Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

From: Toomas Soome (Toomas.Soome_at_microlink.ee)
Date: 08/04/04

    Date: Wed, 04 Aug 2004 23:11:48 +0300
    To: lionel.ferette@belnet.be
    
    

    Lionel Ferette wrote:

    > Note that this is true for almost all card readers on the market, not only for
    > Datakey's. Having worked for companies using crypto smart cards, I have
    > conducted a few risk analyses about that. The conclusion has always been that
    > if the PIN must be entered from a PC, and the attacker has means to install
    > software on the system (through directed viruses, social engineering, etc),
    > the game's over.
    >
    > The only solution against that problem is to have the PIN entered using a
    > keypad on the reader. Only then does the cost of an attack rise
    > significantly. But that is opening another can of worms, because there is
    > (was?) no standard for card readers with attached pin pad (at the time,
    > PC/SCv2 wasn't finalised - is it?).
    >

    At least some cards support DES passphrases to implement secured
    communication channels, but I suppose this feature is not that widely in
    use... How many card owners are prepared to remember both PIN codes
    and passphrases...

    toomas
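
What "PIN entered from a PC" looks like at the APDU level, as an added example that is not part of the original thread: a Python check over a constructed host-side APDU trace that flags VERIFY commands whose PIN bytes were assembled by host software. The VERIFY instruction byte and the CLA secure-messaging bits follow ISO/IEC 7816-4; the function names and the sample APDUs are assumptions made for illustration.

```python
INS_VERIFY = 0x20   # ISO/IEC 7816-4 VERIFY instruction
SM_BITS = 0x0C      # CLA bits b4-b3: secure messaging indication


def classify_apdu(apdu_hex):
    """Classify one short command APDU from a host-side trace (hypothetical helper)."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins = apdu[0], apdu[1]
    if ins != INS_VERIFY:
        return "not-verify"
    if cla & 0xF0:
        # Assumption: only first-interindustry CLA values (0x0X) are decoded here.
        return "verify-unknown-class"
    if len(apdu) <= 5:
        # No data field: the host is only querying verification status.
        return "verify-no-data"
    lc = apdu[4]
    if lc == 0 or len(apdu) < 5 + lc:
        raise ValueError("Lc does not match the APDU length")
    if cla & SM_BITS:
        # Secure messaging is indicated; this check does not decode whether
        # the data field is encrypted or only authenticated.
        return "verify-secure-messaging"
    # Plain data field: the reference data crossed the host in the clear.
    return "verify-cleartext-pin"


def audit_trace(trace):
    """Return indexes of APDUs exposing a PIN; the PIN bytes are never returned."""
    return [i for i, apdu in enumerate(trace)
            if classify_apdu(apdu) == "verify-cleartext-pin"]


# Constructed sample trace (not captured from any real card or reader).
SAMPLE_TRACE = [
    "00A4040000",                  # SELECT, unrelated to PIN handling
    "00200000",                    # VERIFY without data
    "0020000008313233343536FFFF",  # VERIFY with a padded ASCII PIN
    "0C20000010" + "A5" * 16,      # VERIFY with secure messaging indicated
]

if __name__ == "__main__":
    for index, apdu in enumerate(SAMPLE_TRACE):
        print(index, classify_apdu(apdu))
```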

