Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 08/05/04

  • Next message: Lee Dilkie: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
    To: "Toomas Soome" <Toomas.Soome@microlink.ee>, lionel.ferette@belnet.be
    Date: Thu, 05 Aug 2004 11:39:18 +0100
    
    

    Surely if the user is entering a passphrase then the same problem exists -
    that of effectively eavesdropping that communication from the keyboard?

    Ignoring the initial expense for a moment, wouldn't it have made a lot of
    sense to include the keypad actually on the cards? Obviously, card
    readers would need to be contructed such that the keypad part of the card
    would be exposed during use. The keypad security could then rely on the
    tamper resistant properties of the rest of the card.

     From a costs perspective, I would guess that the actual per-card cost
    increase would be minimal if hundreds of millions of these cards were
    produced.

    Kev

    > Lionel Ferette wrote:
    >
    >> Note that this is true for almost all card readers on the market, not
    >> only for Datakey's. Having worked for companies using crypto smart
    >> cards, I have conducted a few risk analysis about that. The conclusion
    >> has always been that if the PIN must be entered from a PC, and the
    >> attacker has means to install software on the system (through directed
    >> viruses, social engineering, etc), the game's over.
    >> The only solution against that problem is to have the PIN entered
    >> using a keypad on the reader. Only then does the cost of an attack
    >> raise significantly. But that is opening another can of worms, because
    >> there is (was?) no standard for card readers with attached pin pad (at
    >> the time, PC/SCv2 wasn't finalised - is it?).
    >>
    >
    > at least some cards are supporting des passphrases to implement secured
    > communication channels but I suppose this feature is not that widely in
    > use.... how many card owners are prepared to remember both PIN codes
    > and passphrases...
    >
    > toomas
    >
    >

    -- 
    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Bournemouth) Ltd
    

  • Next message: Lee Dilkie: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"

    Relevant Pages

    • Re: [Full-Disclosure] Clear text password exposure in Datakeys tokens and smartcards
      ... that of effectively eavesdropping that communication from the keyboard? ... Obviously, card ... readers would need to be contructed such that the keypad part of the card ... > at least some cards are supporting des passphrases to implement secured ...
      (Bugtraq)
    • Re: [Full-Disclosure] Clear text password exposure in Datakeys tokens and smartcards
      ... that of effectively eavesdropping that communication from the keyboard? ... Obviously, card ... readers would need to be contructed such that the keypad part of the card ... > at least some cards are supporting des passphrases to implement secured ...
      (Full-Disclosure)
    • RE: [Full-Disclosure] Clear text password exposure in Datakeys tokens and smartcards
      ... [Full-Disclosure] Clear text password exposure in Datakey's ... Obviously, card ... readers would need to be contructed such that the keypad part of the card ... > at least some cards are supporting des passphrases to implement secured ...
      (Full-Disclosure)
    • Re: DNC to acramatic 850 suggestions
      ... This thread was about 850SX Cincy/Vickers controls, to be honest, adding an RS232 with an 850sx control is not the end of the dnc problems. ... I have seen quite a few DNC programs fail on the 850sx because of the lack of Windows communication. ... I installed an ethernet card in the Cincy shop pc and connected it to an ethernet card in my office machine and never had a problem with drip feeding that Cincy again. ...
      (alt.machines.cnc)
    • Re: DNC to acramatic 850 suggestions
      ... You can purchase communication cards for less than $10 at your local ... computer shop. ... If the graphics card ... friendly, the best way to dnc off an 850sx is via DCDNC, and Dos mode on ...
      (alt.machines.cnc)