[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, full-disclosure-admin@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: Bart.Lansing@xxxxxxxxx
Date: Fri, 6 Aug 2004 08:53:30 -0500

Guys...

RSA has been doing PIN cards for ages...I don't get the hangup on 
SmartCards vs "plain old" something you have/something you know two factor

http://www.rsasecurity.com/node.asp?id=1311

Cost of entry/ownership is nothing remotely close to the $1000 you mention 
Lyal...in fact, it's under 1/10 of that on a per seat basis...

Why get hung up on it being a smartcard, when you can do two factor with a 
much lower entry cost and do it, frankly, easier?

Bart Lansing
Manager, Desktop Services
Kohl's IT


full-disclosure-admin@xxxxxxxxxxxxxxxx wrote on 08/05/2004 08:45:33 PM:

> This exposure, of PIN compromise, is genric in all smartcard products 
today,
> unless a dedicated PINpad or biometric-sensor  equipped readers are used 
-
> putting cost of ownership towards $1000 in some cases.
> PC/SC doesn't help - as a data interfcae API spec, it excludes human
> interface aspects.  STIP (Small Terminal Interoperability Platform at
> www.stip.org) moves in this direction, but has evolved into many 
variants to
> interoperate with proprietary vendors and proprietary industry 
standards.
> 
> The challenges in putting biometric sensors or PINpads onto cards 
include
> the need to conform to ISO 7816 for form factor, physical resilience 
etc,
> and that the cards are unpowered.  Or, someone redesigns the entire
> form-factor, user interface model, portability and business model -
> something that has previously failed to go anywhere.
> 
> Something like a mobile phone or PDA is a good compromise tool to this
> overall exposure, imho.
> 
> Lyal
> 
> 
> 
> -----Original Message-----
> From: Kevin Sheldrake [mailto:kev@xxxxxxxxxxxxxxxxx] 
> Sent: Thursday, 5 August 2004 8:39 PM
> To: Toomas Soome; lionel.ferette@xxxxxxxxx
> Cc: vuln@xxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
> tokens and smartcards
> 
> 
> Surely if the user is entering a passphrase then the same problem exists 
- 
> that of effectively eavesdropping that communication from the keyboard?
> 
> Ignoring the initial expense for a moment, wouldn't it have made a lot 
of 
> sense to include the keypad actually on the cards?  Obviously, card 
> readers would need to be contructed such that the keypad part of the 
card 
> would be exposed during use.  The keypad security could then rely on the 
 
> tamper resistant properties of the rest of the card.
> 
>  From a costs perspective, I would guess that the actual per-card cost 
> increase would be minimal if hundreds of millions of these cards were 
> produced.
> 
> Kev
> 
> 
> > Lionel Ferette wrote:
> >
> >> Note that this is true for almost all card readers on the market, not 
 
> >> only for Datakey's. Having worked for companies using crypto smart 
> >> cards, I have conducted a few risk analysis about that. The 
conclusion 
> >> has always been that if the PIN must be entered from a PC, and the 
> >> attacker has means to install software on the system (through 
directed 
> >> viruses, social engineering, etc), the game's over.
> >>  The only solution against that problem is to have the PIN entered 
> >> using a keypad on the reader. Only then does the cost of an attack 
> >> raise significantly. But that is opening another can of worms, 
because 
> >> there is (was?) no standard for card readers with attached pin pad 
(at 
> >> the time, PC/SCv2 wasn't finalised - is it?).
> >>
> >
> > at least some cards are supporting des passphrases to implement 
secured 
> > communication channels but I suppose this feature is not that widely 
in 
> > use....  how many card owners are prepared to remember both PIN codes 
> > and passphrases...
> >
> > toomas
> >
> >
> 
> 
> 
> -- 
> Kevin Sheldrake MEng MIEE CEng CISSP
> Electric Cat (Bournemouth) Ltd
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


CONFIDENTIALITY NOTICE: 
This is a transmission from Kohl's Department Stores, Inc.
and may contain information which is confidential and proprietary.
If you are not the addressee, any disclosure, copying or distribution or use of 
the contents of this message is expressly prohibited.
If you have received this transmission in error, please destroy it and notify 
us immediately at 262-703-7000.

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves the 
right to retrieve and read any message created, sent and received.  Kohl's 
reserves the right to monitor messages by authorized Kohl's Associates at any 
time
without any further consent.

Follow-Ups:
- RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Dana Hudes

Prev by Date: [OpenPKG-SA-2004.036] OpenPKG Security Advisory (cvstrac)
Next by Date: Re: GNU/Linux 'info Buffer Overflow
Previous by thread: [OpenPKG-SA-2004.036] OpenPKG Security Advisory (cvstrac)
Next by thread: RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Index(es):
- Date
- Thread