[36013] in bugtraq
Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
daemon@ATHENA.MIT.EDU (Kevin Sheldrake)
Fri Aug 6 21:08:42 2004
To: "Lyal Collins" <lyalc@ozemail.com.au>,
"'Toomas Soome'" <Toomas.Soome@microlink.ee>, lionel.ferette@belnet.be
Cc: bugtraq@securityfocus.com
Message-ID: <opsca5z20byl48zk@wintony>
Date: Fri, 06 Aug 2004 12:25:04 +0100
From: "Kevin Sheldrake" <kev@electriccat.co.uk>
Content-Type: text/plain; format=flowed; delsp=yes; charset=utf-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
In-Reply-To: <011201c47b57$130f0860$6500a8c0@kpllaptop>
I don't doubt the widespread inherent nature of this vulnerability.
Smart cards used with PCs as the man-machine-interface is simply asking
for trouble IMHO. Unless I'm mistaken, there is very little that can be
done about this without redesigning/replacing current smart cards.
Obviously, bespoke MMIs (such as door access systems) are less vulnerable
to this issue. My problem is that people seem to view smart cards as a
panacea, as a place to store digital certificates or 'identities' and then
use them to 'prove' who they are.
Don't even start me on biometrics; if there is a PC (or anything that runs
software) between the reader and the authenticator then couldn't you just
replace the reader with another bit of software that pretends to be a
reader? Where can I get the biometric info required? Police stations
have a large quantity of finger prints, as have practically every surface
you've touched recently...
Kev
> This exposure, of PIN compromise, is genric in all smartcard products
> today,
> unless a dedicated PINpad or biometric-sensor equipped readers are used
> -
> putting cost of ownership towards $1000 in some cases.
> PC/SC doesn't help - as a data interfcae API spec, it excludes human
> interface aspects. STIP (Small Terminal Interoperability Platform at
> www.stip.org) moves in this direction, but has evolved into many
> variants to
> interoperate with proprietary vendors and proprietary industry standards.
>
> The challenges in putting biometric sensors or PINpads onto cards include
> the need to conform to ISO 7816 for form factor, physical resilience etc,
> and that the cards are unpowered. Or, someone redesigns the entire
> form-factor, user interface model, portability and business model -
> something that has previously failed to go anywhere.
>
> Something like a mobile phone or PDA is a good compromise tool to this
> overall exposure, imho.
>
> Lyal
>
>
>
> -----Original Message-----
> From: Kevin Sheldrake [mailto:kev@electriccat.co.uk]
> Sent: Thursday, 5 August 2004 8:39 PM
> To: Toomas Soome; lionel.ferette@belnet.be
> Cc: vuln@hexview.com; full-disclosure@lists.netsys.com;
> bugtraq@securityfocus.com
> Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
> tokens and smartcards
>
>
> Surely if the user is entering a passphrase then the same problem exists
> -
> that of effectively eavesdropping that communication from the keyboard?
>
> Ignoring the initial expense for a moment, wouldn't it have made a lot of
> sense to include the keypad actually on the cards? Obviously, card
> readers would need to be contructed such that the keypad part of the card
> would be exposed during use. The keypad security could then rely on the
> tamper resistant properties of the rest of the card.
>
> From a costs perspective, I would guess that the actual per-card cost
> increase would be minimal if hundreds of millions of these cards were
> produced.
>
> Kev
>
>
>> Lionel Ferette wrote:
>>
>>> Note that this is true for almost all card readers on the market, not
>>> only for Datakey's. Having worked for companies using crypto smart
>>> cards, I have conducted a few risk analysis about that. The conclusion
>>> has always been that if the PIN must be entered from a PC, and the
>>> attacker has means to install software on the system (through directed
>>> viruses, social engineering, etc), the game's over.
>>> The only solution against that problem is to have the PIN entered
>>> using a keypad on the reader. Only then does the cost of an attack
>>> raise significantly. But that is opening another can of worms, because
>>> there is (was?) no standard for card readers with attached pin pad (at
>>> the time, PC/SCv2 wasn't finalised - is it?).
>>>
>>
>> at least some cards are supporting des passphrases to implement secured
>> communication channels but I suppose this feature is not that widely in
>> use.... how many card owners are prepared to remember both PIN codes
>> and passphrases...
>>
>> toomas
>>
>>
>
>
>
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
