
Re: Comment on xauth and hybrid



At 4:11 PM -0400 7/21/99, Y. John Jiang wrote:

>Certificate authentication is prone to keyboard monitoring attack.
>If one leaves the hard token in the PCMCIA slot, it is as weak as
>a soft token.

No well-engineered hardware device should be capable of having its private
key(s) extracted via a software attack effected through a PC to which it is
connected.  Depending on the engineering of the device one might carry out
various forms of close-in attacks, if the device is enabled and physically
available to an attacker.  Certainly one could initiate new SAs that the
user might not really want to authorize (but that's a problem in any case).
What exactly did you have in mind when you made the above statement?

Steve

