Re: Comment on xauth and hybrid



Steve,

I did not mean the hacker needed to extract the key.  The scenario 
is like this:
1. A trojan is installed on a user's PC (btw, this has become very 
popular).
2. The pass phrase is captured by monitoring the user's keystrokes.
3. The hacker logs into the PC and then logs into the user's bank account 
which requires certificate authentication.

True, a well-engineered hardware device does not allow the capture of 
the pass phrase.  Adding a small keyboard on the hard token would help.  
However, the popular hard tokens on the market all rely on the PC 
keyboard for pass phrase input.

John

On Wed, 21 Jul 1999, Stephen Kent wrote:

> At 4:11 PM -0400 7/21/99, Y. John Jiang wrote:
> 
> >Certificate authentication is prone to keyboard monitoring attack.
> >If one leaves the hard token in the PCMCIA slot, it is as weak as
> >a soft token.
> 
> No well-engineered hardware device should be capable of having its private
> key(s) extracted via a software attack effected through a PC to which it is
> connected.  Depending on the engineering of the device one might carry out
> various forms of close-in attacks, if the device is enabled and physically
> available to an attacker.  Certainly one could initiate new SAs that the
> user might not really want to authorize (but that's a problem in any case).
> What exactly did you have in mind when you made the above statement?
> 
> Steve
> 

