[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comment on xauth and hybrid



At 7:11 PM -0400 7/21/99, Y. John Jiang wrote:

>I did not mean the hacker needed to extract the key.  The scenario
>is like this:
>1. A trojan is installed on a user's PC (btw, this has become very
>popular).
>2. The pass phrase is captured by monitoring the user's keystrokes.
>3. The hacker logs into the PC and then logs into the user's bank account
>which requires certificate authentication.
>
>True, a well-engineered hardware device does not allow the capture of
>the pass phrase.  Adding a small keyboard on the hard token would help.
>However, the popular hard tokens on the market all rely on the PC
>keyboard for pass phrase input.

I agree that this sort of TH attack would be successful, but this is only
slightly different from having a TH take advantage of an already-enabled
token of any sort, irrespectove of keystroke capture.  Users are not likely
to be willing to have to re-enter a PIN/passphrase every time they wat to
enable a token.  Once per "session" is about it.  So, having a key[ad on a
token help a bit, but also is not a complete solution.

Steve


References: