[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comment on xauth and hybrid
At 7:11 PM -0400 7/21/99, Y. John Jiang wrote:
>I did not mean the hacker needed to extract the key. The scenario
>is like this:
>1. A trojan is installed on a user's PC (btw, this has become very
>popular).
>2. The pass phrase is captured by monitoring the user's keystrokes.
>3. The hacker logs into the PC and then logs into the user's bank account
>which requires certificate authentication.
>
>True, a well-engineered hardware device does not allow the capture of
>the pass phrase. Adding a small keyboard on the hard token would help.
>However, the popular hard tokens on the market all rely on the PC
>keyboard for pass phrase input.
I agree that this sort of TH attack would be successful, but this is only
slightly different from having a TH take advantage of an already-enabled
token of any sort, irrespectove of keystroke capture. Users are not likely
to be willing to have to re-enter a PIN/passphrase every time they wat to
enable a token. Once per "session" is about it. So, having a key[ad on a
token help a bit, but also is not a complete solution.
Steve
References: