Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Smart card proposal

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: Smart card proposal
Date: Sat, 29 Jan 2005 09:34:11 +1100 
IMHO, the security issues of 'web sites communicating with tokens' are
poorly addressed.

If the site is hacker controlled (the main page site, advertising, image
sources etc), then anything can happen, good or bad.  While we want to good
to occur, the bad is just as important to control
Tokens effectively have a 'power of attorney' over one's authenticated
services.
Being realtively, dumb, they follow a few simple rules to generate output
that commits the human to the consequences of the input.

Human-mediated input/output, and indeed control over the 'power of attorney'
processing is severely lacking in the products available today.  No
solutions appear to provide strong, ongoing control by the user of how, when
and why the device is used to authenticate/encrypt transaction related
content.

A refocussing on products that address business and user needs is necessary.
I fear that most infrastructure and products in this space is too insecure
or dumb to actually do any of the necessary  human mediated secure
communication and authentication

Lyal
 


-----Original Message-----
From: Koh Gim Leng [mailto:kohgimleng@gmail.com] 
Sent: Friday, 28 January 2005 2:10 PM
To: Richard M. Smith
Cc: webappsec@securityfocus.com; maburns@safenet-inc.com
Subject: Re: Smart card proposal


On Tue, 25 Jan 2005 16:45:52 -0500, Richard M. Smith
<rms@computerbytesman.com> wrote:

Hi,

What seems more user-friendly to me is that a single USB 

key device needs to

be sharable between 5 credit cards, rather than having 5 

separate devices.


What I still do not understand is how a Web site 

communicates with the USB

key device.


Web site communicates to a web browser which in term communicates to a
set of standard APIs known as PKCS#11. Every smart card token or USB
token vendor who wants to sell their token will provide you with their
PKCS#11. Being a standard, your browser will know which API to call
within the PKCS#11.

If the token is in the form smart card, then the PKCS#11 provided by
the smart card vendor will include means to call the smart card
drivers provided as well. If the token is in the form of USB, then the
PKCS#11 provided by the USB vendor will inculdes means to call the USB
drivers as well. Bottom line - whatever happens belows PKCS#1l should
be transparent to the web browser (or any PKI enabled application).

Regards
Sam Koh
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Off topic: what is sensitive information on a website?, Michael Silk
Next by Date:  Re: phishing pages, Paul Laudanski
Previous by Thread:  Re: Smart card proposal, Koh Gim Leng
Next by Thread:  RE: Smart card proposal, maburns
Indexes:  [Date] [Thread] [Top] [All Lists]