Menu
▾
▴
Re: [Opensc-devel] Prevent "proxyfying" PKCS#11
|
From: Dirk-Willem v. G. <di...@we...> - 2015-09-25 09:23:51
|
On 25 Sep 2015, at 10:36, helpcrypto helpcrypto <hel...@gm...> wrote: > I hope you can find a solution for my problem, cause I can't. (And perhaps it's impossible) > Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM attack that steals the PIN when an application invokes C_Login against a PK#11 library. ... > Sadly, using Pinpads is out of scope/beyond our possibilities. This won’t solve your problem directly - but may still be useful (especially as I am guessing that as you are CC-ing the Mozilla list - that you are concerned with browsers). One way we got things this to pass munster was to carefully make a threatmap/actor analysies - and then meet the various compliance & infosec expectations was by 1) dispensing with the PIN and 2) having a `what you know’ as part of the interaction through the browser (only). As this concerned access to something which was only accessible through the browser - we essentially argued that if one where able to manipulate the local browser/keyboard/system to such an extent as to be able to capture the PIN near the PKCS library/driver - one would almost most certainly be able to get `at’ whatever the chipcard & pin where protecting `in’ the browser. Dw |
