From: Kurt Seifried (bt@seifried.org)
Date: Thu Feb 17 2005 - 16:50:28 EST
> Hi,
>
> Doing an internal pen-test for a company i came across
> a mysql db that contains the Cryptocard tokens
> database (root with no password)
>
> The most interesting table (duh !!!) is the
> "EncryptedKey". Obviously this is not good. I made the
> usual recommandation to secure the db but i was
> curious to know if any one had experience with
> Cryptocard tokens and what is uses to encrypt that
> field. I presume they use the PIN of each user...???
>
> The size of the field is 48 characters (3DES ?)
>
> I would appreciate any info
>
> Thank you
>
> John
Cryptocard's (at least the older ones) have the ability to have their secret
loaded from a machine (you have to buy a special cryptocard docking bay, the
card itself has three metal contacts on it if memory serves). Thus let's say
a user accidentially breaks, flushes or otherwise mangles their cryptocard
(tough but I'm sure someone has done it) you can load a new card up with the
same secret and be back in business. Additionally because of the way this
technology works both sides (the client and the authentication system) have
to have the shared secret (this is the whole point of these systems, you
have a shared secret that is exchanged securely). The database is unlikely
to be the user's pin numbers (which in any event would be mostly worthless)
and is much more likely to be the actual shared secrets (VERY useful, just
load one into a cryptocard or the software for palm/etc and be the CEO for a
day). Hopefully this shared secret is encrypted as the table name implies.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT