
RE: Backport of the integer overflow in the brk system call



Andreas Schuldei wrote:
> * Russell Coker (russell@coker.com.au) [031203 04:03]:
> > I have sent a message to Werner asking if the GPG smart-card device
> > could be re-implemented with a USB interface.  I think that a USB
> > dongle with GPG technology would be a good option as most developers'
> > machines already have USB support.
> 
> as discussed in depth in an earlier c't magazine (German) USB is
> not a safe bus to use for security-relevant applications, since
> it allows for recording and playing back of command sequences.

What article was that?

Anyhow, a serial port or a PS/2 keyboard port is "unsafe" in the same way.  A secure card reader solution would use a challenge/response procedure, so a simple replay attack could never be successful.  Additionally, a secure card reader device would be sealed (and deactivate/destroy itself upon physical break-in) and require the user to enter a PIN/password to use the cryptographic key stored on the card.  What would make such a card reader solution particularly unsafe when connected through USB?
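
The replay argument in the message above, as an added example that is not part of the original post: a recorded bus transcript unlocks a fixed command sequence but fails against a fresh challenge. The class and function names are hypothetical, and a shared-secret HMAC stands in for whatever operation a real card would perform with its key.

```python
import hashlib
import hmac
import secrets


class Card:
    """Constructed model of a token whose key never leaves the device."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Host side: issues a fresh random challenge and accepts it only once."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def static_verify(key: bytes, response: bytes) -> bool:
    """Weak scheme: the token always answers the same fixed command."""
    expected = hmac.new(key, b"unlock", hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    card, host = Card(key), Verifier(key)
    # A legitimate exchange; assume everything on the bus is recorded.
    recorded_response = card.respond(host.new_challenge())
    legit_ok = host.verify(recorded_response)
    # The recorded response is played back against a new challenge.
    host.new_challenge()
    replay_ok = host.verify(recorded_response)
    # With no challenge, the recorded bytes stay valid indefinitely.
    static_replay_ok = static_verify(key, card.respond(b"unlock"))
    return legit_ok, replay_ok, static_replay_ok
```

The result is the same whether the recording was taken on USB, a serial port or a PS/2 port: only the scheme without a per-attempt challenge accepts the playback.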


