Patrik Martinsson wrote:
> >>  Is there also a limit to the number of unlock attempts? What
> >>  happens when the limit is reached?
> Yes there is, if you enter the wrong PUK 8 times your card will be
> locked and not usable anymore.

It would be nice for usability if the PUK counter is displayed with
each prompt, and if the case of an unusable card is also handled.


> >>  Any memory used to store a PIN should IMO be mlock()ed before
> >>  the first use.
> Ok cool, as a security measure that is?

Yes, so that the kernel doesn't write the PIN to swap.


> >>  Any memory used to store a PIN should IMO be erased as soon as
> >>  it is no longer needed.
> You mean, write over the data with rubbish and then free it? (I
> thought it was enough with just freeing it, but I see you got a
> point)

Freeing isn't enough, the contents still remain in RAM and at some
point the same area is allocated by some other app. Of course root
can also steal anything from RAM at any time. Turning off power is
not immediately helpful either. See the coldboot attack.


> >>  I would reuse e.g. the OpenSSH read_passphrase() code instead:
> Didn't even think about that.

I don't think it does mlock() so please look into that, but maybe it
will allow for a nicer user interface with ssh-askpass. I use
x11-ssh-askpass which I find very quick, simple and clean.


//Peter
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
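
The two measures discussed in this message, mlock() before the first use and overwriting before free(), shown together as an added example (not code from this thread, OpenSC or OpenSSH). The `pin_buf` struct and the `pin_*` function names are hypothetical, and the PIN in `main()` is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical PIN holder; names are not from OpenSC or OpenSSH. */
struct pin_buf {
    char  *data;   /* one page-aligned page */
    size_t cap;    /* page size in bytes */
    int    locked; /* 1 if mlock() succeeded */
};

/* Zero via a volatile pointer so the stores are not elided as dead. */
void pin_wipe(struct pin_buf *b) {
    volatile unsigned char *p = (volatile unsigned char *)b->data;
    for (size_t i = 0; i < b->cap; i++) p[i] = 0;
}

/* Allocate and mlock() before any secret is written; a failed mlock()
 * (e.g. RLIMIT_MEMLOCK) is left in b->locked for the caller to act on. */
int pin_init(struct pin_buf *b) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || !(b->data = aligned_alloc((size_t)page, (size_t)page)))
        return -1;
    b->cap = (size_t)page;
    b->locked = (mlock(b->data, b->cap) == 0);
    return 0;
}

/* Copy a PIN in; reject input that does not fit with its NUL. */
int pin_set(struct pin_buf *b, const char *pin) {
    size_t n = strlen(pin);
    if (n + 1 > b->cap) return -1;
    memcpy(b->data, pin, n + 1);
    return 0;
}

/* Wipe first, then unlock and free, so the PIN never outlives the lock. */
void pin_release(struct pin_buf *b) {
    pin_wipe(b);
    if (b->locked) munlock(b->data, b->cap);
    free(b->data);
    b->data = NULL;
}

int main(void) {
    struct pin_buf b;
    if (pin_init(&b) != 0) return 1;
    pin_set(&b, "1234"); /* constructed sample PIN */
    pin_release(&b);
    return 0;
}
```

A caller that must not risk the PIN reaching swap can treat `locked == 0` after `pin_init()` as a hard failure.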
