Hello Alon,

On Fri, May 6, 2011 at 20:22, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>> For the sake of usability, exclusive mode should only be used *if needed*.
>> From a security perspective, it does not really matter, because if your host
>> is compromised, such software tricks are worthless. But daily smart card
>> usage usually means using different applications.
>>
>
> This is incorrect.
> Computer may be compromised in so many levels.
True.

> It is true that if someone has total (root) control over the computer,
> he may do whatever.
> However, other non-privileged users MUST NOT be able to gain access to
> resources used by other users.

That's desirable yet not a trivial task. The definition (and enforcement)
of a "current user" in both technical and physical terms is not always
obvious; looking at what has happened with Linux in this area (with
*Kit, device management daemons etc.) is IMHO a confession of this, as
it still seems like a moving target. And at what level should this be
enforced? Sometimes a USB flash disk is used as a "personal device",
yet from the filesystem it looks like any other path that can have
different permissions. And then there is the question of
interoperability with Windows.

Some systems are designed to be a "single user desktop" even if built
on top of a multiuser system; some try to retain multiuser properties.

> Well, you can argue: if I modify the access to readers to a specific
> user, then no other user can access the device anyway.
> If this is enough for users, let it be.
> I don't think it is enough, as this state is not much different than
> using file-based cryptography.

Yes, that's why IMHO a second physical channel (like a pinpad) should
be used if needed, with PIN entry on the device for every use
tightly controlling access to the key if required. Once you use
cookies, stealing one from an application and abusing it is
possible, even if made complicated by technological means. For generic
PKI smart cards, in my opinion, priority one is guaranteeing the
secrecy of key material; priority two is controlling access to
operations with the key. A smart card is a physical device that
guarantees key secrecy; a pinpad reader (or equivalent physical device,
biometric for example) guarantees access control that is not easy to
tamper with. Everything else is software security.

> I know we do not agree on this, but I have never seen hardware
> cryptography using any similar assumption.

I would not draw a hard border of agreeing/not agreeing :) I just
think that there's a reasonable risk/cost ratio at the moment, as is
the situation with other similar "fundamental problems" with PKI
(like embedding secure messaging keys in middleware? why use them at
all in this case?). And that an ultimate solution that would work on
all platforms (and all interfaces, including other than PKCS#11) and
all usage patterns (where there is no "current user" for a token) is
easily doable. Ideas on how to more tightly control access to the
devices while keeping support for multiple applications with multiple
cryptographic APIs are most welcome. But it should work sensibly with
pinpad readers and cards that do not support the mentioned cookie
machinery as well.

What I believe in is providing a real life working solution by default
("Ubuntu style", which manages this nicely by doing some "stupid
things" along the way), with the option of tweaking for setups with
specific requirements or just more paranoid people.

Cheers,
Martin
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel