Hi,

While musing about some related issues today, a major possible problem with
pcsc-lite's security model cropped up. It doesn't appear that there is any
way to restrict smart card access by user. This means that any user on a
multi-user system can use any smart card in any reader attached to that
system. Now, access to security-critical features on smart cards is
generally controlled by a PIN/password, but nearly all cards remember their
authentication state. Indeed, they almost have to. This means that once I
present my PIN to the card to, say, sign an e-mail, any other user logged
onto my system can also use the credentials on my card.

Is it even possible for pcscd to enforce user-level access controls? Ideally,
the first process to access the card (well, *ideally* the process that
presents the PIN, but pcscd can't know that) should be able to tell pcscd to
reject connections to that card from processes owned by other users. The
only way for a different user account to obtain access to the card should be
to reset the card. Allowing any user process to reset the card in the reader
enables a DOS attack, but that's *much* less of a problem than the ability to
impersonate another by using his card credentials.

Is there some mechanism in pcsc-lite to prevent this sort of attack? If not,
is it even possible for pcscd to identify the owner of the processes that
connect to its socket?

I'm really hoping I've missed something here...

Thanks,
Shawn.
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle