Too permissive ACLs in epass2003.profile - privkeys deletable, pubkeys and certs replaceable

Too permissive ACLs in epass2003.profile - privkeys deletable, pubkeys and certs replaceable

Ondrej Mikle
Hi,

I noticed that the ACLs of many files created with the default
/usr/share/opensc/epass2003.profile are quite permissive, compared to the rest of
the profiles for other cards.

Comparison with entersafe.profile for instance:

1. Pubkey files (30xx) can be deleted or replaced by anyone without PIN
        epass2003: ACL = *=NONE;
        entersafe: ACL   = *=NEVER,READ=NONE,UPDATE=$PIN;
2. Certificate files (31xx) can be deleted or replaced by anyone without PIN
        epass2003: ACL = READ=NONE,UPDATE=NONE;
        entersafe: ACL   = *=NEVER,READ=NONE,UPDATE=$PIN;
3. Private key files (29xx) can be deleted by anyone without PIN

Turns out that it's not as simple as changing the default ACLs. Generating a
keypair on the card first creates 30xx pubkey file, then writes the pubkey into
the file in epass2003_gen_key(). That requires UPDATE privilege, but setting
UPDATE=$PIN will fail since writing to pubkey file happens before calling
epass2003_pin_cmd().


Question: Is there any reason why such ACL behavior is desired or should it be
fixed to authenticate to card if $PIN is required for UPDATE/DELETE?

Regards,
  Ondrej

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
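An added audit helper, not part of this thread or of OpenSC, that parses the profile ACL strings quoted above and flags pubkey/cert files whose UPDATE or DELETE is not gated by a PIN. The "*" wildcard and left-to-right override semantics, the treatment of unmentioned operations as unprotected, and the "proposed fix" ACL line are my assumptions.

```python
"""Audit OpenSC profile ACL strings for key/cert files anyone can modify."""
import re

# Operations a profile ACL may name (a subset; OpenSC's parser knows more).
OPERATIONS = ("READ", "UPDATE", "WRITE", "ERASE", "DELETE", "CRYPTO")
MUTATING = ("UPDATE", "DELETE")  # replacing or removing an object


def parse_acl(acl):
    """Turn 'OP=COND,OP=COND;' into {op: cond}.

    '*' sets every operation, later entries override earlier ones, so
    '*=NEVER,READ=NONE,UPDATE=$PIN' ends as READ=NONE, UPDATE=$PIN, NEVER
    elsewhere (assumed ordering). Unmentioned operations map to None: the
    profile does not constrain them (on the epass2003 above, an unmentioned
    DELETE on the cert file turned out to be open to anyone).
    """
    result = {op: None for op in OPERATIONS}
    for entry in re.split(r"[,;]", acl.strip()):
        entry = entry.strip()
        if not entry:
            continue
        op, sep, cond = entry.partition("=")
        op, cond = op.strip().upper(), cond.strip().upper()
        if not sep or not cond:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        if op == "*":
            result = {key: cond for key in result}
        elif op in result:
            result[op] = cond
        else:
            raise ValueError(f"unknown ACL operation: {op!r}")
    return result


def unprotected_mutations(acl):
    """Mutating ops not gated by a PIN or key: condition NONE or unset."""
    perms = parse_acl(acl)
    return {op: perms[op] for op in MUTATING if perms[op] in ("NONE", None)}


# ACL strings quoted in the thread, plus a PIN-gated form of the kind it
# suggests (the "proposed fix" line is my assumption, not a shipped profile).
PROFILE_ACLS = {
    "epass2003 pubkey 30xx": "*=NONE;",
    "entersafe pubkey 30xx": "*=NEVER,READ=NONE,UPDATE=$PIN;",
    "epass2003 cert 31xx": "READ=NONE,UPDATE=NONE;",
    "entersafe cert 31xx": "*=NEVER,READ=NONE,UPDATE=$PIN;",
    "proposed fix": "*=NEVER,READ=NONE,UPDATE=$PIN,DELETE=$PIN;",
}


def audit(profile_acls=PROFILE_ACLS):
    """Map each file type to the mutations anyone may perform on it."""
    return {name: unprotected_mutations(acl) for name, acl in profile_acls.items()}
```

Running audit() reports both epass2003 lines as unprotected and both entersafe lines and the proposed fix as clean.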
Re: Too permissive ACLs in epass2003.profile - privkeys deletable, pubkeys and certs replaceable

Martin Paljak-4
Hello,
On Tue, Mar 5, 2013 at 2:09 PM, Ondrej Mikle <[hidden email]> wrote:
> 1. Pubkey files (30xx) can be deleted or replaced by anyone without PIN
> 2. Certificate files (31xx) can be deleted or replaced by anyone without PIN
> 3. Private key files (29xx) can be deleted by anyone without PIN

Have you checked that the card actually does what the ACLs say it should do?

> Question: Is there any reason why such ACL behavior is desired
Driver author can tell more.

> or should it be
> fixed to authenticate to card if $PIN is required for UPDATE/DELETE?

Probably should be fixed. But keep in mind that if you lose control
over your card (for example your machine is compromised and unwanted
code is running on it) the card can be "bricked" by blocking all PIN
codes and other authentication keys. The ability to delete/overwrite
files if a card is lost is probably an obvious risk. I don't remember
if it was the case with Feitian cards or not, but there is also a
"wipe all" command.

Martin


Re: Too permissive ACLs in epass2003.profile - privkeys deletable, pubkeys and certs replaceable

Ondrej Mikle
On 03/05/2013 01:46 PM, Martin Paljak wrote:
> Hello,
> On Tue, Mar 5, 2013 at 2:09 PM, Ondrej Mikle <[hidden email]> wrote:
>> 1. Pubkey files (30xx) can be deleted or replaced by anyone without PIN
>> 2. Certificate files (31xx) can be deleted or replaced by anyone without PIN
>> 3. Private key files (29xx) can be deleted by anyone without PIN
>
> Have you checked that the card actually does what the ACL-s say it should do?

Yes, I've tested it. In 3F00/5015 DF, using 'rm 2900', 'rm 3000' in
opensc-explorer or equivalent APDU deletes the file. Pubkeys and certs can be
replaced using 'put' or delete/create/put sequence (to account for different
filesize).

After changing ACL to UPDATE/DELETE to $PIN or NEVER, it works as expected.

>> Question: Is there any reason why such ACL behavior is desired
> Driver author can tell more.

I'd be interested as well.

>> or should it be
>> fixed to authenticate to card if $PIN is required for UPDATE/DELETE?
>
> Probably should be fixed. But keep in mind that if you lose control
> over your card (for example your machine is compromised and unwanted
> code is running on it) the card can be "bricked" by blocking all PIN
> codes and other authentication keys.

An attacker could do that by erasing the card and creating an undeletable MF 3F00
(DELETE=$PIN ACL). I accidentally managed to achieve that on one token while
trying to understand how the epass2003 ACLs work.

> I don't remember
> if it was the case with Feitian cards or not, but there is also a
> "wipe all" command.

Do you happen to have reference to the "wipe all" APDU by any chance? I haven't
seen such instruction anywhere.

Ondrej

Re: Too permissive ACLs in epass2003.profile - privkeys deletable, pubkeys and certs replaceable

Martin Paljak-4
On Tue, Mar 5, 2013 at 5:12 PM, Ondrej Mikle <[hidden email]> wrote:
>> I don't remember
>> if it was the case with Feitian cards or not, but there is also a
>> "wipe all" command.
>
> Do you happen to have reference to the "wipe all" APDU by any chance? I haven't
> seen such instruction anywhere.

pkcs15-init -E ? With the standard Feitian card it seems to work.
