- Other
- SEE MORE
- classical
- general
- talk
- News
- Family
- Bürgerfunk
- pop
- Islam
- soul
- jazz
- Comedy
- humor
- wissenschaft
- opera
- baroque
- gesellschaft
- theater
- Local
- alternative
- electro
- rock
- rap
- lifestyle
- Music
- como
- RNE
- ballads
- greek
- Buddhism
- deportes
- christian
- Technology
- piano
- djs
- Dance
- dutch
- flamenco
- social
- hope
- christian rock
- academia
- afrique
- Business
- musique
- ελληνική-μουσική
- religion
- World radio
- Zarzuela
- travel
- World
- NFL
- media
- Art
- public
- Sports
- Gospel
- st.
- baptist
- Leisure
- Kids & Family
- musical
- club
- Culture
- Health & Fitness
- True Crime
- Fiction
- children
- Society & Culture
- TV & Film
- gold
- kunst
- música
- gay
- Natural
- a
- francais
- bach
- economics
- kultur
- evangelical
- tech
- Opinion
- Government
- gaming
- College
- technik
- History
- Jesus
- Health
- movies
- radio
- services
- Church
- podcast
- Education
- international
- Transportation
- kids
- podcasts
- philadelphia
- Noticias
- love
- sport
- Salud
- film
- and
- 4chan
- Disco
- Stories
- fashion
- Arts
- interviews
- hardstyle
- entertainment
- humour
- medieval
- literature
- alma
- Cultura
- video
- TV
- Science
- en
What de.fac2? (camp2023)
b'Hardware FIDO U2F tokens are security devices which are meant to defend user second factor keys from physical and remote attacks.\\nIn this presentation different security features and implemented by FIDO U2F tokens and how they are meant to protect a user from various attack scenarios.\\nWe will focus on the open source implementation of FIDO U2F token developed and Common Criteria certified by Federal Office for Information Security (BSI).\\nHaving access not only to the source code of the token applet, but the certification documents as well gives a unique opportunity of \\nFinally, a design flaw in the solution is discussed (CVE-2022-33172) and an attack on hardware token security feature will be presented, which could allow an attacker in control of user PC to fake user presence and execute a number of unauthorized sensitive operations.\\n\\nDe.fac2 is a Common Criteria (CC) and FIDO certified FIDO U2F Java Card applet developed and certified by Federal Office for Information Security (Bundesamt f\\xfcr Sicherheit in der Informationstechnik).\\nThis solutions gives a unique opportunity to look at the internals of a FIDO U2F token as well as certification claims and product security features.\\n\\nThe presentation introduces the process of identification of the design flaw in the product in under an hour as well as the testing of a vulnerability without access to the actual physical device.\\n\\nThe vulnerability was disclosed to the Bundesamt f\\xfcr Sicherheit in der Informationstechnik and addressed in the updated commit\\nhttps://github.com/BSI-Bund/de.fac2\\n\\nThe acknowledged bug was addressed by the developer with the following statement:\\n\\nThe following attack scenario was reported to us by Sergei Volokitin: A reset command send by the reader to the card circumvents the user presence check. \\nFor example, malware on the host PC / smartphone could send a reset command to the reader programmatically. \\nIt is not possible for the card to distinguish if the reader sent a reset command or if it was physically removed from the reader. \\nWith reference to this scenario, the Guidance Documentation (AGD) and the Security Target (ST) were updated in July 2022 in a "Assurance Maintenance".\\nabout this event: https://pretalx.c3voc.de/camp2023/talk/DA8G9D/'