[Cryptography] Keeping Malware from Using Security Hardware
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Mar 3 00:27:29 EST 2025
Kent Borg <kentborg at borg.org> writes:
>My specific question: What is to prevent malware from sniffing the user typed
>information (probably username and password), and then using the Yubikey
>itself to do its part of an evil authentication?
Nothing. That's the thing with smart cards (and more generally HSMs): they're
a magic box that does anything the attacker asks of them. This is why we've
had malware signed with manufacturer/software vendor HSMs.
For smart cards this was recognised as far back as the late 1980s with cards
with a built-in display and keypad, the first I know of being the Super Smart
Card from 1989. They never took off, and nor did the later card readers that
did the same thing.
This probably also answers your next question, "so why hasn't anyone made a
product that fixes this?". And in the meantime smart phones came along giving
a good-enough second factor for most purposes.
Peter.
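To make the trust boundary in the reply concrete, here is a small model I have added (it is my own illustration, not code from the thread, and it does not model the YubiKey's real protocol). A token with no user interface answers whoever holds the device handle, so the server cannot tell a request from the user's login program apart from one made by any other process on the same host. A token with its own display and keypad, in the style of the 1989 card mentioned above, answers only after the user has read the description on the token and pressed a key, and binds that description into the response so a response obtained under one description cannot be presented as another. The names (`HostDrivenToken`, `ConfirmingToken`, `Server`, `keypad`, `SECRET`) and the HMAC-SHA256 challenge-response are constructed for the example.

```python
"""Toy model (constructed for illustration) of a host-driven token versus a
token with its own display and keypad. HMAC-SHA256 over a shared secret
stands in for whatever the real device does."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

SECRET = b"constructed-shared-secret"  # provisioned in both token and server


def _mac(secret: bytes, description: str, challenge: bytes) -> bytes:
    # The authenticated message covers the human-readable description of
    # the operation as well as the server's challenge.
    return hmac.new(secret, description.encode() + b"\x00" + challenge,
                    hashlib.sha256).digest()


class HostDrivenToken:
    """No user interface: computes a response for any caller that can reach
    the device, with no way of knowing who asked or why."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, description: str, challenge: bytes) -> bytes:
        # The host software supplies the description; the token cannot check it.
        return _mac(self._secret, description, challenge)


class ConfirmingToken:
    """Display plus keypad: shows the description on the token itself and only
    answers after the user approves. The description the user saw is what gets
    bound into the response, not whatever the host claimed elsewhere."""

    def __init__(self, secret: bytes, keypad: Callable[[str], bool]) -> None:
        self._secret = secret
        self._keypad = keypad  # stands in for the user reading the display and pressing OK or cancel

    def respond(self, shown_description: str, challenge: bytes) -> Optional[bytes]:
        if not self._keypad(shown_description):
            return None  # user declined: nothing leaves the token
        return _mac(self._secret, shown_description, challenge)


class Server:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, description: str, challenge: bytes,
               response: Optional[bytes]) -> bool:
        if response is None:
            return False
        return hmac.compare_digest(_mac(self._secret, description, challenge), response)


def scenario() -> dict:
    """Runs both token designs against the same server and records which
    requests end up with a server-accepted response."""
    server = Server(SECRET)
    results = {}

    # Design 1: the token answers whoever holds the device handle, so the
    # server accepts both the user's own session and one started by another
    # process on the same host.
    plain = HostDrivenToken(SECRET)
    for who, description in (("user's login app", "login alice@laptop"),
                             ("other process on the same host", "login alice@elsewhere")):
        challenge = server.new_challenge()
        response = plain.respond(description, challenge)
        results[f"host-driven/{who}"] = server.verify(description, challenge, response)

    # Design 2: the user reads the token's display and approves only the
    # session they are actually starting.
    def keypad(shown: str) -> bool:
        return shown == "login alice@laptop"

    confirming = ConfirmingToken(SECRET, keypad)

    challenge = server.new_challenge()
    response = confirming.respond("login alice@laptop", challenge)
    results["confirming/user's login app"] = server.verify("login alice@laptop", challenge, response)

    challenge = server.new_challenge()
    response = confirming.respond("login alice@elsewhere", challenge)
    results["confirming/other process, honest display"] = server.verify("login alice@elsewhere", challenge, response)

    # A response approved under the expected description is presented to the
    # server for a different session: the bound description no longer matches.
    challenge = server.new_challenge()
    response = confirming.respond("login alice@laptop", challenge)
    results["confirming/other process, response reused"] = server.verify("login alice@elsewhere", challenge, response)
    return results


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The point the model makes is that the host-driven token's security rests entirely on the caller being trusted, which is exactly the assumption that fails on a compromised machine; the confirming token moves the decision to a channel (its own display and keypad) that host software cannot drive, and binding the displayed description into the response is what stops a valid response being reused for something the user never approved.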