scheme |
benefits |
attack scenario analysis |
security analysis |
security |
|
hard Part signature |
1, can be self-research, development and maintenance are relatively simple. 2, no cost to purchase. |
assuming conditions 1:ys site existence XSS vulnerability. Assuming condition 2: The attacker has already obtained a user account password. 1, if condition 1 is established, an attacker could invoke the control interface to read the hardware signature of the victim's current machine and send it back to the attacker's machine. 2, if the condition 1 is not established, the attacker can also be planted on the attacker's machine Trojan to steal hardware signatures. |
attackers only acquire hardware features , you can log in to the victim's account on your own machine, which results in a long-term control of the attack (unless the attacker binds the hardware signature of the machine). |
|
|
Soft certificate |
1, system complex, It's almost impossible to develop a system on your own and it's complicated to maintain. 2, the system is expensive. |
assuming conditions 1:ys site existence XSS vulnerability. Assuming condition 2: The attacker has already obtained a user account password. Assume condition 3: Soft certificate private key is set to non-exportable. 1, assuming that condition 1 is established, the vulnerability can be used by an attacker to impersonate the user login ys, after obtaining a valid cookie to send back to the attacker's machine for login. 2, if the condition 1 is not established, the attacker can also be planted on the attacker's machine Trojan to impersonate the user login ys and steal valid cookies. |
because certificates cannot be exported , so no matter what kind of attack, will need to operate on the attacker's machine, so, once the video 7 cookie expires after 24 hours, but also on the attacker's machine to obtain a cookie again, unable to achieve an attack long-term control effect, the disadvantage is that the certificate is installed in the file system, It can be used as soon as it is powered on. |
medium height |
|
Hard Certificate (Ukey) |
With soft certificate |
Assume condition 1: The attacker has already obtained a user account password. The attacker on the user machine to implant Trojan Horse, and full control of the user machine, waiting for the user to insert Ukey, through phishing and other means to allow the user to enter the Ukey password after the sensitive operation, or directly steal the Ukey password, on the user's machine to perform any sensitive operation (such as transfer, etc.). |
Because certificates cannot be exported, no matter what kind of attack, they need to be operated on the attacker's machine and wait for the attacker to insert Ukey, so the cost of the attack is high. |
High |
NA |