GPII - Global Public Inclusive Infrastructure / GPII-3936

Prevent the security issue with using a USB with NOVA computers to create GPII key and prefs safe



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      Problematic use case:
      We don't want anyone writing any old junk to a USB stick, sticking it into a machine at NOVA, and then being entitled to auto-provision a vault based on this. This implies that user listeners need to be aware of which client credential they should present:

      • The Windows auto-keyin listener at NOVA should be the only one which presents the NOVA credential.
      • The USB user listener should only supply the standard credential.

      This implies we need an extra field in the client credentials as well - in addition to "can create prefs safe" there should also be "can auto-provision key". In fact auto-provisioning keys is the bigger risk - people could cause this by writing junk to a USB drive.

      This is the site that will need to be patched - accessRequester.js line 61:

          invokers: {
              getAccessToken: {
                  funcName: "gpii.accessRequester.getAccessToken",
                  // "{arguments}.0" is the gpiiKey
                  args: ["{that}.clientCredentialDataSource", "{that}.accessTokenDataSource", "{arguments}.0"]
              }
          }

      In addition to the gpiiKey we will now also need to supply a string identifying the kind of user listener which triggered the logon. We will then have some kind of table here which can be consulted to determine which credential to supply. Right now it seems that any physical user listener (RFID, USB) will be of one type, and the Windows auto-keyin will be of the other. This table may get bigger in future.

      The "old credential" has always been and is still just sitting there in the code. It's just a matter of the accessRequester choosing to use it for physical tokens.
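The listener-to-credential table and the "can auto-provision key" check described above, as an added example that is not from the GPII code base. The listener-type names, privilege field names, credential values and function names are hypothetical, and requiring both privileges before provisioning is an assumption.

```javascript
"use strict";

// Listener-type names are hypothetical; the issue only distinguishes physical
// listeners (RFID, USB) from the Windows auto-keyin listener at NOVA.
const CREDENTIAL_FOR_LISTENER = Object.freeze({
    usb: "standard",
    rfid: "standard",
    windowsAutoKeyIn: "nova"
});

// Constructed credential records. Field names and the standard credential's
// values are assumptions based on "can create prefs safe" and
// "can auto-provision key".
const CLIENT_CREDENTIALS = Object.freeze({
    standard: Object.freeze({ clientId: "placeholder-standard", canCreatePrefsSafe: false, canAutoProvisionKey: false }),
    nova: Object.freeze({ clientId: "placeholder-nova", canCreatePrefsSafe: true, canAutoProvisionKey: true })
});

// listenerType must be set by the listener component itself, never read from
// the token. Unknown types (including "__proto__") get the standard credential.
function selectCredential(listenerType) {
    const known = typeof listenerType === "string" &&
        Object.prototype.hasOwnProperty.call(CREDENTIAL_FOR_LISTENER, listenerType);
    return CLIENT_CREDENTIALS[known ? CREDENTIAL_FOR_LISTENER[listenerType] : "standard"];
}

// Server-side decision for a key-in, given the credential that was presented.
function authorizeKeyIn(credential, keyExists) {
    if (keyExists) {
        return "login";
    }
    // Unknown key: only a credential holding both privileges may auto-provision
    // the key together with its prefs safe (assumption, see lead-in).
    return credential.canAutoProvisionKey && credential.canCreatePrefsSafe ? "provision" : "reject";
}

function handleKeyIn(gpiiKey, listenerType, existingKeys) {
    return authorizeKeyIn(selectCredential(listenerType), existingKeys.has(gpiiKey));
}

// Constructed sample data.
const existingKeys = new Set(["alice"]);
console.log(handleKeyIn("junk-from-usb", "usb", existingKeys));              // reject
console.log(handleKeyIn("new-nova-user", "windowsAutoKeyIn", existingKeys)); // provision
console.log(handleKeyIn("alice", "rfid", existingKeys));                     // login
```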




            cli@ocad.ca Cindy Qi Li