[43901] in cryptography@c2.net mail archive


Re: RSA SecurID SID800 Token vulnerable by design

daemon@ATHENA.MIT.EDU (Travis H.)
Sun Sep 17 11:26:09 2006

X-Original-To: cryptography@metzdowd.com
Date: Sat, 16 Sep 2006 23:40:55 -0500
From: "Travis H." <solinym@gmail.com>
To: "Leichter, Jerry" <leichter_jerrold@emc.com>,
	"Thor Lancelot Simon" <tls@rek.tjls.com>,
	"Vin McLellan" <vin@theworld.com>, cryptography@metzdowd.com
In-Reply-To: <20060915063204.GG29625@bcd.geek.com.au>

On 9/15/06, Daniel Carosone <dan@geek.com.au> wrote:
> But let's not also forget that these criticisms apply approximately
> equally to smart card deployments with readers that lack a dedicated
> pinpad and signing display.

This looks mildly interesting:
http://www.projectblackdog.com/product.html
I guess it uses an autorun file on Windows; I wonder whether most systems
allow you to effectively launch X.  The docs say it connects via ethernet
over USB, so you're effectively a thin X client.  Nice that it's open-source.

Good idea, still vulnerable to software surveillance and host OS.
No display.

This looks more interesting:

http://fingergear.com/bio_computer_on_a_stick.php

This has a display, a fingerprint reader, runs Linux, has many common apps
(office-compatible suite), IM, etc.  More relevant to the list, it has an OTP
generator, so this is effectively a security token.

See:
http://fingergear.com/faq1.php#4

Unfortunately, it looks like you can't reimage it without wiping
everything, and then you lose the OS.  I hope you can get a modifiable
OS image and install it just as one would save data to the USB drive,
but it could be impossible.

> The worst cost for these more advanced methods may be in user
> acceptance: having to type one or more things into the token, and then
> the response into the computer.  A USB connected token could improve
> on this by transporting the challenge and response, displaying the
> challenge while leaving the pinpad for authentication and approval.

I wonder if the ubiquitous fingerprint reader could replace the need
for lots of buttons; controls tend to be the most expensive and fragile
part of electronic devices.

I wonder why nobody has an open-source cell phone that does voice
recognition yet.  That would seem to be the ideal solution, wouldn't
it?  You're already carrying one around, and you have a keypad for
dialing (can be used for PIN), LCD panel for output, and if you have
a fingerprint reader, enough juice to perform some crypto, and a USB
or bluetooth connector (for storage and communication) it'd be perfect.
-- 
"On the Internet no one knows you're a dog - except Bruce Schneier."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
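The quoted paragraph above describes a USB-connected token that carries the challenge and response over the cable, shows the challenge on its own display, and keeps PIN entry and approval on the token's pinpad so the host never handles the secret or the approval. The following is an added simulation of that exchange, written for this archive page and not code from any product or poster in the thread; the Token and Host classes, the HMAC-SHA256 response function, the 32-byte secret, the lockout threshold and the PIN values are all constructed assumptions chosen to illustrate the flow, not the design of any real token.

```python
"""Simulated challenge-response login with an on-token display and pinpad.

Constructed example: the host issues a random challenge, the token shows it on
its own display, the user approves on the token and enters the PIN there, and
only then does the token compute the response.  A compromised host can relay
a challenge but cannot supply the PIN or the user's approval.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed shared secret; a real token would have a per-device secret
# provisioned at manufacture and mirrored at the authentication server.
SECRET = bytes(range(32))


@dataclass
class Token:
    """The USB-connected token: holds the secret, owns the display and pinpad."""
    secret: bytes
    pin: str
    display: List[str] = field(default_factory=list)  # what the LCD has shown
    failed_pins: int = 0
    max_failed: int = 3  # assumed lockout threshold

    def respond(self, challenge: bytes, entered_pin: str,
                user_approves: Callable[[bytes], bool]) -> Optional[bytes]:
        """Return HMAC(secret, challenge) only after display, approval and PIN."""
        if self.failed_pins >= self.max_failed:
            return None  # token locked after too many bad PINs
        # The challenge is shown on the token's own display, not the host's.
        self.display.append(challenge.hex())
        if not user_approves(challenge):
            return None  # user did not recognise the request; no response
        # PIN is checked on the token; constant-time compare avoids timing leaks.
        if not hmac.compare_digest(entered_pin.encode(), self.pin.encode()):
            self.failed_pins += 1
            return None
        self.failed_pins = 0
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Host:
    """The authenticating side: issues single-use challenges and verifies."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        self.outstanding = os.urandom(16)  # fresh nonce per login attempt
        return self.outstanding

    def verify(self, response: Optional[bytes]) -> bool:
        """Accept a response once; the challenge is discarded either way."""
        if self.outstanding is None or response is None:
            return False
        expected = hmac.new(self.secret, self.outstanding,
                            hashlib.sha256).digest()
        self.outstanding = None  # single use: a replay cannot match
        return hmac.compare_digest(expected, response)


def run_login(host: Host, token: Token, pin: str,
              user_approves: Callable[[bytes], bool]) -> bool:
    """One full exchange: host -> token (challenge), token -> host (response)."""
    challenge = host.issue_challenge()
    response = token.respond(challenge, pin, user_approves)
    return host.verify(response)


def replay_rejected(host: Host, token: Token, pin: str) -> bool:
    """Show that a captured response is useless against a later challenge."""
    challenge = host.issue_challenge()
    captured = token.respond(challenge, pin, lambda c: True)
    first_ok = host.verify(captured)
    host.issue_challenge()  # new login attempt, new nonce
    return first_ok and not host.verify(captured)


if __name__ == "__main__":
    tok = Token(secret=SECRET, pin="1234")
    srv = Host(SECRET)
    print("approved, correct PIN:", run_login(srv, tok, "1234", lambda c: True))
    print("user declined on token:", run_login(srv, tok, "1234", lambda c: False))
    print("replay rejected:", replay_rejected(srv, tok, "1234"))
```

The point the quoted text makes is visible in `Token.respond`: the PIN and the approval decision never leave the token, so software on the host can at most initiate a request that the user then sees on the token's display and declines. Single-use challenges on the host side keep a captured response from being replayed.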
