[Clips] The summer of PKI love
Stefan Kelm
stefan.kelm at secorvo.de
Fri Aug 12 04:29:46 EDT 2005
> On the token front, we're still unfortunately waiting for the ideal key
> storage device. USB tokens, smart cards, and cell phones are all
> candidates, and the pros and cons of these options form a complex matrix.
> Universities tend to prefer the USB approach because the tokens work with
> PCs and Macs that can't easily be outfitted with card readers.
On that subject I highly recommend a report very recently
published by DFN-CERT and SurfNET.
http://www.dfn-pca.de/bibliothek/reports/pki-token/ :
Abstract
The usage of X.509 certificates and related PKI techniques is getting
more and more common. It enables users to sign and encrypt messages, to
use secure communication channels for internet communication and to
authenticate themselves to all kinds of network services. The overall
level of security for the usage of public key cryptography depends
heavily on that of the private key, which is usually installed on the
local host of the user. This not only poses a security risk but also
restricts the increasing user demand for mobility. A solution to
these problems can be smart cards and USB tokens, which store private
keys in such a way that they cannot be retrieved from these devices.
Instead, data can be sent to these devices and is processed, decrypted or
signed, by the device itself; only then are the results provided by the
device for further processing.
These devices are very promising for the widespread usage of PKI. In a
PC-dominated world USB tokens have the advantage that no additional
reader is necessary to use them, even on foreign hosts. Both types of
devices, smart cards and USB tokens, still need support by the underlying
operating systems and by the applications used. This makes it very
difficult to decide which token may be successfully used in any given
environment and will meet the demands of the applications and intended
usage. This report tries to ease the decision process when selecting a
token for a particular environment and platform.
For this purpose a number of the available tokens were tested together
with the most common applications on the most commonly used operating
systems. A reproducible test framework was established to ensure the
comparability and re-usability of these tests.
Overall it is safe to say that in a homogeneous environment with commonly
used applications the tested tokens perform well. Nevertheless, rolling
out tokens on a large scale is still not something to be undertaken on a
Friday afternoon.
[snip]
Cheers,
Stefan.
-------------------------------------------------------
Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm at secorvo.de, http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
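The property the quoted abstract describes (the private key is installed inside the device and cannot be retrieved; the host only sends data in and gets a signature or plaintext back) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the DFN-CERT/SurfNET report, from Secorvo, or from any token vendor. The RSA parameters are tiny constructed values (the primes 1000003 and 1000033) used only so the arithmetic is visible; the class names, the PIN, and the retry limit of three are assumptions modelled loosely on PKCS#11 objects with CKA_EXTRACTABLE set to false.

```python
"""Toy model of "key on the host" versus "key in the token".

Added example, not the report's code.  The key material below is a
constructed toy RSA key: a real smart card or USB token holds a much
larger key in tamper-resistant hardware and never exposes d or the primes.
"""
import hashlib

# Constructed toy RSA parameters (assumption: two small known primes).
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python >= 3.8)
PUBLIC_KEY = (N, E)


def _digest_int(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (toy padding only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class SoftwareKeyFile:
    """Private key installed on the local host, the scenario the abstract
    warns about: any process that can read the file can copy d."""

    def __init__(self, n: int, d: int) -> None:
        self.n, self.d = n, d

    def export_private(self) -> int:
        return self.d


class HardwareToken:
    """Smart card / USB token model: the host sees only operations, never d.
    PIN gating and the retry counter are assumptions for illustration."""

    MAX_PIN_TRIES = 3

    def __init__(self, n: int, d: int, pin: str) -> None:
        self._n, self._d, self._pin = n, d, pin
        self._logged_in = False
        self._tries_left = self.MAX_PIN_TRIES

    def login(self, pin: str) -> bool:
        """Wrong PINs consume a retry; at zero the token refuses all logins."""
        if self._tries_left == 0:
            raise PermissionError("token is locked")
        if pin != self._pin:
            self._tries_left -= 1
            return False
        self._logged_in = True
        self._tries_left = self.MAX_PIN_TRIES
        return True

    def export_private(self) -> int:
        raise PermissionError("private key is not extractable from the token")

    def _require_login(self) -> None:
        if not self._logged_in:
            raise PermissionError("PIN login required")

    def sign(self, data: bytes) -> int:
        """Host sends the data in; only the signature comes back out."""
        self._require_login()
        return pow(_digest_int(data, self._n), self._d, self._n)

    def decrypt(self, ciphertext: int) -> int:
        """Host sends the ciphertext in; only the plaintext comes back out."""
        self._require_login()
        return pow(ciphertext, self._d, self._n)


# Host-side operations need nothing but the public key.
def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)


def encrypt(public_key, message: int) -> int:
    n, e = public_key
    return pow(message, e, n)


def make_token(pin: str = "1234") -> HardwareToken:
    return HardwareToken(N, D, pin)


def private_key_leaks(store) -> bool:
    """True if the key store hands the private exponent to the caller."""
    try:
        store.export_private()
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    token = make_token("1234")
    print("software key file leaks d:", private_key_leaks(SoftwareKeyFile(N, D)))
    print("hardware token leaks d:   ", private_key_leaks(token))
    print("wrong PIN accepted:", token.login("0000"))
    print("right PIN accepted:", token.login("1234"))
    sig = token.sign(b"contract.pdf")
    print("signature verifies on host:", verify(PUBLIC_KEY, b"contract.pdf", sig))
    print("token decrypts 42 ->", token.decrypt(encrypt(PUBLIC_KEY, 42)))
```

The point of the contrast is that the host-side code path for the token never touches `d`: signing and decryption happen behind `login()`, the verifier needs only `PUBLIC_KEY`, and an attempt to read the key out fails instead of silently succeeding as it does for the file-based store. The same shape is what makes a token usable on a "foreign host" in the abstract's sense, since nothing secret has to be installed there.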
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com