[Clips] The summer of PKI love

Stefan Kelm stefan.kelm at secorvo.de
Fri Aug 12 04:29:46 EDT 2005


>  On the token front, we're still unfortunately waiting for the ideal key
>  storage device. USB tokens, smart cards, and cell phones are all
>  candidates, and the pros and cons of these options form a complex matrix.
>  Universities tend to prefer the USB approach because the tokens work with
>  PCs and Macs that can't easily be outfitted with card readers.

On that subject I highly recommend a report very recently
published by DFN-CERT and SurfNET.

  http://www.dfn-pca.de/bibliothek/reports/pki-token/ :

  Abstract

The usage of X.509 certificates and related PKI techniques is getting
more and more common. It enables users to sign and encrypt messages, to
use secure communication channels for internet communication and to
authenticate themselves to all kinds of network services. The overall
level of security for the usage of public key cryptography depends
heavily on that of the private key, which is usually installed on the
local host of the user. This not only poses a security risk but also
restricts the increasing user demand for mobility. A solution to
these problems can be smart cards and USB tokens, which store private
keys in such a way that they cannot be retrieved from these. Instead, data
can be sent to these devices and is processed, decrypted or signed,
by the device itself, and only then are the results provided by these
devices for further processing.

These devices are very promising for the widespread usage of PKI. In a PC-
dominated world the USB tokens have the advantage that no additional
reader is necessary to use them, even on foreign hosts. Both types of
devices, smart cards and USB tokens, still need support from the underlying
operating systems and from the applications used. This makes it very
difficult to decide which token may be successfully used in any given
environment and will meet the demands of the applications and intended
usage. This report tries to ease the decision process when selecting a
token for a particular environment and platform.

For this purpose a number of the available tokens were tested together
with the most common applications on the most commonly used operating
systems. A reproducible test framework was established to ensure the
comparability and re-usability of these tests.

Overall it is safe to say that in a homogeneous environment with commonly used
applications the tested tokens perform well. Nevertheless, rolling out
tokens on a large scale is still not something to be undertaken on a
Friday afternoon.

[snip]

Cheers,

	Stefan.
-------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm at secorvo.de, http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
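The abstract quoted above describes the division of labour that makes a token useful: the host keeps only the certificate (public key), hands data to the device, and gets back a signature or a plaintext, while the private key never crosses the interface. The following is an added example, not code from the DFN-CERT/SurfNET report or from this post, that models that architecture in pure-Python textbook RSA over a SHA-256 digest. The key size, the `SimulatedToken` class and the host-side helper names are constructed for illustration; a real card or USB token enforces non-extraction in hardware, whereas here it is only a property of the interface (no accessor for the private exponent), and the scheme has no PKCS#1 padding or side-channel hardening.

```python
"""Simulated smart card / USB token: sign and decrypt on the device,
private key never leaves it.  Added example, not the report's own code.
Textbook RSA with a constructed 512-bit modulus: illustrates the
host/token interface, not a production signature scheme."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


class SimulatedToken:
    """Stands in for the device.  The key pair is generated inside the
    token; only the public half is ever returned.  The private exponent
    is kept without any accessor (hardware does this for real; here it is
    an interface convention).  Operations exposed: sign() and decrypt()."""

    def __init__(self, bits: int = 512, e: int = 65537):
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
                break
        self.n, self.e = p * q, e
        self.__d = pow(e, -1, phi)  # private exponent, never returned

    def public_key(self) -> tuple:
        """The only key material that leaves the device: (n, e)."""
        return (self.n, self.e)

    def sign(self, digest: bytes) -> int:
        """Host sends a digest in; the token returns the signature."""
        m = int.from_bytes(digest, "big")
        if m >= self.n:
            raise ValueError("digest too large for this modulus")
        return pow(m, self.__d, self.n)

    def decrypt(self, ciphertext: int) -> bytes:
        """Host sends a ciphertext in; the token returns the plaintext."""
        m = pow(ciphertext, self.__d, self.n)
        return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Host side: hashing and verification happen on the PC with the public
# key only; the private-key operations are delegated to the token.
def host_sign(token: SimulatedToken, message: bytes) -> int:
    return token.sign(hashlib.sha256(message).digest())


def host_verify(public_key: tuple, message: bytes, signature: int) -> bool:
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == expected


def host_encrypt(public_key: tuple, plaintext: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too large for this toy scheme")
    return pow(m, e, n)


if __name__ == "__main__":
    token = SimulatedToken()           # key pair born inside the device
    pub = token.public_key()           # the host only ever sees this
    sig = host_sign(token, b"constructed message")
    print("signature verifies:", host_verify(pub, b"constructed message", sig))
    print("round trip:", token.decrypt(host_encrypt(pub, b"session key")))
```

The point to notice is what crosses the boundary: a digest goes in and a signature comes out, a ciphertext goes in and a plaintext comes out, and the host never holds anything from which the private key could be recovered. The "still need support by the operating system and applications" caveat from the abstract is exactly the question of which middleware (PKCS#11, CSP, and so on) provides this `sign`/`decrypt` interface to the application on a given platform.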



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
