RSA SecurID SID800 Token vulnerable by design
Travis H.
solinym at gmail.com
Sun Sep 17 00:40:55 EDT 2006
On 9/15/06, Daniel Carosone <dan at geek.com.au> wrote:
> But let's not also forget that these criticisms apply approximately
> equally to smart card deployments with readers that lack a dedicated
> pinpad and signing display.
This looks mildly interesting:
http://www.projectblackdog.com/product.html
I guess it uses an autorun file on Windows; I wonder whether most systems
allow you to effectively launch X. The docs say it connects via ethernet
over USB, so you're effectively a thin X client. Nice that it's open-source.
Good idea, still vulnerable to software surveillance and host OS.
No display.
This looks more interesting:
http://fingergear.com/bio_computer_on_a_stick.php
This has a display, a fingerprint reader, runs Linux, has many common apps
(office-compatible suite), IM, etc. More relevant to the list, it has an OTP
generator, so this is effectively a security token.
See:
http://fingergear.com/faq1.php#4
Unfortunately, it looks like you can't reimage it without wiping
everything, and then you lose the OS. I hope you can get a modifiable
OS image and install it just as one would save data to the USB drive,
but it could be impossible.
> The worst cost for these more advanced methods may be in user
> acceptance: having to type one or more things into the token, and then
> the response into the computer. A USB connected token could improve
> on this by transporting the challenge and response, displaying the
> challenge while leaving the pinpad for authentication and approval.
I wonder if the ubiquitous fingerprint reader could replace the need
for lots of buttons; controls tend to be the most expensive and fragile
part of electronic devices.
I wonder why nobody has an open-source cell phone that does voice
recognition yet. That would seem to be the ideal solution, wouldn't
it? You're already carrying one around, and you have a keypad for
dialing (can be used for PIN), LCD panel for output, and if you have
a fingerprint reader, enough juice to perform some crypto, and a USB
or bluetooth connector (for storage and communication) it'd be perfect.
--
"On the Internet no one knows you're a dog - except Bruce Schneier."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
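The USB-connected challenge-response token sketched in the quoted reply (the host relays challenge and response over USB, the token shows the challenge on its own display, and the pinpad handles PIN entry and approval) as an added simulation. This is not code from the original post or from any product named in it; the `Token`, `Server` and `run_login` names, the HMAC-SHA256 response, and the sample secret and PIN are constructed for illustration. The model also covers the failure mode the thread is about: a token with no display of its own signs whatever the host hands it.

```python
"""Simulation of a USB challenge-response token with its own display and pinpad.
Constructed example: all names, secrets and the HMAC-based response are assumptions."""
import hashlib
import hmac
import os
from typing import Callable, Optional


class Token:
    """Hardware token: shared secret, PIN and a display the host cannot write to."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self.display: list[str] = []  # everything the token itself has shown

    def respond(self, challenge: bytes, entered_pin: str,
                approve: Callable[[str], bool]) -> Optional[bytes]:
        shown = challenge.hex()
        self.display.append(shown)  # the token shows what it is about to sign
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            return None  # wrong PIN on the pinpad: nothing is signed
        if not approve(shown):
            return None  # user declined on the pinpad: nothing is signed
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Relying party that issues a fresh challenge and checks the response."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_login(server: Server, token: Token, pin: str,
              host_tamper: Optional[Callable[[bytes], bytes]] = None,
              user_checks_display: bool = True) -> dict:
    """One login: server -> host -> token -> host -> server.

    host_tamper models host software that substitutes the challenge in transit;
    user_checks_display=False models a token with no display (blind approval).
    Returns what was verified, what the token actually signed, and the response.
    """
    challenge = server.new_challenge()
    # The server also shows the challenge to the user out of band (e.g. on the
    # login page), so the user can compare it with the token's display.
    user_view = challenge.hex()
    relayed = host_tamper(challenge) if host_tamper else challenge

    def approve(shown: str) -> bool:
        # With a dedicated display the user approves only if the token shows
        # the same challenge the server showed; without one, approval is blind.
        return shown == user_view if user_checks_display else True

    response = token.respond(relayed, pin, approve)
    return {
        "verified": server.verify(challenge, response),
        "signed": relayed if response is not None else None,
        "response": response,
    }


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # sample value, not a real key
    tok, srv = Token(secret, "1234"), Server(secret)
    print("honest host:", run_login(srv, tok, "1234")["verified"])
    substitute = lambda c: bytes(16)  # host swaps in a challenge of its choosing
    print("tampering host, token with display:",
          run_login(srv, tok, "1234", host_tamper=substitute)["signed"])
    print("tampering host, token without display:",
          run_login(srv, tok, "1234", host_tamper=substitute,
                    user_checks_display=False)["signed"])
```

The last case is the one a reviewer would check: with blind approval the host ends up holding a valid response for a challenge it chose, which is exactly what the token's own display and pinpad are there to prevent. The `Token.display` list doubles as an audit trail of what the token showed, regardless of what the host's screen claimed.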
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com