WebApp Sec mailing list archives
Re: Smart card proposal
From: Kevin Kadow <kkadow () gmail com>
Date: 16 Feb 2005 06:20:38 -0000
In-Reply-To: <4b74cf63050124172961510dd4 () mail gmail com>
The USB Key token would eliminate the need for the smartcard reader, and the PIN can be typed on the keyboard
. . .
If keystrokes are copied, the attacker (who installed the keylogger) could likely be on the computer at the same time that the iKey (or smartcard) is inserted. That means that he could trigger the USB Key or smart card at will while it's hooked to the computer... In that way RSA tokens are way more secure.
Funny that you mention this -- RSA just yesterday announced two new hardware tokens, one of which has a display but is USB-enabled, and allows for the current tokencode to be copied out via USB. So now RSA has all of the disadvantages of a USB key.
But as I already said, RSA tokens would probably not be the solution for a very huge deployment, and they do have other issues
Care to elaborate (on list or in private)? Putting the per-token price aside, I'm not unhappy with RSA, and I'd guess that AOL can say the same. The web agent works remarkably well, assuming you are running a supported HTTPd and OS.
One concern I have with iKey: does it support Linux, OS X, and *BSD? The RSA random password generator won't work for the reason below.
I do not trust the RSA "soft token" (generator), on any OS. The only proven attack against SecurID was against the soft token. But if you do have a hardware token, it is OS-agnostic, and with some effort you can even use SecurID to authenticate services on just about any OS. With the new open authentication standards coming down the pipe (OATH, OPTS, etc), things will only get better.
The RSA SecurID tokens are more expensive than a USB token like the Rainbow iKey and need a battery replacement (USB tokens do not).
Worse than that, RSA tokens are garbage when the battery dies: you can drop them in the trash or send them back to RSA to be shredded and recycled.
Plus RSA is a random password generator and is not really two factor authentication and the deployment on
How is RSA not 2 factor? It's something you know (PIN) and something you own (RSA Calculator or Key holder). Seems 2 factor to me... Having only the PIN or only the Calculator would not be good enough to get in...
. . .
Interesting part of the RSA solution is that since it's not hooked up to the computer, if the computer is compromised the attacker cannot ask the RSA device to give it a token. In the case of an attacker controlling a computer with an iKey, once he captures the PIN, he could reuse the PIN to ask for more tokens...
Of course, with this new USB "fob" that RSA will be selling later this year, it appears their usb-enabled token will gain the same vulnerabilities their competition has had all along. Of course, as a (mostly) happy customer of RSA and moderator of the unofficial unaffiliated SecurID users group, I am a bit biased.
Kevin Kadow
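The replay argument running through this thread (a keylogged static PIN for a connected token can be reused; a keylogged code from a disconnected one-time-password token cannot, and the PIN alone is not enough) can be made concrete. The following is an added example, not code from this thread, from RSA or from the OATH initiative: it uses the OATH HOTP algorithm (RFC 4226, published after this post) rather than SecurID's proprietary scheme, with a constructed shared secret and PIN, and assumes a validation server that never lets the accepted counter move backwards.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class OtpServer:
    """Validation server for one disconnected, event-based token: the PIN is
    the static factor, the code is derived from a counter that only advances,
    so a code already accepted once (e.g. copied by a keylogger) is useless."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.pin = pin
        self.last_counter = -1   # highest counter value accepted so far
        self.window = window     # look-ahead for button presses never submitted

    def verify(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(pin, self.pin):
            return False         # PIN alone or wrong PIN: first factor fails
        # Only counters strictly beyond the last accepted one are candidates.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # consume this and every earlier counter
                return True
        return False


def replay_scenario() -> dict:
    """Constructed scenario: the user logs in once while a keylogger records
    the keystrokes; the attacker then replays them, and also tries the PIN
    without a fresh code (the disconnected token will not give him one)."""
    secret = b"12345678901234567890"   # constructed demo key (RFC 4226 test vector key)
    server = OtpServer(secret, pin="4711")
    captured = hotp(secret, 0)         # exactly what the user typed
    return {
        "user_login": server.verify("4711", captured),
        "replay_of_captured_code": server.verify("4711", captured),
        "pin_without_token": server.verify("4711", "000000"),
    }
```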