Security Basics mailing list archives

RE: SmartCards


From: "Nick Owen" <nowen () wikidsystems com>
Date: Tue, 12 Aug 2003 16:39:18 -0400

Smartcards should be fairly safe when combined with a PIN, but they are not
without risks.  In particular, their lack of user interface and user control
puts you at the mercy of the reader and there could be compromised readers.

You should consider the cost and convenience of the smartcard readers,
especially if you're talking about mobile users - will they carry a reader
with them and will they take good care of it?  With any hardware solution,
maintenance and support are often the biggest cost.  There is also a cost
for distributing the cards.  If the cards have keys pre-installed, you will
have to take special care.  It is always best to have the private key
generated on the client device.

As far as Linux PAMs, that should be trivial to do, especially via Java.  I
don't know much about the IBM security chip.

Nick

--
Nick Owen
CEO
WiKID Systems, Inc.
404-879-5227
nowen at wikidsystems.com
http://www.wikidsystems.com
The End of Passwords
--

-----Original Message-----
From: Sebastian Schneider [mailto:ses () straightliners de]
Sent: Tuesday, August 12, 2003 2:22 PM
To: Scott Schwendinger; security-basics () securityfocus com
Subject: Re: SmartCards


This is really interesting. How does it work? I mean, are there any existing
modules for PAM under Linux?
Are SmartCards that safe, when just protected by PIN codes?

What about the security chip which IBM puts into their
Laptops/Workstations?

Sebastian

On Tuesday 12 August 2003 06:36, Scott Schwendinger wrote:
Sebastian,

Smartcards can contain many authentication IDs.  PKI
client certificates can be stored on the smartcard.
When the user accesses the system/login, a request for
proof is sent.  The user must provide the PKI
certificate.  With the use of a smartcard reader
(external or internal) the PKI certificate is read and
the user is authenticated.

Scott Schwendinger

--- Sebastian Schneider <ses () straightliners de> wrote:
Hello,

Are there any means to authenticate users using SmartCard technologies?
It would be helpful, when primary configuration data could be saved to that
card to support mobile users.

Thanks,
Sebastian
--


straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169
Mail: ses () straightliners de


Diese E-Mail enthält vertrauliche und/oder rechtlich
geschützte Informationen.
Wenn Sie nicht der richtige Adressat sind oder diese
E-Mail irrtümlich
erhalten haben,
informieren Sie bitte sofort den Absender und
vernichten Sie diese Mail.
Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht
gestattet.

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.

