Firewall Wizards mailing list archives

Re: SecureID vs Certificates


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Thu, 15 Feb 2001 15:47:16 -0500

Darren Reed wrote:
> This talk has got me thinking...has anyone found a way to combine
> OTP's with digital certificates?

This is kind of what a smart card is all about. Do the signature on
the card, so the secret never leaves it, etc. Amazingly cool technology
but it's just never caught on particularly well here. It's also tough in
security because when you say "smart card" people often hear
"SecurID" - Security Dynamics' marketing folks did a good job of
confusing the 2 technologies. A real smart card's a credit-card sized
piece of plastic with a microprocessor embedded in it. There's a
set of brass contacts that allow the microprocessor to draw power
when it's plugged into an interface, and it can "talk" to the outside
world through another set of contacts. Some of the fancier cards
can run a little operating system inside, that acts as a "firewall"
between a data area (organized like a disk) and the outside world,
and even supports modular exponentiation in silicon. So all the
capabilities necessary to have a really great 2-factor system are
present, with the added advantage that you can have the secret
part of an RSA key which never leaves the embedded microprocessor
(barring extreme methods such as sanding off the top of the microchip
and hitting it with an electron microscope, etc)

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
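
The following is an added example, not part of the original message: a Python model of the two-factor flow the post describes, where the card signs a fresh server challenge and the private exponent is never exposed to the host. The names `make_card`, `verify` and `login`, the PIN as second factor with a retry counter, and the toy key parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy key: two Mersenne primes. NOT secure; a real card generates
# its key on-chip and signs with a padded scheme, not textbook RSA.
_P, _Q, E = 2**127 - 1, 2**521 - 1, 65537

class CardLocked(Exception):
    """Raised once the PIN retry counter reaches zero."""

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def make_card(pin: str, max_tries: int = 3):
    """Hypothetical card model: returns (public_key, sign).
    The private exponent d exists only inside this closure."""
    n = _P * _Q
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    tries_left = max_tries

    def sign(challenge: bytes, entered_pin: str) -> int:
        nonlocal tries_left
        if tries_left == 0:
            raise CardLocked("retry counter exhausted")
        if not hmac.compare_digest(entered_pin.encode(), pin.encode()):
            tries_left -= 1
            raise PermissionError("wrong PIN")
        tries_left = max_tries          # a correct PIN resets the counter
        return pow(_digest(challenge), d, n)

    return (n, E), sign

def verify(public_key, challenge: bytes, signature: int) -> bool:
    """Host side: needs only the public key (what a certificate would carry)."""
    n, e = public_key
    return pow(signature, e, n) == _digest(challenge)

def login(public_key, sign, pin: str) -> bool:
    """A fresh random challenge per attempt makes each response one-time."""
    challenge = secrets.token_bytes(32)
    try:
        return verify(public_key, challenge, sign(challenge, pin))
    except (PermissionError, CardLocked):
        return False
```
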

