Firewall Wizards mailing list archives
RE: SecureID vs Certificates
From: Nigel Willson <NWillson () tbg com>
Date: Thu, 15 Feb 2001 14:54:22 -0700
Smart card technology is also cool because it can be used as a company's ID badge and when physically pulled from the reader, to go to the bathroom, it can lock the user's workstation. They have been around the European market for the longest time.

Issues preventing adoption in the U.S. have been a lack of support in ATMs (<10%) and lack of incorporation in a corporate computer, requiring the addition of a serial reader, keyboard, PCMCIA, or USB device. So cost has prohibited. There are also issues on using multiple devices simultaneously etc. There are other options, like proximity cards, biometrics, and USB tokens, but I think that the smart card will prevail.

Lack of adoption has also impacted PKI in that, as Marcus states, a secure physical token is necessary for true 2-factor auth. and portability. Entrust offered such solutions as an encrypted file ported on a floppy disk but . . . sheesh!

Nige. [a 10-year smart card evangelist]

---
Nigel P. Willson        Office: 661.297.3209
iSecurity Consultant    Mobile: 661.645.2633
The Burton Group        Fax: 661.430.0007
http://www.tbgintro.com
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Thursday, February 15, 2001 12:47 PM
To: Darren Reed; crist.clark () globalstar com
Cc: capegeo () opengroup org; firewall-wizards () nfr net; miedaner () twcny rr com
Subject: Re: [fw-wiz] SecureID vs Certificates

Darren Reed wrote:
> This talk has got me thinking...has anyone found a way to combine OTPs with digital certificates?

This is kind of what a smart card is all about. Do the signature on the card, so the secret never leaves it, etc. Amazingly cool technology but it's just never caught on particularly well here. It's also tough in security because when you say "smart card" people often hear "SecurID" - Security Dynamics' marketing folks did a good job of confusing the 2 technologies.

A real smart card's a credit-card sized piece of plastic with a microprocessor embedded in it. There's a set of brass contacts that allow the microprocessor to draw power when it's plugged into an interface, and it can "talk" to the outside world through another set of contacts. Some of the fancier cards can run a little operating system inside, that acts as a "firewall" between a data area (organized like a disk) and the outside world, and even supports modular exponentiation in silicon.

So all the capabilities necessary to have a really great 2-factor system are present, with the added advantage that you can have the secret part of an RSA key which never leaves the embedded microprocessor (barring extreme methods such as sanding off the top of the microchip and hitting it with an electron microscope, etc.)

mjr.

---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
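The on-card signing discussed in this thread, sketched as an added example that is not part of the original messages: a simulated card checks a PIN, then signs a fresh host challenge with an RSA private exponent it never returns. `ToyCard`, `host_verify`, `login`, the retry limit and the key parameters are all assumptions made for illustration; the key is constructed textbook RSA without padding and is not secure.

```python
import hashlib
import hmac
import secrets

# Constructed toy key: two Mersenne primes, textbook RSA with no padding. Not secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537

def digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class ToyCard:
    """Simulated card: signs on request, never returns the private exponent."""
    MAX_TRIES = 3  # assumed retry limit before the card blocks itself

    def __init__(self, pin: str):
        self.n, self.e = P * Q, E                  # public half, safe to export
        self.__d = pow(E, -1, (P - 1) * (Q - 1))   # private half, stays "on card"
        self.__pin = pin
        self.__tries_left = self.MAX_TRIES
        self.__unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self.__tries_left == 0:                 # blocked: even the right PIN fails
            return False
        self.__unlocked = hmac.compare_digest(pin, self.__pin)
        self.__tries_left = self.MAX_TRIES if self.__unlocked else self.__tries_left - 1
        return self.__unlocked

    def sign(self, challenge: bytes) -> int:
        if not self.__unlocked:
            raise PermissionError("PIN not verified")
        return pow(digest_int(challenge), self.__d, self.n)

def host_verify(n: int, e: int, challenge: bytes, signature: int) -> bool:
    """Host side: needs only the public key (in practice taken from a certificate)."""
    return pow(signature, e, n) == digest_int(challenge)

def login(card: ToyCard, pin: str) -> bool:
    challenge = secrets.token_bytes(16)  # fresh per attempt, so an old signature is useless
    if not card.verify_pin(pin):         # factor 1: something you know
        return False
    return host_verify(card.n, card.e, challenge, card.sign(challenge))  # factor 2: the card
```

Python name mangling only imitates the isolation here; on a real card the boundary is enforced by the chip and its operating system.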