WebApp Sec mailing list archives
Re: Smart card proposal
From: Hugo Fortier <hugo.fortier () gmail com>
Date: Mon, 24 Jan 2005 20:29:46 -0500
> The USB key token would eliminate the need for the smart card reader, and the PIN can be typed on the keyboard since it does not really matter if the keystrokes are copied: with two-factor authentication you need the combination of the physical device and the PIN (two-factor is something you have (USB key) with something you know (PIN)).
USB key tokens and USB flash drives are 2 different things, and I was replying to someone talking about USB flash drives... It does matter if the keystrokes are logged. If keystrokes are copied, the attacker (who installed the keylogger) could likely be on the computer at the same time that the iKey (or smart card) is inserted. That means that he could trigger the USB key or smart card at will while it's hooked to the computer... In that way RSA tokens are way more secure. But as I already said, RSA tokens would probably not be the solution for a very huge deployment, and they do have other issues... One concern I have with the iKey: does it support Linux, OS X, and *BSD?
> The RSA random password generator won't work for the reason below. The RSA SecurID is more expensive than a USB token like the Rainbow iKey and needs a battery replacement (a USB token does not). Plus RSA is a random password generator and is not really two-factor authentication, and the deployment on
How is RSA not 2-factor? It's something you know (PIN) and something you own (RSA calculator or key holder). Seems 2-factor to me... Having only the PIN or only the calculator would not be good enough to get in...
> an RSA RADIUS server is such that all remote users need to be on the system, since the server cannot allow some to have the RSA token and others in the directory to have user names and passwords.
This isn't really true... You can always have more than one PAM (Pluggable Authentication Module) and support different authentication systems... The interesting part of the RSA solution is that since it's not hooked up to the computer, if the computer is compromised the attacker cannot ask the RSA device to give it a token. In the case of an attacker controlling a computer with an iKey, once he captures the PIN, he could reuse the PIN to ask for more tokens...
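An added example (not part of Hugo's message or of anything else in this thread) of what "more than one PAM" looks like in practice: a Linux-PAM auth stack for sshd in which members of an assumed group named token-users are authenticated against the RSA RADIUS server through pam_radius_auth (the FreeRADIUS PAM module, assumed to be installed and pointed at the server by its own config file), while everyone else is authenticated against the local password database by pam_unix. The RADIUS server then only has to know the token holders, which is the situation the quoted text says is impossible. The group name, the file path and the module availability are assumptions.

```text
# /etc/pam.d/sshd  (auth section only; assumed example stack, not from the thread)

# If the user is NOT a token holder, skip the next line (the RADIUS check).
auth  [success=1 default=ignore]  pam_succeed_if.so quiet user notingroup token-users

# Token holders: PIN+tokencode is checked by the RSA RADIUS server.
# done  = RADIUS accepted the passcode, stop here with success
# die   = RADIUS rejected it, stop here with failure (no fallback to a password)
auth  [success=done default=die]  pam_radius_auth.so

# Everyone else: ordinary local password.
auth  required                     pam_unix.so
```

The control flags are the part to get right. With `sufficient` on the pam_radius_auth line instead of `[success=done default=die]`, a token holder whose RADIUS check fails would fall through to pam_unix and could log in with a password alone, which is exactly the weakening the thread is arguing about; the `die` makes the token mandatory for that group. The module also only removes the "everyone must be on the RADIUS server" constraint on the login host side: the RADIUS/ACE server still decides which token holders it accepts.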
Current thread:
- RE: Smart card proposal, (continued)
- RE: Smart card proposal Lyal Collins (Jan 24)
- RE: Smart card proposal Richard M. Smith (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- RE: Smart card proposal Michael Silk (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Rishi Pande (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- RE: Smart card proposal Richard M. Smith (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- RE: Smart card proposal Richard M. Smith (Jan 27)
- Re: Smart card proposal DE Gustafson (Jan 27)
- Re: Smart card proposal Koh Gim Leng (Jan 28)
- RE: Smart card proposal Lyal Collins (Jan 28)