From: Fred F. <ffr...@lo...> - 2008-10-24 14:35:32

I think the system sends you an SMS message with a one time key

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Moray McConnachie" <mmc...@ox...>
Date: Fri, 24 Oct 2008 15:33:26
To: <dev...@li...>
Subject: Re: [Devil-Linux-discuss] hard tokens

That's true, but the user would have to give someone access to their key
and their password. So you are making theft pretty tricky. I don't know
if it was truly a goal of this system to prevent a user at all costs
giving someone else access. I mean even with a traditional RSA device a
user could give someone their passcode and lend them the RSA device.

At least one of Heiko's exemplars has the "physical" factor be software
running on a mobile phone. I don't know if it is possible in a Java
environment to lock this to a particular phone. It would be possible in
a Windows Mobile environment.

M.

-------------------------------------
Moray McConnachie
Head of IS +44 1865 261 600
Oxford Analytica http://www.oxan.com

-----Original Message-----
From: Bruce Smith [mailto:bw...@re...]
Sent: 24 October 2008 15:22
To: dev...@li...
Subject: Re: [Devil-Linux-discuss] hard tokens

I must be missing something. :-)

I understand the advantages of hardware keys. But the USB stick approach
still sounds a lot like putting an encrypted private key on a USB stick.
Something I have (USB stick), and something I know (password to decrypt
key).

Maybe it's because I'm not thinking how I could use this personally.
I'm thinking in terms of a corporate wide solution.

If I was to implement this at work, I believe I would still need a
hardware key to prevent password sharing.

The hardware RSA keys cannot be duplicated, and the number on the
display is constantly changing. That requires employees to have the key
in hand when logging in. It also prevents them from making extra copies
of the key and giving it out to other people. And hence puts a stop to
those people who have the bad habit of sharing their password.

I can't see how to accomplish the same thing with software only, on
media that can be copied.

 - BS

> There are two things. The USB key is part of a two factor login.
> Something you know (username and password) and something you have (the
> USB key). You could duplicate the key but you need physical access,
> and you can in theory guess the value of that key but that can be as
> long as you want. Username and passwords we all know how fragile they
> are. The only other factor one can add is something you are
> (fingerprint for example).
>
> Another version of something you have which makes it harder to
> duplicate is a single key generator. If you somehow intercept the key
> on one login (Tempest? Key Logger?) it will not help you on the next
> login. You need to have access to the key generator. There are
> weaknesses but still stronger than password protected keychain for SSH
> for example.
>
> There are variations and some weaken the system to avoid data loss
> through losing the key.
>
>
> Fred Frigerio
> Locust USA
>
> This electronic message transmission contains information from Locust
> USA which may be confidential or privileged. The information is
> intended to be for the use of the individual or entity named above.
> If you are not the intended recipient, be aware that any disclosure,
> copying, distribution or use of the contents of this information is
> prohibited. If you have received this electronic transmission in
> error, please notify us by telephone (305-889-5410) or by reply via
> electronic mail immediately.
>
> -----Original Message-----
> From: Bruce Smith [mailto:bw...@re...]
> Sent: Friday, October 24, 2008 7:33 AM
> To: dev...@li...
> Subject: Re: [Devil-Linux-discuss] hard tokens
>
> I admit that I've never researched this subject, but ...
>
> Can't software tokens and USB keys easily be copied?
> Doesn't that defeat the purpose?
>
> What's the difference between a USB/software key and just putting your
> private key on a USB stick?
>
> - BS
>
>
>> I found some info, in case someone else is interested too.
>> It's all free and seems to work with software tokens, so a hardware
>> token should hopefully work too.
>>
>> http://www.oiepoie.nl/2008/05/02/free-strong-two-factor-authentication-using-one-time-passwords-on-your-mobile-phone/
>> http://www.tri-dsystems.com/documentation/quickstart.html
>> http://fbq.hamal.nl/index.php/archives/8#more-8
>>
>> --
>>
>> Regards
>> Heiko Zuerker
>> http://www.devil-linux.org
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge Build the coolest Linux based applications with Moblin SDK &
> win great prizes Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>

--
 - BS