From: Bruce S. <bw...@re...> - 2008-10-24 15:34:50

That sounds good ... except you can't login places without cell phone
coverage (like my house). :-)

 - BS

> I think the system sends you an sms message with a one time key
> Sent via BlackBerry from T-Mobile
>
> -----Original Message-----
> From: "Moray McConnachie" <mmc...@ox...>
> Date: Fri, 24 Oct 2008 15:33:26
> To: <dev...@li...>
> Subject: Re: [Devil-Linux-discuss] hard tokens
>
>
> That's true, but the user would have to give someone access to their key
> and their password. So you are making theft pretty tricky. I don't know
> if it was truly a goal of this system to prevent a user at all costs
> giving someone else access. I mean even with a traditional RSA device a
> user could give someone their passcode and lend them the RSA device.
>
> At least one of Heiko's exemplars has the "physical" factor be software
> running on a mobile phone. I don't know if it is possible in a Java
> environment to lock this to a particular phone. It would be possible in
> a Windows Mobile environment.
>
> M.
> -------------------------------------
> Moray McConnachie
> Head of IS +44 1865 261 600
> Oxford Analytica http://www.oxan.com
>
> -----Original Message-----
> From: Bruce Smith [mailto:bw...@re...]
> Sent: 24 October 2008 15:22
> To: dev...@li...
> Subject: Re: [Devil-Linux-discuss] hard tokens
>
> I must be missing something. :-)
>
> I understand the advantages of hardware keys.
>
> But the USB stick approach still sounds a lot like putting an encrypted
> private key on a USB stick.
>
> Something I have (usb stick), and something I know (password to decrypt
> key).
>
> Maybe it's because I'm not thinking how I could use this personally.
> I'm thinking in terms of a corporate wide solution.
>
> If I was to implement this at work, I believe I would still need a
> hardware key to prevent password sharing. The hardware RSA keys cannot
> be duplicated, and the number on the display is constantly changing.
> That requires employees to have the key in hand when logging in.
> It also prevents them from making extra copies of the key and giving
> it out to other people. And hence puts a stop to those people who have
> the bad habit of sharing their password.
>
> I can't see how to accomplish the same thing with software only, on
> media that can be copied.
>
> - BS
>
>
>> There are two things. The USB key is part of a two factor login.
>> Something you know (username and password) and something you have (the
>> usb key). You could duplicate the key but you need physical access,
>> and you can in theory guess the value of that key but that can be as
>> long as you want. Username and passwords we all know how fragile they
>> are. The only other factor one can add is something you are
>> (fingerprint for example).
>>
>> Another version of something you have which makes it harder to
>> duplicate is a single key generator. If you somehow intercept the key
>> on one login (Tempest? Key Logger?) it will not help you on the next
>> login. You need to have access to the key generator. There are
>> weaknesses but still stronger than password protected keychain for SSH
>> for example.
>>
>> There are variations and some weaken the system to avoid data loss
>> through losing the key.
>>
>>
>> Fred Frigerio
>> Locust USA
>>
>> This electronic message transmission contains information from Locust
>> USA which may be confidential or privileged. The information is
>> intended to be for the use of the individual or entity named above.
>> If you are not the intended recipient, be aware that any disclosure,
>> copying, distribution or use of the contents of this information is
>> prohibited. If you have received this electronic transmission in
>> error, please notify us by telephone (305-889-5410) or by reply via
>> electronic mail immediately.
>>
>> -----Original Message-----
>> From: Bruce Smith [mailto:bw...@re...]
>> Sent: Friday, October 24, 2008 7:33 AM
>> To: dev...@li...
>> Subject: Re: [Devil-Linux-discuss] hard tokens
>>
>> I admit that I've never researched this subject, but ...
>>
>> Can't software tokens and USB keys easily be copied?
>> Doesn't that defeat the purpose?
>>
>> What's the difference between a USB/software key and just putting your
>> private key on a USB stick?
>>
>> - BS
>>
>>
>>> I found some infos, in case someone else is interested too.
>>> It's all free and seems to work with software tokens, so a hardware
>>> token should hopefully work too.
>>>
>>> http://www.oiepoie.nl/2008/05/02/free-strong-two-factor-authentication-using-one-time-passwords-on-your-mobile-phone/
>>> http://www.tri-dsystems.com/documentation/quickstart.html
>>> http://fbq.hamal.nl/index.php/archives/8#more-8
>>>
>>> --
>>>
>>> Regards
>>> Heiko Zuerker
>>> http://www.devil-linux.org
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>> challenge Build the coolest Linux based applications with Moblin SDK &
>> win great prizes Grand prize is a trip for two to an Open Source event
>> anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Devil-linux-discuss mailing list
>> Dev...@li...
>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>>
>
> --
> - BS
>

--
 - BS