Firewall Wizards mailing list archives

RE: SecureID vs Certificates


From: Nigel Willson <NWillson () tbg com>
Date: Thu, 15 Feb 2001 14:54:22 -0700

Smart card technology is also cool because it can be used as a
company's ID badge and when physically pulled from the reader,
to go to the bathroom, it can lock the user's workstation.

They have been around the European market for the longest time.

Issues preventing adoption in the U.S. have been a lack of
support in ATMs (<10%) and lack of incorporation in a corporate
computer, requiring the addition of a serial reader, keyboard,
PCMCIA, or USB device. So cost has prohibited. There are also
issues on using multiple devices simultaneously etc.

There are other options, like proximity cards, biometrics, and
USB tokens, but I think that the smart card will prevail.

Lack of adoption has also impacted PKI in that, as Marcus states,
a secure physical token is necessary for true 2-factor auth. and
portability. Entrust offered such solutions as an encrypted file
ported on a floppy disk but . . . sheesh!

Nige. [a 10-year smart card evangelist]

---
  Nigel P. Willson       Office: 661.297.3209
   iSecurity Consultant   Mobile: 661.645.2633
    The Burton Group       Fax:    661.430.0007
     http://www.tbgintro.com


-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Thursday, February 15, 2001 12:47 PM
To: Darren Reed; crist.clark () globalstar com
Cc: capegeo () opengroup org; firewall-wizards () nfr net;
miedaner () twcny rr com
Subject: Re: [fw-wiz] SecureID vs Certificates


Darren Reed wrote:
> This talk has got me thinking...has anyone found a way to combine
> OTP's with digital certificates?

This is kind of what a smart card is all about. Do the signature on
the card, so the secret never leaves it, etc. Amazingly cool technology
but it's just never caught on particularly well here. It's also tough in
security because when you say "smart card" people often hear
"SecurID" - Security Dynamics' marketing folks did a good job of
confusing the 2 technologies. A real smart card's a credit-card sized
piece of plastic with a microprocessor embedded in it. There's a
set of brass contacts that allow the microprocessor to draw power
when it's plugged into an interface, and it can "talk" to the outside
world through another set of contacts. Some of the fancier cards
can run a little operating system inside, that acts as a "firewall"
between a data area (organized like a disk) and the outside world,
and even supports modular exponentiation in silicon. So all the
capabilities necessary to have a really great 2-factor system are
present, with the added advantage that you can have the secret
part of an RSA key which never leaves the embedded microprocessor
(barring extreme methods such as sanding off the top of the microchip
and hitting it with an electron microscope, etc.)

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
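
The on-card signing described in the thread, sketched as an added example that is not part of either message: a software stand-in for the card keeps the private exponent inside the object, signs a fresh host challenge only after a PIN check, and blocks after three wrong PINs. The class and function names, the toy key built from two Mersenne primes, and the hash-then-reduce encoding are assumptions for illustration; a real card enforces this boundary in hardware and uses padded RSA signatures.

```python
import hashlib, hmac, secrets

class SimulatedCard:
    """Software stand-in for the card's microprocessor (constructed toy)."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin):
        # Constructed toy key from two Mersenne primes; far too small for real use.
        p, q = 2**127 - 1, 2**107 - 1
        self.n, self.e = p * q, 65537                   # public half, exportable
        self.__d = pow(self.e, -1, (p - 1) * (q - 1))   # private half, no getter
        self.__pin_hash = hashlib.sha256(pin.encode()).digest()
        self.__tries_left = self.MAX_PIN_TRIES

    def public_key(self):
        return self.n, self.e

    def sign(self, pin, challenge):
        """Sign a challenge on-card, only after the PIN check passes."""
        if self.__tries_left == 0:
            raise PermissionError("card blocked")
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self.__pin_hash):
            self.__tries_left -= 1
            raise PermissionError("wrong PIN")
        self.__tries_left = self.MAX_PIN_TRIES
        return pow(digest_int(challenge, self.n), self.__d, self.n)

def digest_int(data, n):
    # Toy encoding: SHA-256 reduced mod n (stands in for a padded signature scheme).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def verify(public_key, challenge, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_int(challenge, n)

def login(card, pin, enrolled_key):
    """Host side: send a fresh random challenge, check the card's signature."""
    challenge = secrets.token_bytes(32)
    try:
        signature = card.sign(pin, challenge)
    except PermissionError:
        return False
    return verify(enrolled_key, challenge, signature)
```

Because the host picks a new random challenge for every login, a signature captured from one session does not verify against the next one.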
