WebApp Sec mailing list archives

Re: Smart card proposal


From: Kevin Kadow <kkadow () gmail com>
Date: 16 Feb 2005 06:20:38 -0000

In-Reply-To: <4b74cf63050124172961510dd4 () mail gmail com>

> The USB Key token would eliminate the need for the
> smartcard reader and the PIN can be typed on the keyboard
> . . .
> If keystrokes are copied, the attacker (who installed the keylogger)
> could likely be on the computer at the same time that the iKey (or
> smartcard) is inserted. That means that he could trigger the USB Key or
> smart card at will while it's hooked to the computer...
>
> In that way RSA Tokens are way more secure.

Funny that you mention this -- RSA just yesterday announced two new
hardware tokens, one of which has a display but is USB-enabled, and
allows for the current tokencode to be copied out via USB.

So now RSA has all of the disadvantages of a USB key.

> But as I already said, RSA Tokens would probably not be the
> solution for a very huge deployment, and they do have other issues

Care to elaborate (on list or in private)?  Putting the per-token
price aside, I'm not unhappy with RSA, and I'd guess that AOL can
say the same.  The web agent works remarkably well, assuming you
are running a supported HTTPd and OS.


> One concern I have with iKey: does it support Linux,
> OS X, and *BSD?  The RSA random password generator won't work
> for the reason below.

I do not trust the RSA "soft token" (generator), on any OS.
The only proven attack against SecurID was against the soft token.
But if you do have a hardware token, it is OS-agnostic, and with
some effort you can even use SecurID to authenticate services on
just about any OS.  With the new open authentication standards
coming down the pipe (OATH, OPTS, etc), things will only get better.


> The RSA SecurIDs are more expensive than a USB token like the
> Rainbow iKey and need battery replacement (a USB token does not).

Worse than that, RSA tokens are garbage when the battery dies, you
can drop them in the trash or send them back to RSA to be shredded
and recycled.

> Plus RSA is a random password generator and is not really
> two factor authentication and the deployment on
>
> How is RSA not 2 factor? It's something you know (PIN) and
> something you own (RSA Calculator or Key holder).
> Seems 2 factor to me... Having only the PIN or only the
> Calculator would not be good enough to get in...
> . . .

> The interesting part of the RSA solution is that since it's not hooked up
> to the computer, if the computer is compromised the attacker cannot
> ask the RSA device to give it a token.
>
> In the case of an attacker controlling a computer with an iKey, once he
> captures the PIN, he could reuse the PIN to ask for more tokens...

Of course, with this new USB "fob" that RSA will be selling
later this year, it appears their usb-enabled token will gain
the same vulnerabilities their competition has had all along.


Of course, as a (mostly) happy customer of RSA and moderator of the
unofficial unaffiliated SecurID users group, I am a bit biased.

Kevin Kadow

