One Time Identification, a request for comments/testing.
Nicolas Williams
Nicolas.Williams at sun.com
Fri Feb 2 13:41:00 EST 2007
On Fri, Feb 02, 2007 at 10:16:28AM -0800, John Rudd wrote:
> It seems to me that if you're talking about a simple dumb USB thumb
> drive/data stick, that you're not going to be able to do anything to
> prevent an adversary from copying that data to a local host, and then
> brute-forcing the data over time. So, essentially, the only advantage
> over "just putting a non-protected keytab on a USB drive" and any other
> dumb-data-stick process is some amount of time it takes to overcome
> whatever encryption you've done on the keytab.
The advantage of softtokens over hardtokens is that they are
software-based, and when you don't have a smartcard around they can be
useful in debugging, testing, or even as a cheap alternative to
smartcards. And yes, softtokens are susceptible to offline dictionary
and brute-force attacks by any attacker that can get their hands on
them. But have you ever used passphrase-protected ssh private key
files? I bet you have. It's darn useful because there's no need to buy
a new piece of hardware -- you just have to be more careful than you
might have to be with a smartcard.
There's not much new here. This thread is starting to repeat itself.
The only new questions here are:
- should MIT krb5 have softtoken support?
(And note that if it has PKCS#11 support for PKINIT and/or PA-ENC-
TIMESTAMP long-term symmetric keys then it will have softtoken
support wherever PKCS#11 softtoken providers are available.)
- should there be a standard for softtoken formats?
Since there are at least two PKCS#11 softtoken providers this is an
interesting question. Where should such thing be standardized, if at
all? Perhaps informally would be best.
> I think a more interesting approach would be a non- "dumb data stick"
> approach. It might start to sound like a variation of a smartcard, but
> why not think about a new USB device that's perhaps about the size of a
> USB data stick. It might present itself to the host computer as 2 devices:
This stuff exists. Google it. And it is just a smartcard. Using
bimetrics instead of PINs is interesting and a subject for another
thread, probably on a different forum.
Nico
--
More information about the Kerberos
mailing list