One Time Identification, a request for comments/testing.
Sam Hartman
hartmans at MIT.EDU
Wed Jan 31 07:02:43 EST 2007
So, the USB flash stores the 160-bit RSA encrypted user identity?
I think that this approach or something like it could be useful. I'm
not sure I'm happy with your key schedule, or some of the crypto
details. I'd prefer to think about whether RFC 3961 might provide
better options. Similarly, I'm not sure what you get out of RSA
encryption.
An alternative proposal that seems like it would do the same thing
from a security standpoint would be a way to combine a password key
with pkinit. You could store a soft certificate on a USB token.
Ultimately, though, I think that the important thing is the user
experience. I agree with you that providing stronger authentication
when someone provides a USB flash disk with some secret information is
desirable. I think the specific details of how to do this should be
worked out in the Kerberos working group of the IETF. I encourage you
to take your proposal there.
--Sam
More information about the Kerberos
mailing list