One Time Identification, a request for comments/testing.

Nicolas Williams Nicolas.Williams at
Fri Feb 2 13:41:00 EST 2007

On Fri, Feb 02, 2007 at 10:16:28AM -0800, John Rudd wrote:
> It seems to me that if you're talking about a simple dumb USB thumb 
> drive/data stick, that you're not going to be able to do anything to 
> prevent an adversary from copying that data to a local host, and then 
> brute-forcing the data over time.  So, essentially, the only advantage 
> over "just putting a non-protected keytab on a USB drive" and any other 
> dumb-data-stick process is some amount of time it takes to overcome 
> whatever encryption you've done on the keytab.

The advantage of softtokens over hardtokens is that they are
software-based, and when you don't have a smartcard around they can be
useful in debugging, testing, or even as a cheap alternative to
smartcards.  And yes, softtokens are susceptible to offline dictionary
and brute-force attacks by any attacker that can get their hands on
them.  But have you ever used passphrase-protected ssh private key
files?  I bet you have.  It's darn useful because there's no need to buy
a new piece of hardware -- you just have to be more careful than you
might have to be with a smartcard.

There's not much new here.  This thread is starting to repeat itself.

The only new questions here are:

 - should MIT krb5 have softtoken support?

   (And note that if it has PKCS#11 support for PKINIT and/or PA-ENC-
   TIMESTAMP long-term symmetric keys then it will have softtoken
   support wherever PKCS#11 softtoken providers are available.)

 - should there be a standard for softtoken formats?

   Since there are at least two PKCS#11 softtoken providers this is an
   interesting question.  Where should such thing be standardized, if at
   all?  Perhaps informally would be best.

> I think a more interesting approach would be a non- "dumb data stick" 
> approach.  It might start to sound like a variation of a smartcard, but 
> why not think about a new USB device that's perhaps about the size of a 
> USB data stick.  It might present itself to the host computer as 2 devices:

This stuff exists.  Google it.  And it is just a smartcard.  Using
bimetrics instead of PINs is interesting and a subject for another
thread, probably on a different forum.


More information about the krbdev mailing list