Domain: cryptocard.com
Stories and comments across the archive that link to cryptocard.com.
Comments · 11
-
Passwords be gone!
Yes, and for those that are interested in propagating good security measures in their engineering feats should take a look a 2FA (2 factor authentication) architecture as a solution. There are many companies that offer this but one of the easiest to get going with from personal experience is the folks at http://www.cryptocard.com/ . Beats using passwords and is easy to migrate from RSA key auth to this.
-
Re:One more damn thing to carry around
Is some moron actually thinks to provide a trusted and hosted service for this it will be much better, hell the banks could even do it. so anyone could tie their (limited by client web application for a modest fee) ap into it.
something simple like
1. check client web application has authorisation
2. check query times number of false results per src / token id to avoid attacks
client web app
1. normal login password (client ap)
2. token login (hoseted ap)
queries
https... yada yada blah.cgi?tokenid=1234&pass=123456
output
result = true or false
client web ap reads results grants entry or not
here is a link to get u started: http://www.cryptocard.com/
(one of the few running on linux end to end)
now someone with some money go and do this please...have a nice day -
Cryptocard
There's a company called Cryptocard that produces a product similar to what you're looking for:
http://www.cryptocard.com/index.cfm?PID=464&PageNa me=UB-1%20USB%20Token
They support Windows, Mac OS X, and Linux.
http://www.cryptocard.com/index.cfm?PID=376&PageNa me=CRYPTO-Server
--Paul -
Cryptocard
There's a company called Cryptocard that produces a product similar to what you're looking for:
http://www.cryptocard.com/index.cfm?PID=464&PageNa me=UB-1%20USB%20Token
They support Windows, Mac OS X, and Linux.
http://www.cryptocard.com/index.cfm?PID=376&PageNa me=CRYPTO-Server
--Paul -
Re:Human error
hope ur recomending replacing static passwords with http://www.cryptocard.com/ (shameless plug from a happy customer)
-
CryptoCard
We use these thingies where I work to log on to just about everything. I see a time coming where these (or similar products) will be used by all manner of financial and other institutions.
-
Re:Only Useful in Corporate Environments
You only think this because, (a) you really do not understand authentication, and (b) you hane not looked outside the very propreitary PKI world
Yes. Thank you for talking down to me, and then proceeding to talk about something else entirely. I was talking about hardware tokens like this one or the CryptoCard RB-1 seen here.
I'm quite aware of how certificates work. I'm also quite aware that a private key, whether it's an X509 cert or an SSH key, is quite vulnerable if it's sitting on a user's PC. This is why the hardware tokens are attractive, because it is effectively impossible (i.e., computationally infeasable) for a remote attacker to copy. That's why I was pointing out that hardware tokens seem to be private key based, and asking if anybody knew of a way to perform a public-key based authentication using a typeable number of characters. The private-key nature of the hardware tokens make them unattractive for use in authenticating to multiple domains.
Yes, I'm aware of USB dongles and smart cards that perform public-key based authentication. But they also require drivers/software on the client which hardware tokens do not. They are also vulnerable to misuse as long as the card/dongle is connected to the users PC, even if the private key itself can't be copied. -
Timing could add another layerSome posters have suggested sniffing as a way to get through a port knocking defense. That is true, but what if the "knock" pattern changed in some pseudo-random way and the same knock could never be used twice? Think s/key. Then even sniffers wouldn't know what to do. Sometime when I have time I'm also going to write a PAM module for Cryptocard authentication for SSH to provide two-factor authentication, too.
I think this whole idea is a cool technique. It isn't the same as security through obscurity because the security still relies in a key. It is more like "network protocol steganography" actually.
---------
Create a WAP server now -
sol'n: one-time password tokens
The simpliest way to lock down your system is to give the users one-time password tokens like SecurID or Cryptocard.
-
Use authentication tokens
The best solution to the password problem are authentication tokens like Cryptocard or SecurID.
jon.sable@sympatico.ca -
Tamperresistant cryptographic calculator/token..You get a challenge. You type in the numbers into a nice little 'calculator' (or even, hold it to the screen where a Java applet is blinking rapidly -- so the calculator's lightsensor picks up the challenge automatically), and then you enter the response. I know of at least two Dutch banks who use this (ABN-AMRO and SNS).
Obviously the calculator contains a shared secret, so you would want it to be tamperresistant.
Also the calculator could be stolen and the owner might not be quick enough in discovering this and reporting it -- a username/password combo are used to counter that. Of course the odds of your key getting stolen are not that big, so security of the password itself is a lesser matter.
Also you'd want user/password on the users application and store data encrypted on the harddrive (ABN-AMRO and SNS do NOT do this, sigh), but if you don't want to ship an app, you can leave client-side security to the users themselves. After all if people are abusing the computer in their own home, they have a far wider problem to think about than just their medical data...
Encrypted filesystems should really be included with operating systems, anyway..
Ow, and of course, all comms should be encrypted. Validity of a certificate is quite easily established by shipping a fingerprint with the calculator via registered mail (or have clients pick those up in person), which should saveguard against man in the middle attacks..
The nice thing about calculator-type tokens is that you don't need a smart-card or swipe-card interface on your computer, plus it works stand-alone, and can be made tamperresitant (of, if you're to belief cryptocard.com 'tamperproof').
--