Slashdot Mirror


User: 8DH

8DH's activity in the archive.

Stories: 0 · Comments: 3

Comments · 3

  1. Re:I tried S/MIME on Elegant Email Encryption for Everyone? · · Score: 1

    If you're desperate, use OpenSSL to set up your own CA. Then you can issue your own certificates!

  2. Protected Authenticated Path on E-Mail Clients That Support X.509 Digital IDs? · · Score: 1
    The idea with hardware tokens is that your private key is stored on it and that it cannot be extracted from there. Instead the token (smart card for instance) supplies cryptographic functions that allow you to use the private key.

    If your smartcard reader has a so-called protected authenticated path (a PIN pad or a fingerprint reader), the PIN or the biometric info will _never_ enter your computer. And voila, you are protected against evil programs like Back Orifice!

    Take a look at precisebiometrics

    The PKCS#11 standard: www.rsalabs.com

    A PIN pad solution that provides protected authenticated path: www.accessgear.com

  3. Threat analysis is the key here. on Username/Password - Is It Still Secure? · · Score: 1
    As mentioned by many already, there is no such thing as a secure system.

    When designing a secured system the designer has to identify the threats and the cost such threats might impose upon the system.

    The next step is to find the counter measures and to estimate the cost of implementing them. Then, if the cost of each counter measure can be justified compared to the potential cost of the damage that the corresponding threat might impose, then the counter measure should be implemented. In this case the general secured web application has a lot of threats like dictionary attacks against weak passwords etc.

    IMHO the most dangerous threat to the general secured web application today is the very serious threat coming from a NetBus or Back Orifice attack on the client side. Using such a program it would be very easy to fetch any passwords that are entered through the keyboard.

    A very good counter measure for those types of attacks is to use some kind of hardware token, be it a smart card, USB token, one time password generator or a challenge response token. Using the right tools, implementing such a counter measure shouldn't take that much time.