| Subject: | Re: Smart card proposal |
|---|---|
| Date: | Mon, 24 Jan 2005 20:29:46 -0500 |
The USB Key token would eliminate the need for the smartcard reader and the pin can be typed on the keyboard since it does not really matter if the keystrokes are copied since with two-factor authentication you need the combination of the physical device and the pin# (two factor is - something you have (USB key) with something you know (pin#)).
USB Key token and USB flash drive are 2 different things and I was replying to someone talking of USB flash drive... It does matter if the keystrokes are logged. If keystrokes are copied, the attacker (who installed the keylogger) could likely be on the computer at the same time that the iKey (or smartcard) is inserted. That means that he could trigger the USB Key or smart card at will while it's hooked to the computer... In that way RSA Tokens are way more secure. But as I already said, RSA Tokens would probably not be the solution for a very huge deployment, and they do have other issues... One concern I have with iKey, does it support Linux, OS X, and *BSD?
The RSA random password generator won't work for the reason below. The RSA secure ID is more expensive than a USB token like Rainbow iKey and needs a battery replacement (USB token does not). Plus RSA is a random password generator and is not really two factor authentication and the deployment on
How is RSA not 2 factor? It's something you know (PIN) and something you own (RSA Calculator or Key holder). Seems 2 factor to me... Having only the PIN or only the Calculator would not be good enough to get in...
an RSA Radius server is such that all remote users need to be on the system since the server cannot allow some to have the RSA token and others in the directory to have user name and passwords.
This isn't really true... You can always have more than 1 PAM (Pluggable Authentication Module) supporting different authentication systems... The interesting part of the RSA solution is that since it's not hooked up to the computer, if the computer is compromised the attacker cannot ask the RSA device to give it a token. In the case of an attacker controlling a computer with an iKey, once he captures the PIN, he could reuse the PIN to ask for more tokens...