>  On the token front, we're still unfortunately waiting for the ideal key
>  storage device. USB tokens, smart cards, and cell phones are all
>  candidates, and the pros and cons of these options form a complex matrix.
>  Universities tend to prefer the USB approach because the tokens work with
>  PCs and Macs that can't easily be outfitted with card readers.

On that subject I highly recommend a report very recently
published by DFN-CERT and SurfNET.

  http://www.dfn-pca.de/bibliothek/reports/pki-token/ :


The usage of X.509 certificates and related PKI techniques is getting
more and more common. It enables users to sign and encrypt messages, to
use secure communication channels for internet communication and to
authenticate themselves to all kinds of network services. The overall
level of security for the usage of public key cryptography depends
heavily on that of the private key, which is usually installed on the
local host of the user. This poses not only a security risk but it does
also restrict the increasing user demand for mobility. A solution to
these problems can be smart cards and USB-tokens, which store private
keys in such a way that they cannot be retrieved from these. Instead data
can be sent to these devices and is being processed, decrypted or signed,
by the device itself and only then the results are provided by these
devices for further processing.

These devices are very promising for the widespread usage of PKI. In a
PC-dominated world the USB-tokens have the advantage that no additional
reader is necessary to use them even on foreign hosts. Both types of
devices, smart cards and USB-tokens, still need support by the underlying
operating systems and by the used applications. This makes it very
difficult to decide which token may be successfully used in any given
environment and will meet the demands of the applications and intended
usage. This report tries to ease the decision process when selecting a
token for a particular environment and platform.

For this purpose a number of the available tokens were tested together
with the most common applications on the most commonly used operating
systems. A reproducible test framework was established to ensure the
comparability and re-usability of these tests.

Overall it is safe to say in a homogeneous environment with commonly used
applications the tested tokens perform well. Nevertheless rolling out
tokens on a large scale is still not something to be undertaken on a
Friday afternoon.



Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
