On Fri, Feb 02, 2007 at 10:16:28AM -0800, John Rudd wrote:
> It seems to me that if you're talking about a simple dumb USB thumb
> drive/data stick, that you're not going to be able to do anything to
> prevent an adversary from copying that data to a local host, and then
> brute-forcing the data over time. So, essentially, the only advantage
> over "just putting a non-protected keytab on a USB drive" and any other
> dumb-data-stick process is some amount of time it takes to overcome
> whatever encryption you've done on the keytab.
The advantage of softtokens over hardtokens is that they are software-based, and when you don't have a smartcard around they can be useful in debugging, testing, or even as a cheap alternative to smartcards. And yes, softtokens are susceptible to offline dictionary and brute-force attacks by any attacker that can get their hands on them.

But have you ever used passphrase-protected ssh private key files? I bet you have. It's darn useful because there's no need to buy a new piece of hardware -- you just have to be more careful than you might have to be with a smartcard.

There's not much new here. This thread is starting to repeat itself. The only new questions here are:

- should MIT krb5 have softtoken support? (And note that if it has PKCS#11 support for PKINIT and/or PA-ENC-TIMESTAMP long-term symmetric keys then it will have softtoken support wherever PKCS#11 softtoken providers are available.)

- should there be a standard for softtoken formats? Since there are at least two PKCS#11 softtoken providers this is an interesting question. Where should such a thing be standardized, if at all? Perhaps informally would be best.

> I think a more interesting approach would be a non-"dumb data stick"
> approach. It might start to sound like a variation of a smartcard, but
> why not think about a new USB device that's perhaps about the size of a
> USB data stick. It might present itself to the host computer as 2 devices:

This stuff exists. Google it. And it is just a smartcard.

Using biometrics instead of PINs is interesting and a subject for another thread, probably on a different forum.

Nico
--
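The two points the thread keeps circling (a passphrase-protected softtoken is only as strong as the work an adversary with a copy of the file must do per guess, and the passphrase-protected ssh key analogy) can be made concrete with a small example. The code below is added here and is not part of the thread, of MIT krb5, or of any PKCS#11 softtoken provider's format; the file layout, the `SOFTTOKEN1` magic and the default iteration count are constructed for illustration. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream in counter mode under a PBKDF2-derived key, with a separate HMAC tag (encrypt-then-MAC) so a wrong passphrase or a tampered file is rejected rather than silently yielding garbage. The last function makes the "some amount of time" argument explicit: the KDF work factor is the one knob the defender controls once the file has been copied.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed layout (not a standard softtoken format):
#   MAGIC | iterations (u32 BE) | salt (16) | nonce (16) | ciphertext | HMAC tag (32)
MAGIC = b"SOFTTOKEN1"
DEFAULT_ITERATIONS = 200_000  # assumed work factor; the adversary pays this per guess
_HDR_LEN = len(MAGIC) + 4 + 16 + 16
_TAG_LEN = 32


def _derive_keys(passphrase: bytes, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> (encryption key, MAC key), split from one 64-byte output."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(secret: bytes, passphrase: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Protect a long-term key under a passphrase; fresh salt and nonce per file."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    header = MAGIC + struct.pack(">I", iterations) + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unwrap_key(blob: bytes, passphrase: bytes) -> Optional[bytes]:
    """Return the key, or None if the passphrase is wrong or the file was modified."""
    if len(blob) < _HDR_LEN + _TAG_LEN or not blob.startswith(MAGIC):
        return None
    iterations = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])[0]
    salt = blob[len(MAGIC) + 4:len(MAGIC) + 20]
    nonce = blob[len(MAGIC) + 20:_HDR_LEN]
    ct, tag = blob[_HDR_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt, iterations)
    expected = hmac.new(mac_key, blob[:-_TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # checked before decrypting, so no garbage key is ever returned
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def offline_guess_seconds(iterations: int, guesses: int, hashes_per_second: float) -> float:
    """Lower bound on the time an adversary holding a copy of the file needs to try
    `guesses` passphrases at `hashes_per_second` PBKDF2 iterations per second.
    Raising `iterations` scales this linearly; it is the only lever left once
    the file has been copied (the salt only stops precomputation)."""
    return iterations * guesses / hashes_per_second


if __name__ == "__main__":
    blob = wrap_key(b"\x01" * 32, b"correct horse", 20_000)
    print(unwrap_key(blob, b"correct horse"))   # the wrapped key
    print(unwrap_key(blob, b"wrong"))           # None
    # 10 million guesses against a 200k-iteration file at 1e9 PBKDF2 iterations/s
    print(offline_guess_seconds(200_000, 10_000_000, 1e9), "seconds")
```

The salt defeats precomputed tables and the iteration count sets the per-guess cost, but neither changes the nature of the risk the thread describes: with a copy of the file, time is the only thing standing between the adversary and the key, which is the same trade-off you accept with a passphrase-protected ssh private key.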
