I'm no guru in the smart card area. But if we're talking PKI here Fabio, it
is extremely important the private key is always kept in the smart card. In
some implementations, the private key is taken out of the card and stored in
the application (normally the smart card interface program) during a
session. Knowing how Windows pales against other OSes in a security sense, the
private key can be stolen from the registry/file etc. I know I have asked
some company representatives and they do not know "exactly" how the sessions
are conducted. As Bennett already mentioned, the cryptography protocol is
extremely important.

And if you think carefully about it, if the private key is needed to decrypt
a file/message, that's where the problem comes in... since all packets have
to go in the smart card. A big file or e-mail message would be a problem.
I'm no app developer.. people may argue that there might be secure ways of
getting the private key out blah, blah. But the fact is, if it is so we
might as well use floppies then <g>.

Rgrds,
Wong.


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Bennett Todd
> Sent: Thursday, September 23, 1999 10:31 PM
> To: Fabio Rocha
> Cc: [EMAIL PROTECTED]
> Subject: Re: Private Wire Gateway
>
>
> 1999-09-23-09:59:08 Fabio Rocha:
> > But I am not only looking for VPN tunneling, that I would be able to do with
> > IPSec on Cisco routers as you mentioned.
> >
> > What I really need is strong user authentication. So we thought of a product
> > based on public key cryptography... Private Wire can store the user private
> > key on a password protected smartcard, we consider that strong enough for
> > our needs. This way, an intruder would have to steal a smart card and also
> > the user password which protects the keys inside.
> >
> > We are open to select another product with the same characteristics... Do
> > you have good experiences with any?
>
> I've not looked at smartcards, don't know what's available for them. I
> personally strongly prefer hardened hosts; using an allegedly-hardened card
> when the host you plug it into cannot be presumed secure just isn't a formula
> for success.
>
> I tend to use ssh to let users tunnel in with strong auth and crypto.
>
> As ssh is open source, if there's a smart card implementation you like, I
> wouldn't think it'd be hard to graft it in to ssh. And for all I know people
> might have grafted smart cards into IPSec tunneling.
>
> -Bennett
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
