In some mail from [EMAIL PROTECTED], sie said:
>
>
> Unless I am missing something, the addition of a "hard-key" would not
> be any better than a stored password.
>
> If you authorize the machine, or a piece of hardware plugged into the
> machine does not make a difference.
>
> What keeps another process/user/root/admin from requesting the
> password/authorization from the hard-key?
> (possibly a password that has to be entered by an admin?
> and the cycle continues)
Ideally what you do is give the encrypted contents to the external device that has the secret key in its memory, protected from the computer, and get returned decrypted contents. Like, for example, the USB Rainbow iKey device I have. When used with old versions of Netscape, encrypted email etc. is all handled by the dongle, not the computer. This is generally not suitable for HTTPS, but instead you can apply network-connected web accelerators.

However, none of this has anything to do with validating the authenticity of a user. As someone mentioned, use a one-way hash function with a seed for this.

Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
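The split Darren describes (ciphertext goes to the dongle, the key never leaves it, plaintext comes back) and the "one-way hash function with a seed" for checking a user credential, as an added example that is not code from the post, the iKey product or the list. It is standard-library Python only, so a toy SHA-256 counter-mode keystream with an HMAC-SHA256 tag stands in for whatever a real dongle uses, and the PIN gate on the token is an assumption answering the quoted question about other processes asking the token to decrypt. All names (HardwareToken, Host, make_verifier, attacker_without_token) are hypothetical.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: a modest work factor so the demo runs quickly


def make_verifier(secret: str, salt: bytes = b"") -> tuple:
    """Salted one-way hash of a credential. Only (salt, digest) is stored, never the secret."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_verifier(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, recomputed = make_verifier(candidate, salt)
    return hmac.compare_digest(recomputed, digest)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy cipher: SHA-256(key || nonce || counter) blocks. Illustrative, not a real AEAD.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # wrong key or modified ciphertext
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class HardwareToken:
    """Models the dongle: the key exists only in here, callers get ciphertext-in/plaintext-out,
    and decryption is gated by a PIN (assumption: the 'password entered by an admin' from the
    quoted message). Python cannot truly hide an attribute; this models the interface only."""

    MAX_FAILURES = 3

    def __init__(self, pin: str) -> None:
        self.__key = secrets.token_bytes(32)
        self.__pin_salt, self.__pin_hash = make_verifier(pin)  # PIN kept as a salted hash too
        self.__unlocked = False
        self.__failures = 0

    def unlock(self, pin: str) -> bool:
        if self.__failures >= self.MAX_FAILURES:
            return False  # token refuses further guesses
        self.__unlocked = check_verifier(pin, self.__pin_salt, self.__pin_hash)
        self.__failures = 0 if self.__unlocked else self.__failures + 1
        return self.__unlocked

    def lock(self) -> None:
        self.__unlocked = False

    def encrypt(self, plaintext: bytes) -> bytes:
        return _encrypt(self.__key, plaintext)  # sealing needs no PIN, like a public key

    def decrypt(self, blob: bytes) -> bytes:
        if not self.__unlocked:
            raise PermissionError("token is locked")
        return _decrypt(self.__key, blob)


class Host:
    """The computer. It holds only ciphertext, so a memory dump of it yields no key."""

    def __init__(self, token: HardwareToken) -> None:
        self.token = token
        self.store = {}

    def save_mail(self, name: str, body: bytes) -> None:
        self.store[name] = self.token.encrypt(body)

    def stored_blob(self, name: str) -> bytes:
        return self.store[name]

    def read_mail(self, name: str) -> tuple:
        """Returns ('ok', plaintext), ('locked', b'') or ('corrupt', b'')."""
        try:
            return "ok", self.token.decrypt(self.store[name])
        except PermissionError:
            return "locked", b""
        except ValueError:
            return "corrupt", b""


def attacker_without_token(blob: bytes) -> bool:
    """A process holding a copy of the host's storage but no token can only guess a key;
    the tag makes every wrong guess fail, so this returns False."""
    try:
        _decrypt(secrets.token_bytes(32), blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = HardwareToken(pin="4242")
    host = Host(token)
    host.save_mail("note", b"meet at 10")
    print(host.read_mail("note"))  # ('locked', b'')
    token.unlock("4242")
    print(host.read_mail("note"))  # ('ok', b'meet at 10')
```

The point the model makes is the one the quoted question raises: the dongle stops the key from being copied off the machine, but any process that can reach the token while it is unlocked can ask it to decrypt, which is why the PIN, a failure counter and locking again after use matter, and why a salted hash is a separate mechanism for proving who the user is rather than a substitute for the key.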
