I was trying to get the authors of the note to say this, as it appears that their approach is equivalent to soft tokens but may have some advantages with regard to password policies.
Nicolas Williams wrote:
> On Wed, Jan 31, 2007 at 08:42:43AM -0600, Douglas E. Engert wrote:
>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
>>
>> What are the security implications if the identity token is
>> stolen?
>>
>> How does this compare to using cert and key on the USB
>> device with PKINIT rather than your identity token?
>>
>> How does this compare to using a smart card or USB equivalent
>> of a smartcard with PKINIT? To the user they still have to insert
>> the card or USB device, and have to enter a pin or password?
>
> You're correct -- softtokens aren't a replacement for real smartcards.
>
> That doesn't stop a softtoken from being useful though.
>
> Compare softtokens to passphrase-protected ssh private key files in
> users' home directories :)

These suffer from policy control of the passphrase used to encrypt the key. The user can change the passphrase, or remove it altogether! This is a problem for organizations that need to enforce password quality rules. It also allows for offline guessing attacks. (A smart card at least enforces some rules on the pin, and defeats the guessing attack by turning off the card after some small number of guesses.)

It sounded like the identity token approach required the use of a password as well, so it might get around some of the password policy issues, as the KDC gets to enforce the policies. I would like the authors to comment more on this.

>
> Nico

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
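The policy gap raised above (a user can strip the passphrase from a file-based key and nothing enforces it) is something an administrator can at least detect. The following audit script is an added example, not code from the thread or from any Kerberos or OpenSSH project: it reads the cipher and KDF names from the openssh-key-v1 header and the Proc-Type marker of legacy PEM keys, and reports keys stored without a passphrase. The sample key files are constructed (header fields only, no real key material) and the names are hypothetical.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data


def key_protection(key_text):
    """Report the format of a private key file and whether a passphrase was applied."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "encrypted": cipher != b"none" and kdf != b"none"}
    # Legacy PEM keys mark passphrase protection with a Proc-Type header line.
    encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    return {"format": "pem", "cipher": None, "kdf": None, "encrypted": encrypted}


def make_openssh_key(cipher, kdf):
    """Constructed sample (hypothetical): only the header fields an audit inspects."""
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"dummy-pubkey") + _ssh_string(b"dummy-priv"))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


def audit(keys):
    """Return the names of keys stored without any passphrase protection."""
    return [name for name, text in keys.items() if not key_protection(text)["encrypted"]]


SAMPLE_KEYS = {  # constructed inputs, not real keys
    "id_ed25519_ok": make_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_ed25519_bare": make_openssh_key(b"none", b"none"),
    "id_rsa_legacy_ok": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_bare": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print("keys without a passphrase:", audit(SAMPLE_KEYS))
```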
