Tracy R Reed wrote:
Dexter Filmore wrote:

A usb stick is basically just a very long password that you have to keep
written down somewhere.  Stick your USB stick into an untrusted computer,
and your key is compromised, just like a fixed password would be.

If all that can be read is my public key?


But having only your public key on your USB stick does not prove who you
are. You need your private key on there.

Neither does your private key; it only identifies itself. It's just as useful to a thief as it is to you. The only real security comes with a password which is known _only_ to its owner. PKI keys, whether public or private, only identify computers, not whoever is sitting in front of that computer, or whoever physically possesses the key.

Having a valid key expresses possession, and only implies permission. Requiring a secret passphrase for every access expresses permission (the results of torture and/or maiming expressed earlier notwithstanding).


USB sticks - widespread, can attach to almost any halfway modern computer.
Smart card reader - about as common as BeOS. I agree with your security thoughts, but what good is a key that doesn't fit any lock?


I think maybe what we need is a smart card that presents itself to the
host machine as a USB stick. It has a file that you write a challenge
into which gets processed by a cpu which has access to your private key
and a file which the host computer can then read the response out of.

Which of course has the same weaknesses as keys, as well.

--
   Best Regards,
      ~DJA.


--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
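The device sketched above (a USB mass-storage volume with a challenge file, a private key held only by the on-stick CPU, and a response file the host reads back) as a working simulation. This is an added example, not code from the thread or from any real product: the file names `challenge` and `response`, the 32-byte challenge size, and the use of Ed25519 are assumptions made for the illustration, and a temporary directory stands in for the mounted volume. It also shows what the replies point out: a live token answers any host that plugs it in, a leftover or captured response cannot be replayed against a fresh challenge, and a stick carrying a different key fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// File names on the simulated mass-storage volume and the challenge length.
// These are assumptions for the example; the thread never specifies them.
const (
	challengeFile = "challenge"
	responseFile  = "response"
	challengeSize = 32
)

// Token models the proposed device: a volume the host can read and write,
// plus a CPU that alone holds the private key. Only Service touches priv.
type Token struct {
	Mount string
	priv  ed25519.PrivateKey
}

// NewToken generates a fresh Ed25519 key pair and "mounts" the token at dir.
// The public key is what the host (or anyone) may copy; the private key
// never leaves the Token.
func NewToken(dir string) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{Mount: dir, priv: priv}, pub, nil
}

// Service is one pass of the device firmware: read the challenge the host
// wrote, sign it, publish the signature in the response file. It signs for
// whoever wrote the challenge; it never learns who is sitting at the host,
// which is exactly the "possession, not permission" point made in the thread.
func (t *Token) Service() error {
	ch, err := os.ReadFile(filepath.Join(t.Mount, challengeFile))
	if err != nil {
		return err
	}
	if len(ch) != challengeSize {
		return errors.New("token: malformed challenge")
	}
	sig := ed25519.Sign(t.priv, ch)
	return os.WriteFile(filepath.Join(t.Mount, responseFile), sig, 0o600)
}

// Replayer simulates an attacker who has no token but did capture an earlier
// response file; it just writes that old response back when "serviced".
func Replayer(mount string, oldResponse []byte) func() error {
	return func() error {
		return os.WriteFile(filepath.Join(mount, responseFile), oldResponse, 0o600)
	}
}

// Authenticate is the host side. It writes a fresh random challenge, lets the
// token service it (here a direct call; on real hardware, a poll of the
// response file), then verifies the response against the public key it
// trusts. Because the challenge is new every time, a stale or captured
// response cannot pass.
func Authenticate(mount string, trusted ed25519.PublicKey, service func() error) (bool, error) {
	ch := make([]byte, challengeSize)
	if _, err := rand.Read(ch); err != nil {
		return false, err
	}
	// Drop any old response so a leftover file is never taken for a live one.
	_ = os.Remove(filepath.Join(mount, responseFile))
	if err := os.WriteFile(filepath.Join(mount, challengeFile), ch, 0o600); err != nil {
		return false, err
	}
	if err := service(); err != nil {
		return false, err
	}
	sig, err := os.ReadFile(filepath.Join(mount, responseFile))
	if err != nil {
		return false, err
	}
	return ed25519.Verify(trusted, ch, sig), nil
}

func main() {
	dir, err := os.MkdirTemp("", "usbtoken")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	tok, pub, err := NewToken(dir)
	if err != nil {
		panic(err)
	}
	ok, err := Authenticate(dir, pub, tok.Service)
	fmt.Println("live token plugged into this host:", ok, err)

	// Capture the response just produced and try to reuse it without the token.
	old, _ := os.ReadFile(filepath.Join(dir, responseFile))
	ok, err = Authenticate(dir, pub, Replayer(dir, old))
	fmt.Println("captured response replayed, no token:", ok, err)
}
```

Note what the simulation does not do: it has no way to ask the person at the host for anything. A PIN typed into an untrusted host is seen by that host, so adding one through the same file interface does not restore the "known only to its owner" property; that is the weakness the last reply concedes still applies.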
