> Aren't USB keys using a challenge and response system where the response is
> only valid when computed with the key? As such the response is accepted only
> once and is difficult, although possible, for a man in the middle to steal and
> use before the "real" workstation does....
It depends what the device is and what the protocol is. Devices which yield only a simple token can of course be intercepted just like a typed password. A pocket crypto processor can be used for e.g. ssh or Kerberos without the user needing to enter a password and without ever leaking the key out of the back of the dongle. The protocol does a secure exchange of session keys; a man-in-the-middle can only deny service.

I looked at the Crypto iButton (which can be mounted in a keyring USB dongle) as a way of doing this. It also has the advantage of being robust and usable in door systems, but Maxim/DalSemi appear to be amazingly crap at supplying them.

Oh, and it's surprisingly easy to do a MITM attack if you are on the same LAN as either client or server, but you don't even need to steal the initial authenticator; just hijack the connection once established.

http://www.users.globalnet.co.uk/~testest/faq/howto5.html
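As an added example (not code from the original post, and not the actual protocol of the Crypto iButton, ssh or Kerberos), the following toy simulation contrasts a dongle that emits a fixed token with one that answers challenges under a key that never leaves it, and then plays out the two attack points raised above: an eavesdropper racing to submit a sniffed response before the real workstation, and someone on the LAN injecting into the connection once the login is over. The device and server classes, the HMAC-based challenge/response, the session-key derivation and the sample token value are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class StaticTokenDevice:
    """A dongle that just emits a fixed secret: no better than a typed password."""

    def __init__(self, token: bytes):
        self._token = token

    def emit(self) -> bytes:
        return self._token


class CryptoToken:
    """A dongle holding a key that never leaves it; it only answers challenges."""

    def __init__(self, key: bytes):
        self._key = key  # stays inside the device

    def respond(self, challenge: bytes) -> bytes:
        return _mac(self._key, challenge)

    def session_key(self, challenge: bytes, server_nonce: bytes) -> bytes:
        # Bound to this login's fresh values; the long-term key is never revealed.
        return _mac(self._key, b"session" + challenge + server_nonce)


class Server:
    """Verifier holding its own copy of the shared key (symmetric toy protocol)."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()  # challenges already consumed

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge in self._used:  # a second use of a challenge is a replay
            return False
        ok = hmac.compare_digest(_mac(self._key, challenge), response)
        if ok:
            self._used.add(challenge)
        return ok

    def session_key(self, challenge: bytes, server_nonce: bytes) -> bytes:
        return _mac(self._key, b"session" + challenge + server_nonce)

    @staticmethod
    def accept_command(session_key: bytes, protected: bool, msg: bytes, tag) -> bool:
        """Whether a command arriving on the established connection is trusted."""
        if not protected:
            return True  # login-only authentication: the TCP stream is trusted blindly
        return tag is not None and hmac.compare_digest(_mac(session_key, msg), tag)


def static_token_replay() -> bool:
    """Eavesdropper replays a sniffed static token; True if the server accepts it."""
    secret = b"constructed-static-token"  # constructed sample value
    sniffed = StaticTokenDevice(secret).emit()
    return hmac.compare_digest(sniffed, secret)


def challenge_response_replay() -> bool:
    """Eavesdropper replays a sniffed (challenge, response) pair; True if accepted."""
    key = os.urandom(32)
    dev, srv = CryptoToken(key), Server(key)
    ch = srv.new_challenge()
    resp = dev.respond(ch)
    assert srv.verify(ch, resp)  # the real workstation logs in first
    same = srv.verify(ch, resp)  # replay of the captured pair
    fresh = srv.verify(srv.new_challenge(), resp)  # stale answer to a new challenge
    return same or fresh


def race_then_derive() -> tuple:
    """Attacker submits the sniffed response before the real workstation does.
    Returns (attacker logged in, victim logged in, attacker derived the session key)."""
    key = os.urandom(32)
    dev, srv = CryptoToken(key), Server(key)
    ch = srv.new_challenge()
    resp = dev.respond(ch)
    attacker_in = srv.verify(ch, resp)
    victim_in = srv.verify(ch, resp)  # refused: a denial of service to the real user
    nonce = os.urandom(16)
    server_sk = srv.session_key(ch, nonce)
    # The attacker knows ch, resp and nonce but not key; its best guess uses resp as the key.
    guess = _mac(resp, b"session" + ch + nonce)
    return attacker_in, victim_in, hmac.compare_digest(guess, server_sk)


def hijack_after_login(protected: bool) -> tuple:
    """After a genuine login, someone on the LAN injects a command into the stream.
    Returns (legitimate command accepted, injected command accepted)."""
    key = os.urandom(32)
    dev, srv = CryptoToken(key), Server(key)
    ch = srv.new_challenge()
    assert srv.verify(ch, dev.respond(ch))
    nonce = os.urandom(16)
    client_sk, server_sk = dev.session_key(ch, nonce), srv.session_key(ch, nonce)
    legit = srv.accept_command(server_sk, protected, b"ls", _mac(client_sk, b"ls"))
    forged_tag = os.urandom(32)  # the hijacker has no session key, so any tag is a guess
    injected = srv.accept_command(server_sk, protected, b"rm -rf /", forged_tag)
    return legit, injected


if __name__ == "__main__":
    print("static token replay accepted:", static_token_replay())
    print("challenge/response replay accepted:", challenge_response_replay())
    print("race (attacker in, victim in, attacker has session key):", race_then_derive())
    print("hijack, login-only auth (legit, injected):", hijack_after_login(False))
    print("hijack, per-message MAC (legit, injected):", hijack_after_login(True))
```

The point of the last two functions is the one the post makes about LAN hijacking: a challenge/response login on its own only proves who was at the keyboard at connect time, and if the commands that follow are not bound to a session key derived from that login, the TCP stream can simply be taken over afterwards.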