Philippe Stellwag wrote:
> I just want to store some authentication data - a username, group and
> date - on a "token", which only offers passive storage (116 byte
> EEPROM) without any cryptographic functions, to save a secret (normally
> a private key) from outside access. So this authentication data must
> be [...]
> My questions are very simple: Is the RSA crypto-system with random
> padding (e.g. default PKCS#1 v1.5 or OAEP) "strong enough" to
> implement such a solution, or is my concept totally insecure and I
> should use e.g. an ElGamal encryption system?
Unless I've read this incorrectly, it seems this system only provides a
security level as strong as the password or pin used to unlock the data
on your token. (Which means: it'll be very weak no matter whether you apply
RSA, ElGamal, or otherwise in your chain.)
The reason for this weakness is the fact that your token is, as I
understand it, readable by more people than just the owner of that token
(of course I assume these 'others' have somehow access to the computer
currently connected to the token; think: network administrators,
installed software apps, etc.).
This means that, from the viewpoint of [crypt]analysis, everything is
accessible by an attacker, apart from your password/pin. (You must
assume the attacker has access to the software, so [s]he will be able to
unlock those secrets on your token once [s]he has your password/pin.)
That's the reason secure tokens exist: they do not in any way allow
'public' access to the secrets stored. Think of them as 'write once'
devices; they are secured by off-loading part of the crypto process to
the token itself: you will only be able to read derived data. Since you
use nonsecure token storage, the whole exercise about RSA or ElGamal
et al. becomes moot, as I assume the password/pin used will contain far
less entropy than any other part of your crypto system will be able to
transport anyway (ever met a human who can remember a 128 bit secret key
without keeping notes?).
Bottom line: take the advice from Mr. Schwartz and/or reconsider the
basic design of your complete crypto system. Currently, the design is
only providing your users with additional _perceived_ (but nonexistent)
security by having them carry a nonsecure token around.
Want a Quick Fix? Rethink the password/pin part before anything else;
think 'pass_phrase_' instead of 'pass_word_' or pin.
Use the 'token' to store a personalized IV or something else to improve
the user experience/perception, but be assured that it doesn't add to
your security quality.
Regards,
Ger
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
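The point Ger makes above in runnable form, as an added example that is not part of either mail and not Philippe's design. It assumes a concrete construction (my choice, not the original poster's): the PIN is stretched with PBKDF2-HMAC-SHA256, the record is encrypted with an HMAC-SHA256 counter keystream, and a truncated HMAC tag lets a wrong PIN be recognised. The record, the PIN and the function names (`write_token`, `read_token`, `brute_force_pin`) are constructed for the demo. Swapping in RSA-OAEP or ElGamal for the encryption step would change nothing in `brute_force_pin`: the attacker holds the token bytes and the software, so the only unknown is the PIN, and a 4-digit PIN is about 13 bits.

```python
"""
Added example (not from Philippe's or Ger's mail): a 116-byte "token" record
unlocked by a PIN, and the offline PIN search an attacker who holds the token
contents and the client software can run against it.

Assumptions (mine, not the original poster's design): key derivation with
PBKDF2-HMAC-SHA256, encryption with an HMAC-SHA256 counter keystream, and a
truncated HMAC tag so a wrong PIN is detected instead of yielding garbage.
"""
import hashlib
import hmac
import math
import os
import struct
from itertools import product

TOKEN_SIZE = 116          # passive EEPROM capacity from the question
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16
ITERATIONS = 1_000        # deliberately low so the demo finishes quickly

# Constructed sample record (username, group, date); not real data.
RECORD = b"alice|staff|2009-01-01"


def derive_key(pin, salt):
    """Stretch the PIN into a 256-bit key. Stretching slows the attacker
    by a constant factor per guess; it does not add entropy."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def write_token(pin, record, salt=None, nonce=None):
    """Bytes written to the token: salt || nonce || ciphertext || tag."""
    salt = salt or os.urandom(SALT_LEN)
    nonce = nonce or os.urandom(NONCE_LEN)
    key = derive_key(pin, salt)
    ct = _xor(record, _keystream(key, nonce, len(record)))
    tag = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    blob = salt + nonce + ct + tag
    if len(blob) > TOKEN_SIZE:
        raise ValueError("record does not fit in %d bytes" % TOKEN_SIZE)
    return blob


def read_token(pin, blob):
    """Return the record, or None if the PIN (and hence the tag) is wrong."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    key = derive_key(pin, salt)
    expected = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


def brute_force_pin(blob, digits=4):
    """What an attacker with a dumped token and a copy of the software does:
    enumerate the PIN space offline. Returns (pin, record, attempts) or None."""
    attempts = 0
    for t in product("0123456789", repeat=digits):
        attempts += 1
        pin = "".join(t)
        record = read_token(pin, blob)
        if record is not None:
            return pin, record, attempts
    return None


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly chosen string of `length` symbols, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    blob = write_token("1337", RECORD)
    print("token bytes used: %d of %d" % (len(blob), TOKEN_SIZE))
    pin, rec, attempts = brute_force_pin(blob)
    print("recovered PIN %s after %d attempts: %r" % (pin, attempts, rec))
    print("4-digit PIN:      %5.1f bits" % entropy_bits(10, 4))
    print("6 Diceware words: %5.1f bits" % entropy_bits(7776, 6))
    print("128-bit key:      %5.1f bits" % entropy_bits(2, 128))
```

Raising `ITERATIONS` to a realistic value only multiplies the attacker's cost per guess; the number of guesses stays at 10^4 for a 4-digit PIN. The `entropy_bits` comparison is what Ger's passphrase advice buys: six words from a 7776-word list are roughly 77 bits, which is something a person can remember and which no offline enumeration of the token contents will recover.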