Philippe Stellwag wrote:
I just want to store some authentication data - a username, group and date - on a "token", which only offers passive storage (116 byte EEPROM) without any cryptographic functions, to save a secret (normally a private key) from outside access. So this authentication data must be [...] My questions are very simple: Is the RSA crypto-system with random padding (e.g. default PKCS#1 v1.5 or OAEP) "strong enough" to implement such a solution or is my concept totally insecure and I should use e.g. an ElGamal encryption system?
Unless I've read this incorrectly, it seems this system only provides a security level as strong as the password or PIN used to unlock the data on your token. (Which means: it'll be very weak no matter whether you apply RSA, ElGamal, or otherwise in your chain.)

The reason for this weakness is the fact that your token is, as I understand, readable by more people than just the owner of that token (of course I assume these 'others' somehow have access to the computer currently connected to the token; think: network administrators, installed software apps, etc.).

This means that, from the viewpoint of [crypt]analysis, everything is accessible by an attacker, apart from your password/pin. (You must assume the attacker has access to the software, so [s]he will be able to unlock those secrets on your token once [s]he has your password/pin.)

That's the reason secure tokens exist: they do not in any way allow 'public' access to the secrets stored. Think of them as 'write once' devices; they are secured by off-loading part of the crypto process to the token itself: you will only be able to read derived data. Since you use a nonsecure token storage, the whole exercise about RSA or ElGamal et al. becomes moot, as I assume the password/PIN used will contain far less entropy than any other part of your crypto system will be able to transport anyway (ever met a human who can remember a 128-bit secret key without keeping notes?).

Bottom line: take the advice from Mr. Schwartz and/or reconsider the basic design of your complete crypto system. Currently, the design is only providing your users with additional _perceived_ (but nonexistent) security by having them carry a nonsecure token around.


Want a Quick Fix? Rethink the password/PIN part before anything else; think 'pass_phrase_' instead of 'pass_word_' or PIN. Use the 'token' to store a personalized IV or something else to improve the user experience/perception, but be assured that it doesn't add to your security quality.


Regards,

Ger
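
Ger's argument, that the level of the whole system is bounded by the human-remembered PIN or passphrase plus the per-guess cost of the key derivation, can be put into a small model. The following is an added illustration, not code from either poster; the guess spaces, the KDF iteration count, the attacker's evaluation rate and the salt/nonce/tag sizes in the layout check are assumptions chosen for illustration, and only the 116-byte EEPROM size comes from the original question.

```python
"""Security-level model for a secret kept on a passive, freely readable token
and unlocked with a human-remembered PIN/password/passphrase.

Added illustration for the thread above; not code from the original posts.
Threat model as stated in the reply: the attacker can dump the token's EEPROM
and has the unlocking software, so the only thing unknown is the PIN or
passphrase. Any salt, "personalised IV" or other data stored on the token is
therefore public and contributes 0 bits; the algorithm layered on top (RSA,
ElGamal, AES, ...) cannot raise the level above the guess space of the human
secret plus the per-guess work of the key-derivation function.
"""
import math

# Constructed guess spaces (illustrative assumptions, not from the thread).
GUESS_SPACES = {
    "4-digit PIN": 10 ** 4,
    "8-char lowercase password": 26 ** 8,
    "6-word Diceware passphrase": 7776 ** 6,
}

EEPROM_BYTES = 116  # the token size given in the original question


def guess_space_bits(space_size: int) -> float:
    """Entropy of the human secret, assuming every value is equally likely."""
    return math.log2(space_size)


def effective_security_bits(secret_key_bits: int, space_size: int, kdf_iterations: int) -> float:
    """Work an attacker holding the token dump must do, expressed in bits.

    log2(guess space) + log2(KDF work per guess), capped by the key size of
    the underlying cipher: a 2048-bit RSA key or 128-bit AES key wrapped by a
    4-digit PIN is no stronger than the PIN plus the KDF cost.
    """
    if space_size < 1 or kdf_iterations < 1:
        raise ValueError("guess space and KDF iterations must be >= 1")
    return min(float(secret_key_bits), math.log2(space_size) + math.log2(kdf_iterations))


def expected_offline_guess_seconds(space_size: int, kdf_iterations: int,
                                   kdf_evals_per_second: float) -> float:
    """Average time to recover the secret by offline guessing (half the space)."""
    return (space_size / 2) * kdf_iterations / kdf_evals_per_second


def token_layout_fits(payload_bytes: int, salt_bytes: int = 16,
                      nonce_bytes: int = 12, tag_bytes: int = 16) -> bool:
    """Does salt + nonce + payload + authentication tag fit in the EEPROM?

    Sizes are assumptions; with 16 + 12 + 16 bytes of overhead, 72 bytes
    remain for the username/group/date payload.
    """
    return salt_bytes + nonce_bytes + payload_bytes + tag_bytes <= EEPROM_BYTES


def security_report(secret_key_bits: int = 128, kdf_iterations: int = 100_000,
                    kdf_evals_per_second: float = 1e6) -> dict:
    """Effective level (bits) and average offline-guess time for each guess space."""
    return {
        name: (
            round(effective_security_bits(secret_key_bits, size, kdf_iterations), 1),
            expected_offline_guess_seconds(size, kdf_iterations, kdf_evals_per_second),
        )
        for name, size in GUESS_SPACES.items()
    }


if __name__ == "__main__":
    for name, (bits, seconds) in security_report().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{seconds / 86400:.3g} days to guess offline")
    print("72-byte payload fits:", token_layout_fits(72), " 73-byte:", token_layout_fits(73))
```

Running the report with the default assumptions shows the gap Ger describes: the 4-digit PIN sits near 30 bits even with 100,000 KDF iterations behind it, while the six-word passphrase sits above 90 bits, and neither the 128-bit cipher key nor anything stored on the readable token changes that ordering.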


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]