Date: Tue, 13 Mar 2001 16:18:52 +0100
From: Terje Elde <terje@thinksec.no>
To: Borja Marcos <borjamar@sarenet.es>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
Message-ID: <20010313161852.G9762@thinksec.com>
In-Reply-To: <3AAE3809.F795A6A5@sarenet.es>; from borjamar@sarenet.es on Tue, Mar 13, 2001 at 04:08:57PM +0100
References: <3AADB1D3.C70E00C@colltech.com> <20010313155046.E9762@thinksec.com> <3AAE3809.F795A6A5@sarenet.es>
On Tue, Mar 13, 2001 at 04:08:57PM +0100, Borja Marcos wrote:
> > Also an obvious extension. One idea we've been playing with is to not only
> > keep the keys on the button, but never to let them be anywhere else. The java
> > iButton for example, could handle the cryptographic functions for you. It
> > features cool things like rapid destroying of the content should you try to
> > tamper with it.
>
> This would be the ideal system; when used for ssh, for example,
> the button stores the private part of the RSA key, and the challenge is
> sent by the ssh-agent to the button. It encrypts the challenge and
> returns the answer.
>
> If the key is kept inside the button, it can be useful even
> in hostile environments. I understand that now there are buttons
> capable of running small programs.

As Poul-Henning points out, doing this isn't for everyone. It pretty much
boils down to what you trust the most. The security of your hardware/software
and your ability to set it up, or the iButtons.

In the case of my private workstation, I'd normally prefer running the crypto
on the workstation itself, not allowing the iButtons to be as much of a weak
link. Should I ever have the need for ssh'ing from public company terminals
to not quite secure systems on the other hand, this would be a good idea.

A toolkit to pick what one likes from, not enforcing the way I want it on
everyone else.
Terje
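The challenge-response flow Borja describes above, as an added simulation that is not part of the original thread or of any iButton software: a token object holds the private exponent and only ever answers challenges, while the host side holds just the registered public key and verifies the answer. The key parameters are constructed textbook-RSA values (tiny primes, no padding) chosen only to keep the arithmetic legible, and `TokenSim`, `verify_response` and `authenticate` are assumed names, not an API from the thread. The transcript argument records everything the host ever sees, which is the point of the design: a compromised host learns challenge/response pairs, never the private key, although it can still ask the token to answer challenges for as long as the token is attached, which is the "weak link" trade-off Terje weighs.

```python
import secrets

# Constructed toy parameters (textbook RSA, NOT secure): the classic tiny
# example primes so every value can be checked by hand. Real tokens use
# 1024+ bit keys and a padding scheme; this only illustrates the data flow.
TOY_P, TOY_Q, TOY_E = 61, 53, 17


class TokenSim:
    """Simulated iButton side of the exchange (assumed name).

    The private exponent is computed inside the constructor and kept in a
    private attribute; the only operation offered to the host is respond(),
    so there is deliberately no way to ask the token for the key itself.
    """

    def __init__(self, p, q, e):
        self._n = p * q
        phi = (p - 1) * (q - 1)
        self._d = pow(e, -1, phi)  # private exponent never leaves the object
        self.public_key = (self._n, e)  # the only thing the host is given

    def respond(self, challenge):
        """Answer a challenge with the private key; reject out-of-range input."""
        if not 0 <= challenge < self._n:
            raise ValueError("challenge out of range for this key")
        return pow(challenge, self._d, self._n)


def make_challenge(public_key):
    """Host side: fresh random challenge in the key's value range."""
    n, _ = public_key
    return secrets.randbelow(n)


def verify_response(public_key, challenge, response):
    """Host side: undo the private-key operation with the public key."""
    n, e = public_key
    return pow(response, e, n) == challenge


def authenticate(token, registered_key, transcript=None):
    """Run one round. The host touches only the public key and the two
    messages; everything it observes is appended to `transcript`."""
    challenge = make_challenge(registered_key)
    response = token.respond(challenge)
    if transcript is not None:
        transcript.append({"challenge": challenge, "response": response})
    return verify_response(registered_key, challenge, response)


if __name__ == "__main__":
    token = TokenSim(TOY_P, TOY_Q, TOY_E)
    seen_by_host = []
    ok = authenticate(token, token.public_key, seen_by_host)
    print("authenticated:", ok)
    print("host observed:", seen_by_host)
    # A tampered response fails: the public-key check is a permutation of
    # the value range, so exactly one response matches each challenge.
    print("tampered accepted:", verify_response(token.public_key, 2790, 66))
```

With these constructed parameters the public key is (3233, 17); the token answers challenge 2790 with 65, and 65 is the only response the host will accept for that challenge. A more faithful simulation would rate-limit or require a button press on `respond()`, since that call, not key extraction, is what an attacker on a hostile host is left with.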