Date: Mon, 5 Oct 1998 15:52:50 -0400 (EDT) From: Chuck Robey <chuckr@mat.net> To: FreeBSD-security@FreeBSD.ORG Subject: Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification (fwd) Message-ID: <Pine.BSF.4.05.9810051545070.15656-100000@picnic.mat.net>
next in thread | raw e-mail | index | archive | help
Read the forwarded message at the bottom, then come back here and talk with me some .... Got this from the cryptography list at c2.net (great, lo noise list), and it's talking about something I've wanted for a long time. I want to know if it's feasible to be able to use something like this data ring to be able to do FreeBSD logins? I'm not asking if the software exists ... if it doesn't (and I know it doesn't yet) I can do that part, I'm interested if this really represents a secure method for me to be able to do something like carry around my whole 1024 bit private key with me, and use the $15 (yes, it's only $15!) ISA card to interface to the ring, and tell the system securely who I am. I want to know if there are any hidden traps to doing logins that way. This would (I hope) mean a permanent end to me forgetting passwords, since I've never lost a key in my life, but I don't know enough about security to tell if the whole idea has some hidden gotcha in it. ----------------------------+----------------------------------------------- Chuck Robey | Interests include any kind of voice or data chuckr@glue.umd.edu | communications topic, C programming, and Unix. 213 Lakeside Drive Apt T-1 | Greenbelt, MD 20770 | I run Journey2 and picnic (FreeBSD-current) (301) 220-2114 | and jaunt (NetBSD). ----------------------------+----------------------------------------------- ---------- Forwarded message ---------- Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification INSTEAD OF STORING YOUR PRIVATE KEY IN SOFTWARE ON YOUR PC, KEEP IT IN HARDWARE, ON YOUR CLASS RING, KEY FOB, MONEY CLIP, WATCH OR ANYTHING ELSE THAT CAN STORE A 16mm, stainless steel case. According to its Web site (www.ibutton.com), "the iButtion provides for secure end-to-end Internet transactions-including granting conditional access to Web pages, signing documents, encrypting sensitive files, securing email and conducting financial transactions safely - even if the client computer, software and communication links are not trustworthy. When PC software and hardware are hacked, information remains safe in the physically secure iButton chip." Unlike storing your private key in software on your PC where it can remain in cache after use, and be retrieved by a hacker, the crypto iButton private key never enters your PC, so it cannot be intercepted. In July, the Crypto iButton from Dallas Semiconductor received the NIST FIPS 140-1 "Security Requirements For Cryptographic Modules" certification. The Crypto iButton provides hardware cryptographic services such as long-term safe storage of private keys, a high-speed math accelerator for 1024-bit public key cryptography, and secure message digest (hashing). To date, only 15 hardware products have been validated by the U.S. and Canadian governments. According to their press release at: http://www.dalsemi.com/News_Center/Press_Releases/1998/pr_fips.html, the Crypto iButton ensures both parties involved in a secure information exchange are truly authorized to communicate by rendering messages into unbreakable digital codes using its high-speed math accelerator. The Crypto iButton addresses both components of secure communication, authentication and safe transmission, making it ideal for Internet commerce and/or banking transactions. The Crypto iButton consists of a physically secure, million-transistor microchip packaged in a 16mm stainless steel can. Not only does the steel protect the silicon chip inside from the hard knocks of everyday use; it also shows clear evidence of tampering by leaving scratch and dent marks of the intruder. This steel case satisfies FIPS 140-1 Level 2 Tamper Evidence requirements for physical security. Note: Within the overall 140-1 certification are various sub-levels that identify how well the product rates in different categories such as Physical Security, Environmental Failure Protection, and Tamper Resistance. The sum of the ratings in the individual categories determines whether it merits certification. The iButtion also allows the owner to set an automatic expiration date, to limit the potential for unauthorized use. Once the built-in clock reaches a pre-set time, the chip self-expires and requires re-activation by the service provider before service can be renewed. The service provider can verify that an individual has possession prior to initial activation or renewal (re-activation). In this way, a lost or stolen iButton unconditionally limits the potential for unauthorized use to the remaining activation time, which can be made arbitrarily short by the iButton holder or service provider. According to its Web site, Blue Dot receptors using either the Java operating system (OS), or a proprietary OS, can be purchased online for $15 each. The receptor plugs directly into the parallel port on a PC, and includes software for configuring its features. The software also programs the decoder ring with the private key the first time, and performs any other administrative functions. Just press the Blue Dot with the iButton (ring, fob, key ring, etc.) to establish the connection path. If you know your ring size, you can order Josten's 'Java-powered ring,' or the 'Digital Decoder Ring,' online. Also available are the 'Fossil Watch, key ring, or money clip. http://www.iButton.com/DigStore/access.html#jring. Costs for a single unit range from $45 to $89. "Unlike a loose plastic card, the iButton stays attached to a carefully guarded accessory, such as a badge, ring, key fob, watch band, or wallet, making misplacement less likely. The steel button is rugged enough to withstand harsh outdoor environments and durable enough for a person to wear every day. An individual maintains control over their Crypto iButton in yet another way-a secret Personal Identification Number. If so programmed, the iButton will not perform computations until its PIN is entered, like a bank ATM. " A list of developers and their off-the-shelf applications is at: http://www.iButton.com/Connections/Catalogs/index.html. Custom, networked, server-based applications are available, in addition to individual, standalone PC products. The crypto iButtion is currently being tested by the USPS for electronic distribution of postage stamps. The company marketed its iButton products for other non-crypto uses starting in 1991. A list of current implemented and pilot projects using the product to simply store and process data around the world is at: http://www.iButton.com/showcase.html. This includes the mass-transit system in Turkey, bus passes in China, vending machines in Canada, parking meters in Brazil and Argentina, and buying gas in Mexico and Moscow. Richard Hornbeck www.primenet.com/~hornbeck --- end forwarded text To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9810051545070.15656-100000>