[lug] OTP

Bear Giles bgiles at coyotesong.com
Wed Jun 12 12:15:20 MDT 2013


I don't know if cheap laptops have them but my work laptop definitely has a
smart card reader. I don't know if it's standard on "business" systems. I think
I've also seen desktop keyboards with smart card readers.


(Remember when the cheap PCs always came with modems instead of network
cards and the droids in the store didn't understand why any home user would
want the latter?)


The thing about smart cards is that they're flexible - my ID badge is a
smart card that lets me onto the VPN, that allows me to read encrypted mail
containing sensitive things like email, and even lets me in and out of the
office. (You have to badge out.) You can't do that with a USB dongle - it's
too small.

Bear


On Wed, Jun 12, 2013 at 11:00 AM, Davide Del Vento <
davide.del.vento at gmail.com> wrote:

> > So smart cards do public keys.  You only need one pair and the public one
> > can be shared with all your providers (so one card, one PIN only).  The
> > private key doesn't leave the card so the only thing compromised hardware
> > gets is your PIN.
> >
> > You do need more infrastructure to support smart cards but as a user I'd
> > much rather have one ID that gets me in everywhere rather than need a
> > separate one each place I go.
>
> Now that you mention it, I remember these talks from a long time ago.
> Maybe 10-15 years... Do I remember right?
>
> The problem of the dedicated sw and hw is a big one, and if hw
> manufacturers have not jumped on board to have any single laptop with
> the reader in it, it's not a useful approach for me (and for many, I
> guess).
>
> Would it be possible to implement such a thing as a thumb drive and
> have it work without special software or hardware (other than the USB
> port and the filesystem driver, which are pretty much ubiquitous)? For
> example you could drop a file from the browser into the "smart card"
> as in a USB thumb drive filesystem and the hw will do its private-key
> crypto on it, and "magically" let another file appear in the
> filesystem for you to pick and drop in the browser? A micro keyboard
> could be used for the PIN, or the PIN could be forgotten completely
> and the lost-or-stolen problem could be solved in other ways (e.g. by
> revoking the public key).
>
> Cheers,
> Davide