RE: USB Tokens
Mar 27 2003 01:21AM
Robert Tillman (Robert Tillman veritas com)
Hey Justin,
I hate to disappoint you, but if someone is able to grab your laptop the USB
token device/smart card will not save you. Sure you can use a smart token
to authenticate but unless you encrypt your data as well you're done mate.
If all you're interested in is forcing smart card authentication, make sure you
get a device that meets at the minimum FIPS 140-2 compliancy and has the
crypto components on board. For a solution like Aladdin eToken pros you can
set up a pseudo PKI with MS Cert server. Bear in mind this solution is fun
for small offices but doesn't scale well in any stretch of the imagination.
Not to mention the security aspect of MS Cert server, or lack thereof.
If you're looking for a good Windows disk encryption solution that works well
with smart token check out http://www.pointsec.com
-----Original Message-----
From: Justin Derry [mailto:jderry (at) bordertechnologies (dot) com [email concealed]]
Sent: Tuesday, March 25, 2003 7:14 PM
To: Remo Inverardi
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: USB Tokens
Remo,
Thanks for the reply. That's exactly what I am attempting to achieve.
However if you consider that then to access the laptop they will need the
laptop and the token to use it.
Overall I know this doesn't offer huge security but would mean you need
the token to use the laptop.
I would be using a standard USB disk/memory key. Not cryptographic such as
the rainbow/ikeys.
Any ideas?
Justin
----- Original Message -----
From: "Remo Inverardi" <invi (at) your.toilet (dot) ch [email concealed]>
To: "Justin Derry" <jderry (at) bordertechnologies (dot) com [email concealed]>
Cc: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Wednesday, March 26, 2003 4:46 AM
Subject: Re: USB Tokens
> Justin,
>
> > Thoughts?
>
> It's not the certificate that gives you security. It's the private key,
> which has to be kept secret somewhere.
>
> Smartcards (like the Aladdin eToken you mentioned), store the private
> key in a safe place, which is not readable from the outside. Once you
> authenticated yourself with the smartcard, which is normally done by
> sending it your PIN, the smartcard can perform private key operations
> for you (which is why it's called "smart"-card).
>
> If you think about it, your approach does not give you more security
> than simply storing your NT domain password on your USB token.
>
> Regards, Remo
>
>
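The distinction Remo draws above, modelled as an added example (not part of the original thread): a storage-only USB key hands out the private key as a readable file, while a smartcard-style token keeps the key inside and only signs after a PIN check with a retry limit. The names `StorageKey` and `SmartToken`, the PIN and the challenge are hypothetical, and the signature is toy textbook RSA over two fixed primes, constructed for the demonstration and not secure.

```python
import hashlib
import hmac

# Toy textbook RSA from two fixed Mersenne primes: constructed for this demo, not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

def verify(challenge: bytes, signature: int) -> bool:
    """Host side of the logon: needs only the public values (N, E)."""
    return pow(signature, E, N) == digest(challenge)

class StorageKey:
    """Plain USB memory key: the private key is just a file that can be read."""
    def read_file(self) -> int:
        return D

def sign_with_key_file(key_file: int, challenge: bytes) -> int:
    """Anyone holding a copy of the file can sign; the USB key itself is not needed."""
    return pow(digest(challenge), key_file, N)

class SmartToken:
    """Smartcard model: no read-out method, signing is gated by a PIN with a retry limit."""
    MAX_TRIES = 3

    def __init__(self, pin: str):
        self._pin, self._d, self._tries = pin, D, self.MAX_TRIES  # "_" stands for the chip boundary

    def sign(self, pin: str, challenge: bytes) -> int:
        if self._tries == 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1
            raise PermissionError("wrong PIN")
        self._tries = self.MAX_TRIES
        return pow(digest(challenge), self._d, N)

def pin_failures(token: SmartToken, guesses, challenge: bytes) -> int:
    """Count rejected signing attempts for a sequence of PIN guesses."""
    failures = 0
    for guess in guesses:
        try:
            token.sign(guess, challenge)
        except PermissionError:
            failures += 1
    return failures
```

With the storage key, possession of a copy is enough to pass `verify`; with the token, the holder also needs the PIN, and three wrong guesses lock it even against the correct one.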