Personal computers have flourished because they are versatile and easy to program. Good for games, bad for security. The same facility that makes it easy to hack into the keyboard device drivers makes it easy to grab a password's keystrokes.
Hardware tokens (also known as smartcards or dongles) are one solution. These devices are built around a chip dedicated to creating digital signatures. A smartcard log-in session begins with the host sending a challenge string. The smartcard signs the challenge and returns it. The challenge string (and therefore the response) changes each time to prevent replay attacks.
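The challenge-response login described above, as an added sketch that is not from the original article. HMAC-SHA256 with a shared key stands in for the card's digital signature (an assumption, made so the code runs on the Python standard library alone), and the names `Token`, `Host` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets


class Token:
    """Stand-in for the smartcard: the key never leaves this object."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, challenge: bytes) -> bytes:
        # Assumption: HMAC replaces the card's real signature algorithm.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Host:
    """Issues a fresh random challenge per login and accepts each one once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge: replay
        self._pending.discard(challenge)  # single use, pass or fail
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    token, host = Token(key), Host(key)

    c1 = host.new_challenge()
    r1 = token.sign(c1)
    genuine = host.verify(c1, r1)        # real login
    replay_pair = host.verify(c1, r1)    # sniffer resends the recorded pair
    c2 = host.new_challenge()
    replay_stale = host.verify(c2, r1)   # old response to a new challenge
    return genuine, replay_pair, replay_stale


if __name__ == "__main__":
    print(demo())
```

A sniffer that records `c1` and `r1` gains nothing: the host never reissues `c1`, and `r1` does not match any later challenge.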
Dallas Semiconductor recently released the iButton, a round metal tag with a diameter of about 16 mm. The company also manufactures a small interface that plugs into the parallel port of a computer and can be added for less than $20. A user can touch the button to this interface and the computer can pass messages back and forth to the button, which creates digital signatures on the fly. The buttons are quite useful for people who must log in to a central computer remotely because they remove the threat that a password sniffer will record the password.
Many smartcard manufacturers, like Dallas Semiconductor and Security Dynamics, are attempting to make a tamper-resistant package to protect the certificate. While the degree of necessary tamper-resistance is debated, developers and hackers play cat and mouse.
It may not be long before PCs standardize upon a smartcard interface. Oracle is already strongly recommending that a smartcard interface be available on any network computer (NC). Smartcards are an important part of letting people carry their information and identities with them if they switch between NCs. WebTV has the electronics built into its design.
