On Wed, Dec 10, 2003 at 11:35:12AM -0500, Mike Mueller wrote:
> On Monday 08 December 2003 18:20, Colin Watson wrote:
> > You can go further by requiring physical presentation
> > of smartcards or similar in order to use the key, which is less
> > convenient but makes a passphrase more or less useless on its own.
>
> Aren't smartcards similar to dongles in some respects? They both have
> a guard point in the software that identifies good guys and bad guys.
> If so, then given that dongles are reverser bait, won't smartcards
> meet the same fate as dongles? They'll become a wall trophy over the
> mantle of a reverser. It seems that anyone capable of a stack overflow
> exploit is also capable of reversing out a smartcard checkpoint.
> Please tell me I'm being too negative.

If you're doing this halfway properly, you don't do the communication
with the smartcard in host-side software; you do it in firmware running
on separate and physically protected hardware. Since that hardware is
the same hardware that stores the key and allows/denies access to it,
altering things on the host isn't going to help you get at the key.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
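
Added example, not part of the original message: a toy Python model of the distinction drawn in the reply above, contrasting a host-side guard point with a key that is only usable through the card. `SimulatedCard`, `Verifier`, the retry limit and the HMAC challenge-response are assumptions chosen for illustration; a real card enforces the key boundary in hardware, which Python cannot.

```python
import hashlib
import hmac
import secrets


class SimulatedCard:
    """Models card firmware; on real hardware the host cannot read _key."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._tries_left = max_tries          # assumed retry limit
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False                      # blocked: even the right PIN fails
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        if not self._unlocked:
            self._tries_left -= 1             # the counter is kept on the card
        return self._unlocked

    def respond(self, challenge: bytes) -> bytes:
        # The key is used here, inside the card; only the result leaves.
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """The party relying on the key, provisioned with it out of band."""

    def __init__(self, key: bytes):
        self._key = key

    def accepts(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def dongle_style_unlock(card_check_passed: bool) -> bool:
    # Host-side guard point: access depends on a value the host controls,
    # so altering the host is enough to get past it.
    return card_check_passed


def tampered_host_attempt(verifier: Verifier, challenge: bytes) -> bool:
    # A host with its own checks removed and no card still has to supply
    # a response; without the key it can only guess.
    return verifier.accepts(challenge, secrets.token_bytes(32))
```

The PIN on its own gives nothing either: `respond` needs the card, and the card stops accepting PIN attempts once its counter reaches zero.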