Jay Potter wrote:
> Nelson,
> 
> We are planning on using a USB device that has keys for various vendors
> in a "private" area.  The USB device can generate a session key based
> upon that secret vendor key.  The Server can autogenerate that same
> session key.  The session key does not have to be passed.
> 
> The external module communicates with the USB device.  If the device is
> removed, communication cannot take place.  When the module communicates
> with the USB device, it authenticates that the device belongs to the
> client, and then and only then will generate the session key for the
> vendor.
> 
> There is no authentication required across the network, only to the local
> USB device, something the client can take with him from machine to machine.
> 
> Currently I'm thinking of an extension to firefox that would be called
> by the browser when the session key is needed.  That extension would
> provide the interface to the USB device.

Jay, you don't need a browser extension.  You need a PKCS#11 module.

> Nothing would be transmitted across the network that can be used to
> generate the session key.  The session key changes without human
> intervention.  The user only authenticates to the device that he carries
> with him.  He doesn't leave any certificates behind that can be used by
> anyone else.  This seems to be a very secure system that would be very
> hard to compromise, as the keys are never on a client machine to
> intercept, and nothing can be intercepted that can be used to generate
> or guess at the key.
> 
> The USB token is already developed.  It holds hundreds of unique vendor
> keys, handles AES-256, generates true random numbers and handles the
> secure communication required.  We are working on the external module,
> now what we need is the PSK-TLS-AES Cipher.

Perfect match for a PKCS#11 module.

Plus, given that PKCS#11 is a truly standard API, not specific to any
one application (such as a mozilla browser), it will (potentially) work
with LOTS of applications.

Go check out PKCS#11 (and other PKCS standards) at
http://rsasecurity.com/rsalabs/node.asp?id=2124

> We are thinking that this shouldn't be too hard to implement, as the RFC
> 4279 ClientHello and ServerHello are pretty much the same as standard
> TLS.  After that it just passes an "identity" string back and forth.
> Then the module would provide the PSK to set up the communication and
> then it should be on autopilot.
> 
> Jay



-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
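The scheme Jay sketches (token and server each deriving the same session PSK from a long-term vendor key, with only an identity string crossing the wire) maps onto the RFC 4279 key exchange as follows. This is an added illustration, not code from the thread or from Jay's token; the vendor names, the HMAC-SHA256 derivation and the `vendor:nonce` identity layout are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample of the "vendor keys" the token keeps in its private area.
# A real token never exposes these to the host; they are in memory only for the demo.
VENDOR_KEYS = {
    "acme": bytes.fromhex("00" * 31 + "01"),   # constructed 256-bit key
    "globex": bytes.fromhex("ff" * 32),        # constructed 256-bit key
}

def derive_session_psk(vendor_key: bytes, identity: str) -> bytes:
    """Both ends derive the session PSK from the vendor key and the per-session
    identity; the PSK itself is never transmitted (assumed KDF: HMAC-SHA256)."""
    return hmac.new(vendor_key, identity.encode("utf-8"), hashlib.sha256).digest()

def token_make_identity(vendor: str) -> str:
    """Token side: bind a fresh nonce (the token has a TRNG) to the vendor name.
    This string is the only secret-related value sent, as RFC 4279's psk_identity."""
    return f"{vendor}:{os.urandom(16).hex()}"

def rfc4279_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 section 2, plain PSK: other_secret is N zero octets, N = len(psk).
    Layout: uint16 other_secret_len || other_secret || uint16 psk_len || psk."""
    if not 0 < len(psk) <= 0xFFFF:
        raise ValueError("PSK must be 1..2^16-1 octets")
    n = len(psk)
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk

def server_premaster_from_identity(identity: str) -> bytes:
    """Server side: re-derive the PSK from the identity alone, then build the
    premaster secret. Unknown identities map to the unknown_psk_identity alert."""
    if len(identity.encode("utf-8")) > 0xFFFF:
        raise ValueError("identity exceeds the RFC 4279 length limit")
    vendor, _, nonce_hex = identity.partition(":")
    if vendor not in VENDOR_KEYS or len(nonce_hex) != 32:
        raise ValueError("unknown_psk_identity")
    return rfc4279_premaster_secret(derive_session_psk(VENDOR_KEYS[vendor], identity))

def server_accepts(identity: str) -> bool:
    """Convenience check used to show that a bogus identity is rejected."""
    try:
        server_premaster_from_identity(identity)
        return True
    except ValueError:
        return False

def run_handshake(vendor: str) -> tuple:
    """Simulated exchange: token derives its premaster secret from the vendor key;
    the server reproduces it from the transmitted identity. Returns (identity, client, server)."""
    identity = token_make_identity(vendor)
    client_pms = rfc4279_premaster_secret(derive_session_psk(VENDOR_KEYS[vendor], identity))
    return identity, client_pms, server_premaster_from_identity(identity)
```

Note that an observer of the wire sees only the identity; recovering the PSK from it requires the vendor key, which is why the session key changes each time without anything reusable being left on the client machine.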
