begin quoting Andrew Lentvorski as of Fri, Aug 29, 2008 at 03:56:26PM -0700: > SJS wrote: > > >I really do think the 1 fob + N untrusted servers + no input set of > >constraints can stand.
Editing error... s/do/don't/ *sigh* Sorry about that. > Well, I'm not real convinced about keyfobs as I tend to prefer public > keys. However, they are useful when you want to allow a *password* login. Yup. > For example, Da Gummint can surreptitiously install stuff on your > computer. I would prefer that keylogging not allow instant access to > every single server that allows login via my public key. I would also > prefer that any key they suck up be useless to them if they don't use it > *RIGHT NOW*. Making your attacker go through a lot of (expensive) effort is a good thing, especially if the expense is more than the value of what is obtained or access. > The question is whether the threat model warrants the solution. Yup. > I am asking the question because these 8051's are particularly cheap. I think the practical (cheap) solutions are (in order): 1. fob + shared secret (with all that hashing fun) 2. fob with selector button + N shared secrets 3. usb fob and copy-contents-of-the-file #2 with a little pushbutton or a scrollwheel and a two-line LCD display (machine name on one, hash subset on the other) seems to be the best balance of the given constraints. Make it a usb dongle so you can easily add additional machines (or remove old ones). You can use AES for hashing, and so take advantage of of the build-in AES engine on the chip, so you just need to add reasonable clock circuit, a little flash RAM, a little ROM, and a display. -- Not a hardware geek by any means, but I know a couple. Stewart Stremler -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
