From: "Philippe C. Martin" <[EMAIL PROTECTED]>
Reply-To: MUSCLE <muscle@lists.musclecard.com>
To: MUSCLE <muscle@lists.musclecard.com>
Subject: Re: [Muscle] SCU3 released
Date: Mon, 28 Nov 2005 12:41:38 -0600
Peter Williams wrote:
I dont get it. Its a classical (removable) hard drive device. Little has
changed here since ATA cards, and 16 bit plug and play!!
The main difference here is that one installs the application on the flash
drive, not the PC. The application/application data is available on the PC
_when_ the drive is plugged and gone when it is unplugged: nothing get
installed on the PC.
==> any vanilla XP PC out of the box will run your application
I have regular flash drives but cannot do that with them ... am I missing
something ?
While memory sticks, CF cards, ATA cards (me old!), smartmedia devices are
just flash, with a FAT support licensed from Microsoft, the USB frm factor
of the same flash devices in the US shops tend to come with applications.
All the finger-print enable USB flash drives have come with form-filling
password managers for years. Whats interesting recently, is that through
USB-interfaced file-based mailboxes, the Pentium application (such as
Sandisk's GINA plugin) can interact with the matching algorithms on the CPU
of the bio-capable flash drive, as a USB peer (versus a dumb flash data
store).
So, in the U3 case, which CPU executes the application?
If its the Pentium CPU, then one presumes the application is a Win32
application, loads into virtual memory, may or may not write to other data
stores, is subject to the windows execution model, and the Intel
instruction-level security model, and may or may not require Windows/.NET
security privileges to get its application work done. Presumably, one needs
to sign the media files, so that upon loading windows trusts the publisher
using Windows/W3c/java code signing mechanisms, assigns privileges
authomatically, runs the PE image -once loaded - through the virus checker,
etc. such that the user see none of the behind the scenes activty ensuring
integrity.
Are we talking about a USB flash drive in which there are autorun files
created for the .exe files stored on the media, just like on a CD R-W?
If the application is running on the CPU of the flash controller yet images
on a remote desktop over (wireless) USB channel, thats more interesting. We
met an entrepreneur earlier in the year who wanted to do this.
Regards,
Philippe
For a short time, I worked on a recent project in which a combination ST22
secure core and an IDE bridge controller were SOC'ed together to make a
smartcard-enabled hard drive. The smartcard had greater function that
merely arming the bridge chip, like some of the finger sensor-enabled hard
drives you see in the (mobile) military applications - and like the
finger-enabled flash readers (and USB boot drives) you buy now for 79$ in
US shops (from sandisk, lexar, etc).
From: "Philippe C. Martin" <[EMAIL PROTECTED]>
Reply-To: MUSCLE <muscle@lists.musclecard.com>
To: MUSCLE <muscle@lists.musclecard.com>
Subject: Re: [Muscle] SCU3 released
Date: Mon, 28 Nov 2005 09:52:21 -0600
Typos, sorry :
...I need to protect data that in on the drive .... >> ... I need to
protect data that is on the drive ....
...but that I can help "promote" the smart card concept ... >> ... but
that it can help "promote" the smart card concept ...
Philippe C. Martin wrote:
Hi,
I do not know what is behind the scene and how quickly it can be cracked
but:
1) you can tell U3 to use a password for access (I have not tried yet
but I read somewhere that a non-compliant U3 OS (ex: Linux today) would
not be able to see the drive content if the password were on ... without
that password, Linux sees it as another flash drive.
2) the U3 APIs allow the application to put password protects on certain
private data areas
I do not know if there is crypto built-in ... for instance what does the
drive really do when a data section has a password ? => I intend to use
my own crypto if I need to protect data that in on the drive.
I do not think U3 is a replacement for smart cards at all, but that I
can help "promote" the smart card concept by adding mobility to its
solutions ... I could _really_ see a U3 drive and a chip in the same
package a few years from now.
Regards,
Philippe
Peter Tomlinson wrote:
So the U3 drive is not a secure device in its own right? (i.e. it seems
to me that it does not incorporate a crypto chip such as is used in a
strong security smart card, and nor does its flash memory have the kind
of security protection against penetration that smart card flash has)
(I looked on the u3.com web site but found very little specific about
the device spec.)
Peter
Philippe C. Martin wrote:
A U3 device (www.u3.com) is a flash drive which allows for
applications installation: you plug the U3 device in the USB port and
your application is available. If the application does its job
correctly, application data is stored on the U3 device, not on the
PC.
Some of the issues I have been facing in the smart card business are:
1) some application data cannot be written in the card because of
space (and some of the data does not need high security) 2) potential
customers are often worried about software deployment - that is
especially true for my applications as Python and wxWidget are not
part of regular OS distributions (yes, Python is for Linux) 3)
because of 1) the smart card application (card + software) is less
mobile as the less vital data is stored on the PC (maybe encrypted
with the card, but still stuck on the PC) 4) setting up smart card
demos at a client site/business branches can be very painfull, and
salespeople are somewhat reluctant to hack PCs (another painfull
lesson)
I just feel that there are applications where a combinaison of a
smart card and a U3 device (they call them smart drives) would
greatly improve deployment/mobility issues.
Putting my solutions aside, I feel a MUSCLE application on a U3
device can make a lot of sense.
U3 drives can be found already in large stores in the US (and I live
in OK! - I do not know about other countries but I was told about U3
by a smart card professional based in France).
I hope that is clearer - I often get excited about technology and
sometimes think I have found a great solution were people see no
business value whatsoever :-)
Regards,
Philippe
Ludovic Rousseau wrote:
On 28/11/05, Philippe C. Martin <[EMAIL PROTECTED]> wrote:
Hi,
Hello,
I am very happy to announce the release of SCU3 V 0.1 and
SCU3Python.u3p V. 0.1.
SCU3 is a python wrapper for U3 compliant devices
What is a "U3 compliant devices"? Is it the devices described at
[1]? What are the links with smart cards, PC/SC, etc.?
Bye,
[1] http://www.u3.com/
-- Dr. Ludovic Rousseau For private mail use
[EMAIL PROTECTED] and not "big brother" Google
_______________________________________________ Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
------------------------------------------------------------------------
_______________________________________________ Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle