Reading that sort of information is really easy to do using something like USB Snoopy.

http://www.wingmanteam.com/usbsnoopy/

I haven't looked at it in depth, but I believe it uses a man-in-the-middle style attack to read the data as it is transferred over the USB bus. If so, this is a real world example of creating a "software" USB device. If all it does is sniff the packets, then you still have a pathway to reverse engineer the device and perhaps replicate the "key." By using the PC in device mode, you can see the challenge issued by the lock. Then you can write code on the PC to do the same thing. Sniff/wash/repeat.

Using the ID alone will not suffice, PKI is the only way to go... the trick is where you must put the keys. You certainly can't do all your validation with the dongle, since that could easily be defeated. If you were foolish enough to put your private key on the dongle, so that it could be validated, you're giving away the farm.
If I were designing this, I would have some sort of keypad authentication as well. You can use the password challenge in conjunction with a revocation list to make things relatively secure. Once a month, or by whatever is determined to be the reset period, the USB device is updated with a new public key by some centralized server. The user is asked to pick a password/PIN. The password/PIN and expiration date are hashed by the public key and stored on the dongle. For that one reset period, it might be possible to use a rainbow attack to gain access, but the violation is limited if there is an enforcement on reauthenticating the key. If the key has been found to be compromised, you can use the revocation list to disable it early at the lock.

This would be a heck of a lot more secure than door badges.

On Fri, Oct 24, 2008 at 2:48 PM, Andrew Becherer <[EMAIL PROTECTED]> wrote:
>
> On Fri, Oct 24, 2008 at 2:30 PM, Brian T. Rice <[EMAIL PROTECTED]> wrote:
> >
> > See: https://256.makerslocal.org/wiki/index.php/USB_Auth
> > (Ignore the SSL certificate warning.)
> >
> > The device reads the USB chip serial ID so it's not easily
> > software-mockable.
>
> I've been wondering about that all day. Is it really not easily
> software-mockable? I'm wondering what it would take to create a
> "software defined" usb device capable of spoofing serial IDs. I have
> noted a number of people using the USB ID for everything from lock
> systems, to software protection tokens to OS login devices. This is
> something I would like to look into. It doesn't seem safe to me.
>
> (If I were to undertake a project like this I would use public key crypto)
>
> --
> Andrew Becherer

--
/Ryan

All people are born alike - except Republicans and Democrats.
 -- Groucho Marx
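The sniff-and-replay concern discussed in this thread, as an added example that is not part of the original messages: a lock that accepts a static ID compared with one that issues a fresh challenge and enforces expiry and a revocation list. HMAC-SHA256 with a shared key is used here as a standard-library stand-in for the public-key validation the message argues for; `Lock`, `token_respond`, `demo` and all values are hypothetical.

```python
import hashlib, hmac, os

class Lock:
    """Lock-side checks. HMAC-SHA256 is a stand-in for a public-key signature."""
    def __init__(self, tokens):
        self.tokens = dict(tokens)   # token_id -> (key, expires_at)
        self.revoked = set()         # revocation list held at the lock
        self.pending = {}            # token_id -> outstanding nonce

    def check_static_id(self, token_id):
        # ID-only scheme: a value sniffed once is accepted forever.
        return token_id in self.tokens

    def challenge(self, token_id):
        self.pending[token_id] = os.urandom(16)   # fresh per attempt
        return self.pending[token_id]

    def verify(self, token_id, response, now):
        nonce = self.pending.pop(token_id, None)  # each nonce is single-use
        if nonce is None or token_id not in self.tokens:
            return False
        key, expires_at = self.tokens[token_id]
        if token_id in self.revoked or now >= expires_at:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def token_respond(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    key = os.urandom(32)                          # constructed sample key
    lock = Lock({"token-1": (key, 2000)})         # expires at t=2000
    out = {"static_id_replay": lock.check_static_id("token-1")}
    sniffed = token_respond(key, lock.challenge("token-1"))
    out["legitimate"] = lock.verify("token-1", sniffed, now=1000)
    lock.challenge("token-1")                     # new attempt, new nonce
    out["replayed_response"] = lock.verify("token-1", sniffed, now=1000)
    fresh = token_respond(key, lock.challenge("token-1"))
    out["after_expiry"] = lock.verify("token-1", fresh, now=3000)
    lock.revoked.add("token-1")
    fresh = token_respond(key, lock.challenge("token-1"))
    out["after_revocation"] = lock.verify("token-1", fresh, now=1000)
    return out

if __name__ == "__main__":
    print(demo())
```

With a real signature scheme the lock would hold only the verification key, so reading the lock's storage would not yield anything that can answer a challenge.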
