How would you solve this security problem?


Steve Riley sent me an email message about a post on his blog.  He needs feedback from all of you on how to solve a challenging problem.  The challenge revolves around using public computers or kiosks to access your corporate data.  If we all used smartcards, and all machines had smartcard readers, then we’d have a nice multi factor auth system.  However, smartcard utopia doesn’t exist.


You can read a nice description of the problem at http://blogs.technet.com/steriley/archive/2006/04/20/425824.aspx


So what would you like a two factor authentication system to look and act like?  Give Steve some good feedback at the post linked above.


My solution would be to create a smartcard emulator on a USB flash “drive”.  Securely store the certs on the device.  USB is a pretty prevalent port on machines, at least more so than anything else I can think of.  Would that work?

Comments (3)
  1. Rob says:

    The problem I have with smartcards and RFID is that no matter how secure they are, no matter how complex the encryption they use, eventually the hash ends up being passed in cleartext to the software.  That’s the prime spot to intercept it and then pass it back.  Same thing with fingerprint readers.  They pull your print, encode it and then pass it from the hardware to the software.  Just grab it there and then you don’t need to worry about keeping an icechest full of severed fingers to hack the reader..<br>

    Our building uses a pass system I won’t mention.. but the other day I did a google on it and found someone who made a box the size of small PDA that could grab the electronic transaction from about 20 feet away (store it and play it back at the touch of a button to gain access to the door).  He was working on a big antenna to grab transactions from 150 feet away.

    Two factor security seems like a warm blanket to me.  You’ll stop the ankle-biters and script-kiddies but the serious blackhats will just laugh.  Even those FOBs that throw out a random number can be social engineered.  They are much better than smart cards or RFID though.  That would be my choice.  Even if they intercept the transaction it doesn’t matter since the random number will be different next time and the hash will change.  Even from a nasty public terminal with a keylogger

  2. castrunk says:

    The only problem I can come up with right at this moment is how to ensure the information stored on the USB drive remains unique.  The average user cannot write to a Smartcard, only read it.  That cannot be said for a USB drive.

    Of course, this assumes that a public computer in question 1) has a USB port, 2) you can access the USB port and 3) you can read the USB drive if you plug it in.  I don’t know if you can assume that sort of thing with absolute certainty.

    Other that those reasons, your idea is a very good one.  (I know, you’re itching to stick a ‘nade to my back right now.)

    As Steve wrote, the company in question needs to determine the level of risk.  I would argue that if the company insists upon a 2-factor authentication for their web sites, then public kiosks are out of the question.  Bring your notebook or use a company computer, but you cannot use a public system.  The company – not IT – has already determined that it is not willing to put up with the risk.

  3. Steve Spence says:

    How about a USB smartcard? We use them all over the place already…

Comments are closed.

Skip to main content