Re: how to save secret user information on a SmartCard?
From: germy (futureback_mail_at_yahoo.de)
Date: 07/05/05
Date: Tue, 5 Jul 2005 03:55:01 -0700
"Jakub Gwozdz" wrote:
> germy wrote:
> > i have to write a program that saves user information on a SmartCard as a
> > school project.
> >
> > the program should read out the user's id and password from the card. with
> > this information it should log the user in to an existing application.
> > sorry, i'm very new to this, how can this information be saved securely on
> > a smartcard?
> >
> > at the moment i think it can be done this way:
> > the hash-values of the id and the password are stored on the card and my
> > application knows the key to decrypt these.
> > but i'm not sure if this is secure, can someone explain to me how such things
> > are done in practice?
>
> As long as your normal software needs to know the decryption key (no
> matter if it's an RSA private key or a 3DES symmetric key) this solution
> wouldn't be secure. It's too easy to rip it off this.
>
> You should get a smartcard with PKCS#11 middleware interface
> (MS-CryptoApi won't help here). It needs to be able to store data on
> smartcard (Cryptoki CKO_DATA objects), not only keys and certificates.
> Those data objects should be created as private token objects
> (CKA_PRIVATE and CKA_TOKEN attributes set to TRUE). Now they can be
> accessed only after successful login (user must enter valid PIN).
> That's it. No further encryption/hashing is needed. And data objects may
> be in plain txt: "guest:1234qwer",
> xml: "<user><login>guest</login><pass>1234qwer</pass></user>" or any
> other format your application can read. They are safe as long as nobody
> gets your smartcard and PIN.
>
> The only safer solution based on user/password scheme is to encrypt
> credentials with host-specific key material, but such encrypted
> user/password wouldn't be usable on another machine.
>
> Best regards
> Jakub Gwóźdź
>
first, thank you for your fast reply
i have to use a GemSafe SmartCard for this Project, this card supports
private token objects, so i think it is suitable for this task.
but your post sounds like the user has to enter the pin every time he wants
to log in to the program.
but the advantage of my program should be that the user doesn't have to
enter anything (neither his id and password, nor the pin of the card), only
insert the card into the reader....
the more i'm thinking of this, the more i'm of the opinion that it isn't
possible to do this 100% secure.
either the application knows the pin or key which is easy to rip off, or the
data is stored unprotected on the card and i have to trust the user not to
lose the card or give it away
or are there other ways to solve the problem? please help me, it's very
important for me.
best regards
germy
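
The scheme from the quoted reply (a CKO_DATA object with CKA_TOKEN and CKA_PRIVATE set, readable only after a PIN login), as an added example that is not part of the original thread. It assumes the third-party PyKCS11 binding and the card vendor's PKCS#11 module; the application name, object label, module path and PIN are placeholders supplied by the caller.

```python
# Attribute, class and session-flag values from the PKCS#11 (Cryptoki) spec.
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x00, 0x01, 0x02, 0x03
CKA_APPLICATION, CKA_VALUE, CKO_DATA = 0x10, 0x11, 0x00
CKF_RW_SESSION, CKF_SERIAL_SESSION = 0x02, 0x04
APP, LABEL = "school-login", "credentials"  # hypothetical names

def data_template(value=None):
    """Template that finds (or, with a value, creates) the private data object."""
    t = [(CKA_CLASS, CKO_DATA), (CKA_TOKEN, True), (CKA_PRIVATE, True),
         (CKA_APPLICATION, APP), (CKA_LABEL, LABEL)]
    if value is not None:
        t.append((CKA_VALUE, value))
    return t

def decode(blob):
    """Split the stored 'user:password' bytes; the password may contain ':'."""
    user, sep, password = blob.decode("utf-8").partition(":")
    if not sep or not user:
        raise ValueError("malformed credential object")
    return user, password

def open_session(module_path, pin):
    """Open a read/write session on the first token and log in as the user."""
    import PyKCS11  # assumption: PyKCS11 is installed; only needed with a card
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slots = lib.getSlotList(tokenPresent=True)
    if not slots:
        raise RuntimeError("no smartcard present")
    session = lib.openSession(slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION)
    session.login(pin)  # private objects stay invisible until this succeeds
    return session

def store(session, user, password):
    """Replace any earlier credential object with a fresh one."""
    if ":" in user or not user:
        raise ValueError("user id must be non-empty and must not contain ':'")
    for old in session.findObjects(data_template()):
        session.destroyObject(old)
    value = f"{user}:{password}".encode("utf-8")
    session.createObject(data_template(value))

def load(session):
    """Read the credentials back; only works in a logged-in session."""
    found = session.findObjects(data_template())
    if not found:
        raise LookupError("no credential object visible (not logged in?)")
    raw = session.getAttributeValue(found[0], [CKA_VALUE])[0]
    return decode(bytes(raw))
```

The PIN is passed in by the caller at run time; hard-coding it in the program recreates the problem of a key embedded in the software that the quoted reply describes.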