[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security

trey@treysoft.com trey@treysoft.com
Thu, 22 Mar 2001 10:42:44 -0600


On Thu, Mar 22, 2001 at 05:27:22PM +0100, Joerg Bornschein wrote:

> On Thu, Mar 22, 2001 at 03:08:08PM +0100, wojtek@ifirma.pl wrote:
> 
> Hi,
> 
> > There is no software-only solution to this problem. Two-factor
> > authorization is required, i.e. a USB token and password. There are tokens
> > currently under development, where your private key never leaves the token.
> > This takes security two steps ahead.
> 
I missed the original message.  You might find some interest in
http://www.ibutton.com/ for cheap, RSA-on-a-US-dime-sized tokens.

> This is true, but you still have to trust large parts of the system to which
> you present your token. And you have to trust your (local) user interface
> to do the operations you requested.
> 
> Note that you might be using trojaned software without noticing it.
> 
If your Jr. Spaceman's Decoder Ring does all of the encrypting, the attacker
can't hope for much more than garbage data, no?  (I realize this makes all
sorts of assumptions about initial trust relationships, etc.)

-- Trey