Transitive Trust is Red Herring
Posted Jul 12, 2005 2:32 UTC (Tue) by dlang (subscriber, #313)
In reply to: Transitive Trust is Red Herring by AnswerGuy
Parent article: The coming Web security woes (News.com)
One final point on transitive trust: the attacks using it are real, taking place today against people who are saying 'I'm using SSH so of course I'm safe'. We aren't talking about a possible future escalation, we are talking about the here and now (IIRC the compromise of the Debian servers last year was the same thing).
As for your argument about not trusting your keyboard, etc., that is exactly why a smartcard needs to be fully self-contained and not trust the system it's plugged into.
It doesn't necessarily require any special reader; you could make one that plugged into a PCMCIA/USB/Compact Flash/etc. slot (USB is close enough to universal that it's probably the best option right now).
The key is how it's used.
It needs to avoid exposing its shared secrets to the host machine (you need to allow a host machine to load the key into it, but after that you shouldn't be able to read it back out).
It needs to limit how much it can be used (to keep an attacker from trying to query every possible challenge-response pair from it). This could be as simple as limiting it to X authentications/second, or as complex as requiring the user to authorize the smartcard to respond each and every time (say a fingerprint reader on the card; remember you can't trust the computer not to tamper with (or copy) any user input before giving it to you).
And the interface for the device can also be very simple; you just need to feed it a couple of pieces of data (the minimum being the challenge from the remote site, but adding the userid the challenge is for and what the site is claiming to be would allow for multiple userids per smartcard and logging in the smartcard, which could be useful) and it replies with the appropriate response. You could make it look like any sort of device that you want (a serial port or modem would be trivial to get the right interface to, for example, and would take advantage of common OS drivers to support it).
The real complication is in handling the public info and maintaining it on all the servers (which includes key renewal, revocation, etc.).
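The token design sketched in the comment above (write-only key, rate-limited responses, optional per-response user approval, and a response bound to the userid and the claimed site), as an added simulation that is not dlang's code and not any real smartcard's firmware. It assumes HMAC-SHA256 as the challenge-response function and constructed parameters such as `max_per_second`, `require_user_ok`, the shared secret and the challenge; the `FakeClock` exists only so the rate limit can be exercised deterministically.

```python
"""Constructed simulation of a self-contained authentication token:
the secret is write-only, responses are rate limited and bound to the
userid and the claimed site, and the host only ever sees the response."""
import hashlib
import hmac
import time
from collections import deque


class RateLimited(Exception):
    """Token refused a query because the per-second budget is used up."""


class NotAuthorized(Exception):
    """Card requires an on-card approval (e.g. fingerprint) and none was given."""


class SelfContainedToken:
    """Models the card. max_per_second and require_user_ok are assumed knobs."""

    def __init__(self, max_per_second=2, require_user_ok=False, clock=time.monotonic):
        self._secret = None            # no method ever returns this
        self._max_per_second = max_per_second
        self._require_user_ok = require_user_ok
        self._clock = clock            # injectable for deterministic tests
        self._recent = deque()         # timestamps of responses in the last second
        self._user_ok = False
        self.log = []                  # on-card record of (status, userid, site)

    def load_secret(self, secret: bytes) -> None:
        """Write-only provisioning: a loaded key can be neither replaced nor read back."""
        if self._secret is not None:
            raise PermissionError("key already present; no overwrite or readout")
        self._secret = bytes(secret)

    def press_button(self) -> None:
        """Stands in for the on-card user approval (fingerprint reader, touch sensor)."""
        self._user_ok = True

    @staticmethod
    def derive_response(secret: bytes, challenge: bytes, userid: str, site: str) -> bytes:
        # Assumed construction: HMAC-SHA256 over userid, claimed site and challenge,
        # so a response computed for one site is useless to an impostor claiming another.
        msg = b"\x00".join([userid.encode(), site.encode(), challenge])
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def respond(self, challenge: bytes, userid: str, site: str) -> bytes:
        if self._secret is None:
            raise RuntimeError("no key loaded")
        now = self._clock()
        while self._recent and now - self._recent[0] >= 1.0:   # drop entries older than 1 s
            self._recent.popleft()
        if len(self._recent) >= self._max_per_second:
            self.log.append(("rate-limited", userid, site))
            raise RateLimited("too many responses in one second")
        if self._require_user_ok:
            if not self._user_ok:
                self.log.append(("not-authorized", userid, site))
                raise NotAuthorized("user did not approve this response")
            self._user_ok = False      # one press buys exactly one response
        self._recent.append(now)
        self.log.append(("ok", userid, site))
        return self.derive_response(self._secret, challenge, userid, site)


def server_verify(secret: bytes, challenge: bytes, userid: str, site: str, response: bytes) -> bool:
    """Server side: it holds the same shared secret and recomputes the expected value."""
    expected = SelfContainedToken.derive_response(secret, challenge, userid, site)
    return hmac.compare_digest(expected, response)


class FakeClock:
    """Constructed clock so the per-second limit can be driven by hand."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Returns (genuine site verifies, impostor site verifies, third query refused, ok after 1 s)."""
    clock = FakeClock()
    card = SelfContainedToken(max_per_second=2, clock=clock)
    secret = b"constructed-shared-secret"          # provisioned once, never read back
    card.load_secret(secret)
    chal = b"constructed-nonce-0001"                # what the remote site would send
    r1 = card.respond(chal, "alice", "ssh.example.org")
    genuine = server_verify(secret, chal, "alice", "ssh.example.org", r1)
    impostor = server_verify(secret, chal, "alice", "ssh.example.net", r1)
    card.respond(chal, "alice", "ssh.example.org")  # second query within the same second
    try:
        card.respond(chal, "alice", "ssh.example.org")
        refused = False
    except RateLimited:
        refused = True
    clock.now += 1.0                                 # budget resets after one second
    r4 = card.respond(chal, "alice", "ssh.example.org")
    return genuine, impostor, refused, r4 == r1


if __name__ == "__main__":
    print(demo())   # (True, False, True, True)
```

The point of binding the site name into the MAC is the transitive-trust case from the thread: a compromised host that relays the challenge to the card still gets back a value that only verifies against the site the user was actually talking to, and the on-card log records who asked for what.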