
PDAs and ssh and security

Posted Dec 11, 2003 23:02 UTC (Thu) by eli (subscriber, #11265)
In reply to: ssh and security by dlang
Parent article: ssh and security

As an admittedly partial step in the direction you describe in your letter, you might consider that many developers have PDAs that could be used in the challenge-response process. Have a key on the PDA and generate the response from it (and maybe the time). (I'm envisioning the PDA displaying it for the user to enter.)

I store my passwords on my PDA (encrypted with a master password), so this would be the next logical step. I'd feel a whole lot better with a setup like that for my home PCs.

Thoughts?



PDAs and ssh and security

Posted Dec 12, 2003 22:47 UTC (Fri) by dlang (subscriber, #313)

A PDA does a good job of this and can replace a hardware token,

ASSUMING that the contents of the PDA are secured appropriately.

For example, if the application checks your password and then, if it matches, gives you access to a data file, someone else can get access to the data if you sync it to your desktop.

However, if the data on the PDA is encrypted with no encryption key ever stored on the PDA, then it's much better.

For example, if you need to store a 64-bit key on the PDA, the best way I've seen is to ask the user for a PIN and then encrypt the key using that PIN and store the result. When the user needs to access the key, have them enter a PIN and use that to decrypt the key. The thing that makes this work is that the key is a random binary blob: an attacker has no way of knowing if it decrypted successfully or not; the only way to know is to attempt to use it to access another system. This means that even with a 4-digit PIN it will take an average of 500 login attempts to find that it's right, giving you a chance to notice (too many bad logins protection).
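The scheme dlang describes, as an added example that is not part of either comment: a random 64-bit token key is XORed with a pad derived from the PIN and stored without any verifier, the PDA answers a server challenge with an HMAC under that key, and the server's failed-login lockout is the only place a wrong PIN ever shows. Names, the constructed salt and the 4-digit PIN space (10,000 values) are assumptions of this example.

```python
"""PIN-wrapped random key with no stored verifier (added example)."""
import hashlib
import hmac

PIN_DIGITS = 4
KEY_LEN = 8                    # the 64-bit key from the comment above
SALT = b"constructed-salt"     # constructed; stored beside the blob, it is not a verifier


def pin_pad(pin: str) -> bytes:
    """Derive KEY_LEN bytes of pad from the PIN alone; nothing checkable is derived."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 20_000, dklen=KEY_LEN)


def wrap_key(key: bytes, pin: str) -> bytes:
    """XOR the random key with the PIN pad. Because the key itself is uniformly
    random, unwrapping with ANY PIN yields an equally plausible 8-byte key, so
    the stored blob cannot be used to test PIN guesses offline."""
    return bytes(a ^ b for a, b in zip(key, pin_pad(pin)))


unwrap_key = wrap_key  # XOR is its own inverse: the same operation recovers the key


def generate_response(key: bytes, challenge: bytes) -> bytes:
    """PDA side of the challenge-response: HMAC of the server's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class Server:
    """Verifier with the 'too many bad logins' protection the comment relies on:
    a wrong PIN is only detectable here, and each probe costs a failed login."""

    def __init__(self, key: bytes, max_failures: int = 5):
        self.key, self.max_failures = key, max_failures
        self.failures, self.locked = 0, False

    def check(self, challenge: bytes, response: bytes) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(generate_response(self.key, challenge), response)
        if not ok:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok


def expected_online_guesses() -> float:
    """Average logins needed to find the PIN when each guess must go to the server."""
    return (10 ** PIN_DIGITS + 1) / 2
```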

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds