Comments on alternate technologies versus certificates on smart devices.

Use of alternate technologies may mean several things:

  • use of alternate technologies to authenticate to a system - no certificates or private keys.
  • use of alternate technologies to access a private key stored on a host.
  • use of alternate technologies to authenticate to a token (e.g. biometric replaces the PIN).

In general, a certificate and private key secured on a smart device can be used for:

  • authentication
  • signature
  • encryption

The smart device itself is a dedicated and tamper resistant microcomputer to which the user has only limited access. Most significant is that private keys stored on the device cannot be directly accessed or copied by an external system. All interactions with private keys occur by sending data to the device, which then operates on the data and returns the result. The user must enter a PIN before the private key can be used in this way.

Private keys can either be generated on the device (in which case the device holds the only copy) or they can be generated on some other system and copied to the device (from which they cannot subsequently be extracted). Keys used for signature or authentication are generated on the device so that non-repudiation holds: no copy ever exists anywhere else. Encryption keys can be generated elsewhere and copied in if an escrow or backup copy is kept, so that encrypted data remains recoverable if the device is lost.

  • even biometric systems require a signed credential, i.e. a certificate
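The access rules described above, as an added example that is not part of these notes: a small Go model of a token in which no method ever returns a private key, every private-key operation requires the PIN first, signature/authentication keys can only be generated on the device, and an externally generated (escrowed) key can be imported only for encryption use. The Token type, its method names and the retry limit of three wrong PINs before the token locks are assumptions for illustration (real cards publish their own retry limit); the ECDSA calls are Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Purpose tags what a key slot may be used for.
type Purpose int

const (
	PurposeSignature  Purpose = iota // authentication/signature: generated on-device only
	PurposeEncryption                // encryption: may be imported from an escrow/backup copy
	maxPINRetries     = 3            // assumed retry limit; real cards publish theirs
)

var (
	ErrNotLoggedIn   = errors.New("token: PIN required")
	ErrBadPIN        = errors.New("token: wrong PIN")
	ErrLocked        = errors.New("token: retry limit reached, token locked")
	ErrImportRefused = errors.New("token: signature keys must be generated on-device")
	ErrNotSignKey    = errors.New("token: no such key, or key not usable for signing")
)

// Token models the smart device (hypothetical type). Private keys live only in
// keys and no method returns one: callers send data in and get the result back.
type Token struct {
	pin      string
	retries  int
	loggedIn bool
	keys     map[string]*ecdsa.PrivateKey
	purpose  map[string]Purpose
}

func NewToken(pin string) *Token {
	return &Token{pin: pin, retries: maxPINRetries,
		keys: map[string]*ecdsa.PrivateKey{}, purpose: map[string]Purpose{}}
}

// Login checks the PIN. Each wrong PIN burns a retry; at zero the token locks.
func (t *Token) Login(pin string) error {
	if t.retries == 0 {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		if t.retries--; t.retries == 0 {
			return ErrLocked
		}
		return ErrBadPIN
	}
	t.retries, t.loggedIn = maxPINRetries, true
	return nil
}

// GenerateKey creates the pair inside the token; only the public half leaves.
func (t *Token) GenerateKey(label string, p Purpose) (*ecdsa.PublicKey, error) {
	if !t.loggedIn {
		return nil, ErrNotLoggedIn
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[label], t.purpose[label] = priv, p
	return &priv.PublicKey, nil
}

// ImportKey loads a key generated elsewhere (the escrow/backup case); signature
// keys are refused because a second copy would undermine non-repudiation.
func (t *Token) ImportKey(label string, p Purpose, priv *ecdsa.PrivateKey) error {
	if !t.loggedIn {
		return ErrNotLoggedIn
	}
	if p == PurposeSignature {
		return ErrImportRefused
	}
	t.keys[label], t.purpose[label] = priv, p
	return nil
}

// Sign hashes data and signs it inside the token with a signature-purpose key.
func (t *Token) Sign(label string, data []byte) ([]byte, error) {
	if !t.loggedIn {
		return nil, ErrNotLoggedIn
	}
	priv, ok := t.keys[label]
	if !ok || t.purpose[label] != PurposeSignature {
		return nil, ErrNotSignKey
	}
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify is the relying party's side: only the certificate's public key is needed.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

The model is exercised from a test file (go test) rather than a main function. Note what is absent on purpose: there is no export operation at all, so the worst an attacker with access to the host can do is ask the token to sign while it is unlocked, which is why the PIN gate and the retry counter matter.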

Alternate Authentication Mechanism

No smart device, no certificate.

  • Not useful for signing data.
  • Not portable between systems.

Certificate/Private Key on Host

A certificate/key pair stored on a host with access

  • Exposed to many more host-level threats (malware, other users of the host)
  • Ties the user to the hosts where the certificate/key is stored
  • Can be copied by the user (or by any process running with the user's privileges)
  • Weaker for non-repudiation, since no one can show that only one copy of the key exists.

Token Supporting Alternate Authentication

Tokens that use something other than a PIN for user login to the token.

  • Generally more expensive than other tokens
  • Does nothing to address loss of the token.

Token/Card advantages

  • Supported on many platforms
  • Private keys cannot be copied from the device
  • No labels