An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."
I believe this already exists with VeriSign's PIP https://pip.verisignlabs.com/ [verisignlabs.com]. In this you have a hardware key that rotates its numbers every 30 seconds.
I have this VeriSign PIP set up and have a key. It is essentially human delivered asymmetrical authentication. It's great security; plus, it works with the $5 keyfob from PayPal!
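The "key that rotates its numbers every 30 seconds" in the two posts above is a time-based one-time password token. The following is an added example, not code from the thread or from VeriSign or PayPal: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the RFC reference seed (public test data, not a real token secret) and a provider-side verifier that tolerates clock drift and refuses to accept the same code twice.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 / RFC 6238 reference secret "12345678901234567890".
# It is public test data, not a real token seed; a real seed is provisioned per device.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Provider-side check. It tolerates +/- `window` steps of clock drift, compares in
    constant time, and remembers the last accepted step so that a code captured by a
    phishing page or keylogger cannot be reused within its 30-second validity."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self._secret = secret
        self._window = window
        self._digits = digits
        self._last_step = -1

    def check(self, candidate: str, unix_time: int) -> bool:
        base = unix_time // STEP_SECONDS
        for drift in range(-self._window, self._window + 1):
            step = base + drift
            if step <= self._last_step:
                continue  # already consumed (or older): refuse even if the digits match
            expected = hotp(self._secret, step, self._digits)
            if hmac.compare_digest(expected, candidate):
                self._last_step = step
                return True
        return False


if __name__ == "__main__":
    now = 59  # fixed timestamp so the run is reproducible (the RFC 6238 test vector time)
    code = totp(DEMO_SEED, now)
    verifier = OtpVerifier(DEMO_SEED)
    print("token shows", code, "-> accepted:", verifier.check(code, now))
    print("same code again -> accepted:", verifier.check(code, now))
```

Note that the secret is shared: the provider holds the same seed the fob does, which is why the poster below is right that this is a different model from a smartcard whose private key never leaves the device.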
That's really not the same at all. With a SmartCard your keys and certs are in your physical control. The key or cert never leaves the card, and crypto operations also are done on the card. With VeriSign, VeriSign enslaves your identity. They own it, and you have to use the RSA token readout to get VeriSign to unlock your identity temporarily. These are fundamentally different operating principles.
Private key crypto operations are done on-card. Public key crypto operations are usually done off-card, since the cert is a public instrument and doesn't need to be protected by hardware.
I'm not sure if you're referring to the TrustBearer Security Token for sale on the site (which is /not/ the only supported device... for example, all US-govt PIV and CAC cards will work), or the PayPal device... but as this seems to be a common misconception, I'd like to clear this up.
The TrustBearer Security Key is a cryptographic device (with drivers on Windows update) that goes in a USB port. It uses asymmetric cryptography to decrypt a nonce sent by the provider to prove that the user owns the public k
I believe that promotion is now over. Going to the paypal site gives the error 'The Security Key is currently not available. Please try again later.' - and has done for the last week.
Isn't this like a MAC ID in a rudimentary sense? Aren't those already spoofed? I'm debating whether my tinfoil hat should or shouldn't be on, or whether I should call this one for skepticism.
MAC ID can easily be spoofed, thus challenges = fail. Even Wikipedia says that [wikipedia.org]. I know there's software and also hardware MAC-ID imitators... I'll try to dig out the link for the hardware ones later.
I guess what I'm asking is this. I'm not trying to play a "you're right/wrong" as I'd be guessing you know more than the basic knowledge I have of MAC IDs and not trying to compete anyway. But what I mean is if this is similar in ideas to a MAC ID and how a MAC ID can itself be faked, wouldn't faking the hardware for this new "open ID verification" create new vulnerabilities? I say this because of things like hardware virtualization that will be required to emulate this hardware...wouldn't that open the
Hey, I get what you mean. My concerns are the same as that article about RSA though (http://en.wikipedia.org/wiki/RSA#Practical_considerations) . These were the ones that I had in mind. Aren't those methods not exactly foolproof? If information can be gathered, then what? I see 8 different ways listed in the article you provided with which can provide methods to get around the security token. None of which appear impossible to set up with small levels of preparation (compromised machines, man in the midd
I can appreciate the notion of a hardware dongle of some kind to prove you are you, but right away I can see an easy way around it.
Once the key has been reverse-engineered, a software emulation thereof can be constructed, and a bit of clever hacking could substitute the software for the hardware.
Consider MAC address spoofing for what I see as a corollary.
If the hardware device is any good, it isn't relying on the obscurity of the algorithm as its security strength. It should be able to stand up to an attack even with a significant (hundreds of thousands) number of known tokens. If that is the case, then you need the seed (IV) of the token you want to impersonate in order to do any damage. That key should be protected like a regular key, and should be resistant to tampering (i.e. potted, designed to fail if it is tampered with). Now most sites that would be d
In the movie (don't remember which one, I saw it when I was a kid), Bond's car is parked outside a bad guy's property while he rescues the damsel in distress. As they go back to his car, one of the bad guy's henchmen try to break in. The car explodes in a giant fireball, obviously killing the henchman.
So if James Bond parks in the street and some scrote decides to smash his window, his car blows up, taking out nearby cars and buildings and possibly a few people with it.
I'd love to try to get that past the insurance company!
Do you talk out of your ass all the time, or only here on Slashdot? If you don't understand the way a smart card works, I would advise not yapping about the "easy way around it" that you just pulled out of your hindquarters.
Sure you can emulate the smart card, but not the data on it, which is the important part. I have a PC just like yours but I don't have all the _data_ that's on your PC, so it's not the same.
I'm by no means an expert on these hardware dongles, but what they usually do is act as a secure private key store. Software on the computer issues a challenge to the dongle, which then computes the response using the private key and sends that response back to the computer. The key never leaves the dongle, and is thus protected. Software spoofing would work, assuming you could get at the key. A lot of these dongles are write-only, however. You can write a key to the device, and you can delete the key, b
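The challenge-response described in the post above (host sends a nonce, the dongle answers with its private key, the key never leaves the device) and the "software emulation" objection a few posts up can be shown side by side. This is an added example, not code from the thread or from any vendor: it uses textbook RSA with the toy parameters p = 61, q = 53 (n = 3233, e = 17, d = 2753), which are far too small for real use and carry no padding, purely so the arithmetic is visible. The class and function names are made up for the example.

```python
import secrets
from typing import Optional

# Toy RSA parameters: the textbook example p = 61, q = 53 (n = 3233, e = 17, d = 2753).
# Constructed for illustration only; a real card uses 2048-bit keys and a padding scheme.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


class HardwareToken:
    """Stands in for the card. The private exponent is set at personalisation time and
    the only operation the host can invoke is respond(); nothing ever returns the key."""

    def __init__(self, n: int, d: int):
        self._n = n
        self._d = d

    def respond(self, challenge: int) -> int:
        if not 1 < challenge < self._n:
            raise ValueError("challenge out of range")
        return pow(challenge, self._d, self._n)  # private-key operation, done on-card


class Provider:
    """Holds only the public key, issues fresh single-use challenges and verifies replies."""

    def __init__(self, n: int, e: int):
        self._n = n
        self._e = e
        self._outstanding = set()

    def new_challenge(self, fixed: Optional[int] = None) -> int:
        # `fixed` lets a test pin the challenge; production callers leave it None.
        challenge = secrets.randbelow(self._n - 2) + 2 if fixed is None else fixed
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: int, response: int) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already used once: a replayed answer is rejected
        self._outstanding.discard(challenge)
        return pow(response, self._e, self._n) == challenge  # public-key operation, off-card


class SoftwareEmulator:
    """A faithful copy of the token's code and public key, but without the private exponent.
    It can speak the protocol perfectly, yet the best it can do is echo the challenge."""

    def __init__(self, n: int):
        self._n = n

    def respond(self, challenge: int) -> int:
        return challenge % self._n


def login(provider: Provider, device, fixed_challenge: Optional[int] = None) -> bool:
    """One authentication round: provider issues a nonce, device answers, provider verifies."""
    challenge = provider.new_challenge(fixed_challenge)
    return provider.verify(challenge, device.respond(challenge))


if __name__ == "__main__":
    provider = Provider(TOY_N, TOY_E)
    print("real token :", login(provider, HardwareToken(TOY_N, TOY_D)))
    print("emulator   :", login(provider, SoftwareEmulator(TOY_N)))
```

The emulator fails not because the protocol is secret but because the private exponent is; that is the point the replies above make about emulating the hardware without the data on it. The single-use challenge set is what stops a recorded response from being played back.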
Yeah, that's how the TPMs work that you can (could?) find in a lot of biz laptops. Great for certifying connections being made from a specific laptop, or for the paranoid being made while that laptop is running.
Actually keys aren't stored on the TPM, they are stored encrypted on your hard drive and you load the keys into the chip which then decrypts the keys with the help of a private key stored on the chip. But the decrypted keys never leave the chip.
Paypal has been offering [paypal.com] tokens for a while now (for $5). And they work with Verisign's Personal Identity Provider [verisignlabs.com] service.
So for $5 you can get a little "football" of a token that will work as an OpenID login for any site that supports open ID.
Unfortunately they are still only available to users in Canada and the U.S.A. I asked recently and they have no plans to offer it to users in Europe. However, I would much prefer using a one-time code over SMS. In theory, I register my cellphone number with my providers (banks, etc) so that I only have one hardware device to look after. If it ever gets lost, I only have one call to make to report it stolen, instead of having to call up each provider.
Doesn't this create a new privacy problem much like search data? How likely are companies providing the authentication services to create logs of which sites you login to? It is one thing to know what I search on but it is even more invasive to know which sites I actively login to.
This is an interesting problem, as I suspect that not everyone will be operating independent OpenID servers. But, as the spec is open, people who know and care (you and I) can avoid this problem.
This is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.
So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?
I don't think it works like that. It would be more like, I go to my profile page 'ballwall' and there's a field for my openID username[s]. After I populate that I can log in with that or my regular slashdot id. I'd imagine that once you've successfully logged in via openID that you would be able to disable normal password auth altogether.
I'd really love to see this get widespread use. I really really want to use two factor authentication everywhere. I very much dislike having to manage a ton of passwords.
Right. So you set ballwall to authenticate against whatever openID server. And then tell all your friends about your WSJ subscription. OpenID is not intended to be two factor identification. It's intended to address the explosion in websites (blogs, mostly) that request / require accounts for some reason.
But there was a challenge that was offering a couple thousand to whoever could get openID support into popular tools. Donno if slashcode's included.
Pay-for web apps would probably only allow VeriSign paid OpenIDs.
Anyone can create a random SSL certificate as well... they can't be used for anything.
Now slashdot allowing those anonymous openids... that would enable drive-by trolling. Login using anonymous temporary openid, say something rude about Linux, log out, wash, rinse, repeat.
As long as the OpenID provider (the party that provides the identity by utilizing an authentication mechanism) can access the REMOTE_USER env variable or something equivalent, it can perform its duty normally. I think it is really not important whether there is username/password based authentication or PKI authentication using soft tokens or hardware crypto tokens or biometric authentication or one time passwords or whatever else. It is up to the implementor of the service to decide what kind of authentication will be used according to his/her requirements. Using an external authentication mechanism can slightly perplex the situation on how logout is performed (as it is dependent on the auth mechanism) or on how attribute based authorization is being carried out.
But overall it gives great flexibility to the implementor because he/she can lay out a scheme where existing authentication/authorization infrastructures (like an institution's LDAP for example) can be used in a cross platform way to offer web based identity.
I worry whenever I see the word 'trust' juxtaposed with OpenID. I worry that organizations will misuse OpenID, and ignore its purpose: only provide an identification for a person, nothing else. It doesn't certify the person's character, background, politics, or financial base. If I say that I am user@server, then OpenID is just a bit of evidence supporting that. That's all.
Call me old fashioned, but I like the idea of not having to use central authentication to log into websites. What if my OpenID information is compromised? If each site has its own authentication, I can use separate usernames and passwords to safeguard my accounts. If one is compromised, then only the account at that site is at risk. But if my OpenID information is compromised, then others can log into any site that uses my OpenID information.
Agreed. However, I think in practice, most users use only one or two passwords to login to the vast majority of websites. OpenID thus seems to simply codify this "truism", if I'm on-base. While a centralized password might make mass ownage of websites possible, it should also be simple to shutdown that account across a wide swath of websites more or less instantly.
True, but that relies on the original account holder to know that they have been compromised to begin with. Given the amount of identity fraud victims that don't even know that they are victims until it's too late (although I would imagine that number has gone down in recent years with recent awareness of identity fraud), it's not too hard to imagine that there are several account holders online who don't even know that someone has guessed their password, especially if the account holder has abandoned the
And nobody is stopping you from doing that. Get multiple OpenIDs. Get them from different providers, if you like. You can still do it your way while the lazy ones (me included) use single sign-on and make our lives a little simpler.
I would like to use OpenID as a "single sign on" solution for a wide range of services. The problem I see right now is that it's only viable for web based services. Does the OpenID technology have a way (or is planning one) to authenticate when the client is something other than a web browser? I'm thinking things like IMAP/SMTP mail, console mode login (ssh/telnet), etc. etc.
Security authentication is based on three possible factors: something you know (like a password), something you have (like a smartcard), or something you are (like biometrics). Now, if these things will be used in addition to passwords, that would indeed take the authentication factors from single to double. But, as is usually the case, they just replace passwords with smartcards or dongles. So there would be no increase in security at all.
So ThinkFinger stores 3 copies of what my finger looks like on my local PC. That makes sense for auth on a local machine. How does this work on an enterprise scale? Are the fingerprint details sent to a remote central storage system which then confirms a match?
If that assumption is correct, how would OpenID-enabled websites work with that? Would your account somehow point to your OpenID "provider" which would have your fingerprint to
But then the downside to MoC or MoR is that it only works at that one location (or you have to push it out to all the PCs you want it on). If I have multiple PCs or even public terminals I want to authenticate from, it's no good, right? Also, by storing the fingerprint on the PC, the PC's physical security is a big deal - the same that is true of a private/secret key for SSH or GPG. But at least with GPG I can revoke a public key (and have stored revokes ready to go already) and/or time expirations. With
The consumer fetches http://slashdot.org/~user345 [slashdot.org] and looks for a specific pattern in the file (never mind the details). That pattern provides a server URL (we'll call it the provider).
The consumer redirects my browser to the provider with some specific GET arguments.
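The two steps sketched above (fetch the claimed identifier page, pull the provider URL out of it, redirect the browser to the provider) are the consumer half of an OpenID 1.1 login. The following is an added example, not code from the thread or from any OpenID library: the `<link rel="openid.server">` / `<link rel="openid.delegate">` tags and the `openid.mode`, `openid.identity`, `openid.return_to` and `openid.trust_root` parameters are the ones the OpenID 1.1 specification defines; the sample HTML, the hostnames and all function names are constructed for the example. The example also includes the `return_to`-within-`trust_root` check that a provider has to apply, which the post skips over.

```python
import re
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of a claimed identifier page, with the OpenID 1.1 <link> tags a
# consumer looks for. A real page at the user's URL would carry tags of this shape;
# this HTML and these hostnames are made up for the example.
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>user345</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link href="https://provider.example/id/user345" rel="openid.delegate">
</head><body>my homepage</body></html>"""

_LINK_TAG = re.compile(r"<link\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([\w.:-]+)\s*=\s*"([^"]*)"')


def discover(html: str) -> Dict[str, str]:
    """Step 1 (consumer side): find the provider URL and the optional delegate identifier.
    Attribute order inside the tag does not matter; the first matching link wins."""
    found: Dict[str, str] = {}
    for tag_body in _LINK_TAG.findall(html):
        attrs = {k.lower(): v for k, v in _ATTR.findall(tag_body)}
        rel = attrs.get("rel", "").lower()
        if rel in ("openid.server", "openid.delegate") and rel not in found and "href" in attrs:
            found[rel] = attrs["href"]
    if "openid.server" not in found:
        raise ValueError("page carries no openid.server link; cannot authenticate")
    return found


def return_to_within_trust_root(return_to: str, trust_root: str) -> bool:
    """The provider must refuse a return_to outside the consumer's trust_root; otherwise the
    user would approve one site while the signed assertion is delivered to another."""
    r, t = urlsplit(return_to), urlsplit(trust_root)
    if r.scheme != t.scheme or r.netloc.lower() != t.netloc.lower():
        return False
    return r.path.startswith(t.path or "/")


def build_checkid_setup_url(server: str, identity: str, return_to: str, trust_root: str) -> str:
    """Step 2 (consumer side): the redirect that sends the browser to the provider."""
    if not return_to_within_trust_root(return_to, trust_root):
        raise ValueError("return_to must lie within trust_root")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    joiner = "&" if urlsplit(server).query else "?"
    return server + joiner + urlencode(params)


def start_login(claimed_id: str, html: str, return_to: str, trust_root: str) -> str:
    """Discovery followed by redirect construction. If the page delegates, the provider is
    asked about the delegate identifier rather than the claimed URL."""
    links = discover(html)
    identity = links.get("openid.delegate", claimed_id)
    return build_checkid_setup_url(links["openid.server"], identity, return_to, trust_root)


def parse_redirect(url: str) -> Dict[str, object]:
    """Helper for inspecting what the browser will carry to the provider."""
    parts = urlsplit(url)
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


if __name__ == "__main__":
    url = start_login("http://slashdot.org/~user345", SAMPLE_IDENTITY_PAGE,
                      "https://consumer.example/openid/return", "https://consumer.example/")
    print(parse_redirect(url))
```

What the provider does after the redirect (authenticate the user by whatever means, then send a signed assertion back to `return_to`) is outside this snippet; the REMOTE_USER post further down makes the point that the provider's choice of mechanism is invisible to the consumer.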
The difference is that the person I'm replying to knows I own that OpenID account, rather than me just being a random anonymous person.
No, it knows nothing. OpenID has no trust, so they could have just visited http://www.jkg.in/openid/ [www.jkg.in] and generated one for that purpose.
OpenID says zero about who you really are. You are an anonymous user - which is why it would be crazy for a site which previously required registration to allow OpenID users to post simply based on the existence of that token. You're goin
It relies on providers cooperating with each other - clearly the sites the other poster tried had not agreed to share users. You're going to need multiple OpenIDs anyway... some of which will be chargeable (this much is admitted on the OpenID site... you can bet VeriSign are itching to charge a fortune for 'secure' OpenIDs and charge double for 'super secure assured' OpenIDs). Saying the users from one blog work on another blog isn't saying much. When I can log into slashdot and my bank with the same ID then
Anything like verasigns pip? (Score:2, Informative)
I believe SecurID tokens are getting fairly cheap though... wonder if it'll work with them.
Mac ID? (Score:2)
http://wirelessdefence.org/Contents/MAC%20Address%20Changer.htm [wirelessdefence.org] That's one example, or:
http://amac.paqtool.com/mac-address-spoofing.htm [paqtool.com]
Emulation? (Score:2, Insightful)
I guess I'm too old for slashdot
TPM (Score:2)
Verisign Has Similar Offering Via Paypal (Score:2)
It's a very sensible move on Paypal's part.
At least I know the real reason now. Lying toads.
You can get SecurID tokens for about £50ish from some places but I think they need special (expensive!) Windows based software to work.
Privacy Problem (Score:2, Interesting)
And Microsoft is in it because... (Score:2)
2. Get involved using overwhelming marketshare
3. Introduce proprietary fucked-up implementation
4. Profit
same old story...
Decoupled authentication (Score:5, Informative)
REMOTE_USER (Score:4, Interesting)
Distrust 'trust' (Score:2)
Security risks? (Score:2)
OpenID for non web clients? (Score:3, Interesting)
Higher levels? I'm dubious.... (Score:2)
Biometric (Score:2)
Re:Tell me sales man (Score:4, Funny)
In Soviet Russia, biometrics validate YOU
Sorry, I can' think of a Natalie Portman joke. I guess I fail it.