Forgot your password?
typodupeerror
Security Hardware

Hardware Based OpenID Service Available 119

Posted by ScuttleMonkey
from the welcome-to-your-next-new-buzzword dept.
An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."
This discussion has been archived. No new comments can be posted.

Hardware Based OpenID Service Available

Comments Filter:
  • I believe this already exists with verasigns pip https://pip.verisignlabs.com/ [verisignlabs.com] . In this you have a hardware key that rotates it's numbers every 30 seconds.
    • Re: (Score:3, Interesting)

      by cybereal (621599)
      I have this verisign pip setup and have a key. It is essentially human delivered asymmetrical authentication. It's great security; plus, it works with the $5 keyfob from PayPal!
      • by ohtani (154270)
        It used to be completely free for folks with business accounts like I have. They apparently stopped that promotion but I managed to get mine for free when they were still doing it.
        • by cybereal (621599)

          It used to be completely free for folks with business accounts like I have. They apparently stopped that promotion but I managed to get mine for free when they were still doing it.

          Still $5 was awesome compared to verisign's price of around $30. On top of that, I had almost $5 sitting in my paypal balance and no use for it so in my very human mind ;) it was basically 75 cents.

          Now if someone would just start using OpenID. Almost nothing useful consumes OpenID yet! I have one site that I use for work that does, and one "to do" site, toodledo.com, that I used to use for my iPhone todo lists but even that site is rarely visited. That plus about 1000 blog sites seems to be all that co

    • by harningt (1238980)
      Not quite (although it 'could' in theory support it..).. OTP != Strong Cryptographic Authentication IIRR One of RSA's OTP Tokens has been proven to be breakable.
    • by Jeffrey Baker (6191) on Wednesday February 13, 2008 @04:28PM (#22411632)
      That's really not the same at all. With a SmartCard your keys and certs are in your physical control. The key or cert never leaves the card, and crypto operations also are done on the card. With VeriSign, VeriSign enslaves your identity. They own it, and you have to use the RSA token readout to get VeriSign to unlock your identity temporarily. These are fundamentally different operating principles.
      • by Cerebus (10185)
        Private key crypto operations are done on-card. Public key crypto operations are usually done off-card, since the cert is a public instrument and doesn't need to be protected by hardware.
        • Right. And in this case, the certificate never even leaves the provider...so no worries about relying parties getting personal information aside from the nickname that you provide when signing up.
    • by jerel (112066)
      If you want to buy this "FOB", which is functionally identical to RSA's SecureID token, you can purchase it from PayPal, that calls it "Security Key" [paypal.com] for an introductory flat $5, no shipping, or from VeriSign, that calls it "VIP Security Token" [verisign.com] for $30 plus $6 shipping.
      • Re: (Score:2, Informative)

        by jbastress (1239046)

        I'm not sure if you're referring to the TrustBearer Security Token for sale on the site (which is /not/ the only supported device...for example, all US-govt PIV and CAC cards will work), or the PayPal device...but as this seems to be a common misconception, I'd like to clear this up.

        The TrustBearer Security Key is a cryptographic device (with drivers on Windows update) that goes in a USB port. It uses asymmetric cryptography to decrypt a nonce sent by the provider to prove that the user owns the public k

      • by Tony Hoyle (11698)
        I believe that promotion is now over. Going to the paypal site gives the error 'The Security Key is currently not available. Please try again later.' - and has done for the last week.
        • by Tony Hoyle (11698)
          Btw. the verisign link doesn't work. pip.verisign.com doesn't appear to be a hardware based solution, merely an extra username.

          I believe SecurID tokens are getting fairly cheap though.. wonder if it'll work with them.
  • Tell me sales man (Score:1, Flamebait)

    by techpawn (969834)

    It requires no middleware software but rather works through the web browser on Windows, Mac, and Linux platforms
    But will it run on... Oh? It will?!
  • Isn't this like a MAC ID in a rudimentary sense? Aren't those already spoofed? I'm debating whether my tinfoil hat should or shouldn't be on, or whether I should call this one for skepticism.
    • Re: (Score:2, Informative)

      by harningt (1238980)
      Erm... MAC ID is non-changing... In a simple example of how this works, it does a cryptographic challenge-response so you keep a private key...
    • by maxume (22995)
      In the sense that the client sends a blob of ostensibly unique data to the server, yes, this is just like a MAC address.

      In the sense that the client receives a blob of data from the server and returns the result of cryptographically signing that blob, no, it is nothing like a MAC address.
      • by poetmatt (793785)
        I guess what I'm asking is this. I'm not trying to play a "you're right/wrong" as I'd be guessing you know more than the basic knowledge I have of MAC ID's and not trying to compete anyway. But what I means is if this is similar in ideas to a MAC ID and how a MAC ID can itself be faked, wouldn't faking the hardware for this new "open ID verification" create new vulnerabilities?

        I say this because of things like hardware virtualization that will be required to be emulate this hardware...wouldn't that open the
        • by harningt (1238980)
          This is completely different in that a MAC ID is a single piece of unique data that gets thrown around.

          There's no need to do any hardware virtualization for emulation. You just need to use the public RSA algorithms to perform operations.

          Cracking RSA is a huge undertaking requiring massive brute force.
          The entire trick to this thing is that there is a piece of private data on the device that cannot be pulled off without extensive resources.

          Now... if one were to lose your card, even in the remote chan
        • by maxume (22995)
          MAC addresses are intended to be device specific because it is convenient for something like a router to be able to tell different devices apart, even if they are two copies of the same device(this just about sums up my knowledge of MAC addresses). That some people tried to use this as security is a historical accident. The issue is just as you have it, you have to rely on the hardware telling the truth.

          What is being talked about here is this stuff:

          http://en.wikipedia.org/wiki/Security_token [wikipedia.org]

          where the hardwa
          • by poetmatt (793785)
            Hey, I get what you mean. My concerns are the same as that article about RSA though (http://en.wikipedia.org/wiki/RSA#Practical_considerations) . These were the ones that I had in mind. Aren't those methods not exactly foolproof? If information can be gathered, then what? I see 8 different ways listed in the article you provided with which can provide methods to get around the security token. None of which appear impossible to set up with small levels of preparation (compromised machines, man in the midd
            • by maxume (22995)
              I guess it comes down to whether your question/concern is more like "Is it perfect?" or more like "Is it better than a password?". Of course it isn't perfect, but for lots of purposes, a physical token is quite a lot better than a password. As you say, no one really knows how hard it is to compromise the physical tokens(you sort of can't until you have done it), but there are plenty of people who think it is hard enough.
  • Emulation? (Score:2, Insightful)

    by KublaiKhan (522918)
    I can appreciate the notion of a hardware dongle of some kind to prove you are you, but right away I can see an easy way around it.

    Once the key has been reverse-engineered, a software emulation thereof can be constructed, and a bit of clever hacking could substitute the software for the hardware.

    Consider MAC address spoofing for what I see as a corollary.
    • by genican1 (1150855)
      or you could just kill them and steal their dongle.
    • Re: (Score:3, Informative)

      by un1xl0ser (575642)
      If the hardware device is any good, it isn't relying on the obscurity of the algorithm as it's security strength. It should be able to stand up to an attack even with a significant (hundreds of thousands) number of known tokens. If that is the case, then you need the seed (IV) of the token you want to impersonate in order to do any damage. That key should be protected like a regular key, and should be resistant to tampering (i.e potted, designed to fail if it is tampered with).

      Now most sites that would be d
      • by rthille (8526)
        I'm still waiting for a smart-card with a tamper prevention system like James Bond's Lotus Esprit.
        • by harningt (1238980)
          What sort of tamper-proof? With smart-cards, if you disect it, its kaput. If you enter your pin bad x times, its dead.
          • There are ways to determine the structure of something without actively 'tampering' with it. Consider the means that art historians use to determine what was painted on the canvas before the work on top was painted, for example.

            Widely available? No, not really. But no security is impossible to crack; I'd like to know exactly how difficult it is to do so before I'd consider forking over for one.
          • by rthille (8526)

            I guess I'm too old for slashdot :-)

            In the movie (don't remember which one, I saw it when I was a kid), Bond's car is parked outside a bad guy's property while he rescues the damsel in distress. As they go back to his car, one of the bad guy's henchmen try to break in. The car explodes in a giant fireball, obviously killing the henchman.
            • by Tony Hoyle (11698)
              So of james bond parks in the street, some scrote decides to smash his window his car blows up taking out nearby cars and buildings and possible a few people with it.

              I'd love to try to get that past the insurance company!
              • by rthille (8526)
                Yeah, something like that. In the movie, the bad guy smashed the driver's side window with the butt of his rifle. It's difficult to speculate, but it seemed that in the bond case, the security system was more about keeping the spy tech from falling into the "wrong hands" than just killing someone who was trying to jack his car (since obviously a blown up car is of no more use than a stolen one :-)
    • Do you talk out of your ass all the time, or only here on Slashdot? If you don't understand the way a smart card works, I would advise not yapping about the "easy way around it" that you just pulled out of your hindquarters.
      • What part of the smart card system precludes emulation?
        • by harningt (1238980)
          Nothing at all. What smart cards bring to the picture is the ability to send data to a device and get processed data back without the ability to see the key that is used to perform said processing.
        • Sure you can emulate the smart card, but not the data on it, which is the important part. I have a PC just like yours but I don't have all the _data_ that's on your PC, so it's not the same.
    • by Sancho (17056)
      I'm by no means an expert on these hardware dongles, but what they usually do is act as a secure private key store. Software on the computer issues a challenge to the dongle, which then computes the response using the private key and sends that response back to the computer. The key never leaves the dongle, and is thus protected. Software spoofing would work, assuming you could get at the key.

      A lot of these dongles are write-only, however. You can write a key to the device, and you can delete the key, b
      • by harningt (1238980)

        ... A lot of these dongles are write-only, however. You can write a key to the device, and you can delete the key, but you can't ever read it back. This prevents attacks where a malicious user steals the fob to extract the key, or where malicious software tries to do the same. They're really quite secure.

        Even better than that, you can make the dongles generate a key so that nothing has ever seen the private key but the dongle from which it holds onto.

      • by emj (15659)
        Yeah, that's how the TPMs work that you can (could?) find in a lot of biz laptops. Great for certifying connections being made from a specific laptop, or for the paranoid being made while that laptop is running.
        • by emj (15659)
          Actually keys aren't stored on the TPM, they are stored encrypted on your hardrive and you load the keys into the chip which then decrypts the keys with the help of a private key stored on the chip. But the decrypted keys never leave the chip.
  • Paypal has been offering [paypal.com] tokens for a while now (for $5). And they work with Verisign's Personal Identity Provider [verisignlabs.com] service.

    So for $5 you can get a little "football" of a token that will work as an OpenID login for any site that supports open ID.

    • by harningt (1238980)
      The problem with this is that its no fun to have to enter _3_ pieces of data. For security to work in this world, it either has to be no more work for a user, or make it easier. Example usage: * @ site A, enter openid.trustbearer.com as the ID (no need for username since it can be discovered w/ OpenID 2.0) * Redirected to OpenID login page * Enter X digit PIN * Logged in No entering username + password + long ugly number
    • Business accounts get one for free. :)

      Its a very sensible move on Paypal's part.
    • by c_g_hills (110430)
      Unfortunately they are still only available to users in Canada and the U.S.A.. I asked recently and they have no plans to offer it to users in Europe. However, I would much prefer using a one-time code over sms. In theory, I register my cellphone number with my providers (banks, etc) so that I only have one hardware device to look after. If it ever it gets lost, I only have one call to make to report it stolen, instead of having to call up each provider.
      • by Tony Hoyle (11698)
        When I contacted them they said it was because the offer had expired some time ago.

        At least I know the real reason now. Lying toads.

        You can get SecurID tokens for about £50ish from some places but I think they need special (expensive!) Windows based software to work.
  • Privacy Problem (Score:2, Interesting)

    by jswinth (528529)
    Doesn't this create a new privacy problem much like search data? How likely are companies providing the authentication services to create logs of which sites you login to? It is one thing to know what I search on but it is even more invasive to know which sites I actively login to.
    • This is an interesting problem, as I suspect that not everyone will be operating independent OpenID servers. But, as the spec is open, people who know and care (you and I) can avoid this problem.
    • by CSMatt (1175471)
      Well, your ISP already knows this information, unless of course you regularly use Tor to browse the Web. How is this any different?
      • by jswinth (528529)
        It is not cost effective for my ISP to log every DNS lookup or every IP I communicate with. The only way for the government to get at the information is a direct tap. This also only gives you information on my browsing habits from home. If instead you could gets records from my OpenID provider, you could see what membership websites I regularly visit whether it was from home, work, or Starbucks. Working in reverse, lets say that there are VERY BAD websites that operate outside the USA but use OpenID. I
        • This may be an issue with many OpenID sites, but this one in particular dodges your worries.

          Since the certificate you pass to the provider is never released to the relying party (and which regardless doesn't need to have anything tying your identity to it), you are even more anonymous than with traditional username/password authentication -- the only one who knows who you are is you...the provider just knows you by your public key, and the relying party only knows that the provider consistently says that

          • by jswinth (528529)
            Wait... I'm confused. I thought one of the selling points of OpenID was that websites could verify things like your age and/or zipcode without you having to give personal information. Wouldn't my provider need to know who I am in order provide such information? Or is OpenID going to be one of those completely untrusted information things where 50-year-old men have ID's that say they are 14-year-old girls?
            • Age would be one of the pieces of optional metadata that can be provided to the relying party if it is ever collected...if, for example, a web site wanted to authenticate someone's age but the provider did not provide that about a user, it would reject the authentication on those grounds. The TrustBearer site only asks for your nickname and email address, so that's all it could conceivably release to the relying party, and I don't think the email address is even released...and so far, it seems like that's

            • by harningt (1238980)
              OpenID doesn't have any type of personal information. It's SReg and Attribute Exchange extensions help you autofill registration forms that may need more data than a simple identity, but no provider is expected to validate this information... thus no Relying Party should trust it more than a user filling in data.

              OpenID has one purpose, provide a secured unique identity while optionally passing on user-provided information.
  • I have a Verisign Personal Identity Provider (PIP) which is free as an OpenID identifier, but unfortunalely OpenID isn't much available today. However, I would be willing to get a Security Token from VeriSign if I rely on my OpenID to access most of my Internet account.
  • 1. Find out there's a new emerging standard
    2. Get involved using overwhelming marketshare
    3. Introduce proprietary fucked-up implementation
    4. Profit

    same old story...
    • by harningt (1238980)
      They're in this to make their CardSpace more appealing.... but Microsoft has nothing to do with this system.
    • by triso (67491)

      1. Find out there's a new emerging standard
      2. Get involved using overwhelming marketshare
      3. Introduce proprietary fucked-up implementation
      4. Profit ...
      Sometimes, 2) and 3) are reversed. For example: the MS JVM, HTML in IE and the MS version of Kerberos.
  • by Bogtha (906264) on Wednesday February 13, 2008 @04:40PM (#22411762)

    The is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.

    So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?

    • by xenocide2 (231786)
      Which sounds great, until you realize that for-pay web apps would shudder to adopt a scheme that allows transparent anonymous logins [www.jkg.in].
      • by ballwall (629887)
        I don't think it works like that.

        It would be more like, I go to my profile page 'ballwall' and there's a field for my openID username[s]. After I populate that I can log in with that or my regular slashdot id. I'd imagine that once you've successfully logged in via openID that you would be able to disable normal password auth altogether.

        I'd really love to see this get widespread use. I really really want to use two factor authentication everywhere. I very much dislike having to manage a ton of passwords.

        In
        • by xenocide2 (231786)
          Right. So you set ballwall to authenticate against whatever openID server. And then tell all your friends about your WSJ subscription. OpenID is not intended to be two factor identification. It's intended to address the explosion in websites (blogs, mostly) that request / require accounts for some reason.

          But there was a challenge that was offering a couple thousand to whoever could get openID support into popular tools. Donno if slashcode's included.
          • by Bogtha (906264)

            Right, and what's stopping you from sharing accounts now, without OpenID? This isn't a problem that OpenID introduces, it's a problem that's always been there.

      • by Tony Hoyle (11698)
        Pay for web apps would probably only allow verisign paid openids.

        Anyone can create a random SSL certificate as well... the can't be used for anything.

        Now slashdot allowing those anonymous openids... that would enable drive-by trolling. Login using anonymous temporary openid, say something rude about Linux, log out, wash, rinse, repeat.
        • by mdwh2 (535323)
          Login using anonymous temporary openid, say something rude about Linux, log out, wash, rinse, repeat.

          Last time I looked, Slashdot already allowed anonymous comments. Yes I would expect the anonymous bonus modifers for those that use them to also apply to default OpenID comments, otherwise that would be a bug. The implementations I've seen such as on LiveJournal do treat OpenID as anonymous as far as things like comment settings are concerned, so I don't know why you persist with this strawman argument.
  • REMOTE_USER (Score:4, Interesting)

    by thanasakis (225405) on Wednesday February 13, 2008 @04:46PM (#22411842)
    As long as the openid provider (the party that provides the identity by utilizing an authentication mechanism) can access the the REMOTE_USER env variable or something equivalent, it can perform its duty normally. I think it is really not important whether there is username/password based authentication or PKI authentication using soft tokens or hardware crypto tokens or biometric authentication or one time passwords or whatever else. It is up to the implementor of the service to decide what kind of authentication will be used according to his/her requirements. Using an external authentication mechanism can slightly perplex the situation on how logout is performed (as it is dependent on the auth mechanism) or on how attribute based authorization is being carried out.

    But overall it gives great flexibility to the implementor because he/she can layout a scheme were existing authentication/authorization infrastructures (like an institution's LDAP for example) can be used in a cross platform way to offer web based identity.

  • I worry whenever I see the word 'trust' juxtaposed with OpenID. I worry that organizations will misuse OpenID, and ignore its purpose: only provide an identification for a person, nothing else. It doesn't certify the person's character, background, politics, or financial base. If I say that I am user@server, then OpenID is just a bit of evidence supporting that. That's all.
    • by harningt (1238980)

      I worry whenever I see the word 'trust' juxtaposed with OpenID. I worry that organizations will misuse OpenID, and ignore its purpose: only provide an identification for a person, nothing else. It doesn't certify the person's character, background, politics, or financial base. If I say that I am user@server, then OpenID is just a bit of evidence supporting that. That's all.

      How would one certify said information? OpenID does offer an 'SReg' and Attribute Exchange to help provide additional information to OpenID consumers... There is no vetting. What you're thinking of is CardSpace where certifications of such information is built into it.

  • Call me old fashioned, but I like the idea of not having to use central authentication to log into websites. What if my OpenID information is compromised? If each site has its own authentication, I can use separate usernames and passwords to safeguard my accounts. If one is compromised, then only the account at that site is at risk. But if my OpenID information is compromised, then others can log into any site that uses my OpenID information.
    • Re: (Score:3, Insightful)

      by sloth jr (88200)
      Agreed. However, I think in practice, most users use only one or two passwords to login to the vast majority of websites. OpenID thus seems to simply codify this "truism", if I'm on-base. While a centralized password might make mass ownage of websites possible, it should also be simple to shutdown that account across a wide swath of websites more or less instantly.

      sloth jr
      • Re: (Score:3, Interesting)

        by CSMatt (1175471)
        True, but that relies on the original account holder to know that they have been compromised to begin with. Given the amount of identity fraud victims that don't even know that they are victims until it's too late (although I would imagine that number has gone down in recent years with recent awareness of identity fraud), it's not too hard to imagine that there are several account holders online who don't even know that someone has guessed their password, especially if the account holder has abandoned the
    • Re: (Score:3, Insightful)

      by Aladrin (926209)
      And nobody is stopping you from doing that. Get multiple OpenIDs. Get them from different providers, if you like. You can still do it your way while the lazy ones (me included) use single sign-on and makes our lives a little simpler.
    • by mdwh2 (535323)
      Do you have several different email accounts, out of fear that if one email account is compromised, they can send out emails to everyone you know?

      Do you think Jabber is a bad idea, because then if that's compromised, they can pretend to be you when chatting to anyone, but AIM, Yahoo and MSN are safer because they are separate?

      I think you misunderstand what OpenID is. it's not a "central authentication". It's just a way that means you can use your login to identity to other sites. Just like my gmail email ac
  • by IGnatius T Foobar (4328) on Wednesday February 13, 2008 @05:30PM (#22412398) Homepage Journal
    I would like to use OpenID as a "single sign on" solution for a wide range of services. The problem I see right now is that it's only viable for web based services. Does the OpenID technology have a way (or is planning one) to authenticate when the client is something other than a web browser? I'm thinking things like IMAP/SMTP mail, console mode login (ssh/telnet), etc. etc.
    • by chappel (1069900)
      I'm looking for the same thing - but I'd like to leverage the hardware component, too. Is there a reasonably convenient way to use the RSA keys or something else on one of the 'trustbearer' devices? Having single-sign on to a handful of websites would be handy, but I'm more interested in tighter security for non-web stuff. If it is supported by OpenID I'd say that's a bonus.
      • We may have a solution (free, of course) that will do exactly what you're asking for. Write info@trustbearer.com with "TrustBearer Token" in the subject and mention this post, and we'll hook you up.
  • allows higher levels of security

    Security authentication is based on three possible factors: something you know (like a password), something you have (like a smartcard), or something you are (like biometrics). Now, if these things will be used in addition to passwords, that would indeed take the authentication factors from single to double. But, as is usually the case, they just replace passwords with smartcards or dongles. So there would be no increase in security at all.

    • To unlock the private key on the device that you have, you need to know the PIN...so that's two-factor.

      For the biometric devices, there are two options: either the biometric replaces the PIN, or you need to swipe and type.

  • When I read this story, I decide to get my Thinkpad fingerprint working [roysdon.net].

    So ThinkFinger stores 3 copies of what my finger looks like on my local PC. That makes sense for auth on a local machine. How does this work on an enterprise scale? Is the fingerprint details sent to a remote central storage system which then confirms a match?

    If that assumption is correct, how would OpenID-enabled websites work with that? Would your account somehow point to your OpenID "provider" which would have your fingerprint to
    • TrustBearer supports two fingerprint readers: one supports both Match on Card (MoC), Match on Reader, and Match on Server. The other is a standalone device that matches your fingerprint on the device itself.

      The Match on Server solution is what you are describing, but this raises privacy, policy and integration concerns. In the other two situations, the fingerprint "image" is stored in write-only memory on the device. When you swipe your finger, the image goes straight to the device which then tries to mat

      • by jroysdon (201893)
        But then the downside to MoC or MoR is that it only works at that one location (or you have to push it out to all the PCs you want it on). If I have multiple PCs or even public terminals I want to authenticate from, it's no good, right?

        Also, by storing the fingerprint on the PC, the PC's physical security is a big deal - the same that is true of a private/secret key for SSH or GPG. But at least with GPG I can revoke a public key (and have stored revokes ready to go already) and/or time expirations. With
        • Actually, MoC (which is preferred over Match on Reader, and equivalent FAPP to match on device) stores the fingerprint on the card itself -- in write-only memory, so it can't ever be read...it can only be used by the card/device itself for matching a live swipe.

          It's cool that you mention public keys, because that's really what this is all about. When you match your print on the card/device, it allows your private key to be used for a decryption/signature operation, which is what really used to authentica

  • Why is it they always neglect to mention how much they want to suck out of your pocket for their "latest achievement". Also beware, using the site requires you to trust their marketing droids to code java securely in order to get any details. I see nothing on the page that requires anything more complicated than standard HTML with hyper-links.
    • Actually, those with existing devices (for example, the 6 million people in the US with PIV or CAC cards) can use those at no cost. The tokens for sale on the site are for those who don't already have one.

      Also, where's the Java that you're referring to?

10.0 times 0.1 is hardly ever 1.0.

Working...