Friday, June 15, 2007

TriCipher USB key

From the marketing glossy it would seem they use public key crypto, with two authentication stores. One is on the key and the second is on the Web.

The key is used to authenticate you to the TriCipher key vault on the web. TriCipher then authenticates you to the financial web site. My guess is that you establish an SSL tunnel to TriCipher using a certificate on the key. You then authenticate yourself to TriCipher using something you know. Then TriCipher somehow authenticates you to the bank and establishes an SSL session between you and the bank that is already authenticated.

My guess is that TriCipher starts as a man-in-the-middle and then somehow hands off the session, maybe a reverse tunnel is established from the bank back to you?

Since you're running software off of the key and your authentication to TriCipher involves a cert and something you know, it's possible to evade key loggers. One method would be for TriCipher to display a captcha image back to the user, which the user combines with their pass-phrase to create a one-time key for the session.

But this is all guess work from a marketing glossy. Might be fun to try it out.

1 comment:

Tim Renshaw said...

Michael, thanks for airing my response. I also realize this response is quite long so feel free to cut off at the [[break]] below and point the user to my blog (eyedentityonline.com) for the rest or, if you don't mind how long this got, post it all as you see fit :-).

==========================

As to the nearly mythical "0wned kiosk" angle, let me address that. Well, it isn't so mythical and I would counsel everyone the same as I do my friends and family... Don't use kiosks to do anything you wouldn't want to print out and leave lying at the workstation when you are done, including the contents of every field, screen, transaction, etc.

Why do I then refer to this case as "mythical"? Because though this is a valid concern at a kiosk, in truth there is nothing that can protect someone on an owned kiosk PC. For argument's sake, let us attach a retina scanner to the kiosk for biometric authentication. Does this make the user on an owned machine secure? No, the attacker merely waits for you to authenticate and then gathers all the data they need and hijacks the session for their own purposes. In another example, there are challenge response mechanisms using detached cards and card readers such as the EMV CAP systems in minimal deployment in Europe that can adequately protect a transaction, but not all of the data in the session.

So now like a good magician having distracted you, I'll answer your question. Yes, just as an owned system can thwart invasive biometrics and expensive out-of-band challenge response or even smart card schemes, an owned system could rip the pertinent contents off the USB housing our ID Tool To Go and of course keylog the password. However, bear in mind that as with all TriCipher 2-factor deployments of which ID Tool To Go is only one, we offer a range of other powerful functions to protect users and their credentials. I'll try to be brief:

[[break]]

Kiosk mode: Yep, we actually take into account the kiosk situation from a couple of angles. Primarily, in many kiosk situations you can't attach a USB or other device and can't run applications that aren't already installed. We permit issuers and relying parties the ability to allow users to login with only their password and either a) limit the user's rights so that an owned system would then not have a fully privileged credential to perform costly mischief or b) use one of our secondary authentication mechanisms to gain a second factor.

Secondary authentication: These are useful for a wide variety of situations ranging from password resets to device registration when "roaming" to a new PC to standing in as an alternate 2nd factor in Kiosk Mode. Of course the typical Q&A scenario (KBA, knowledge based authentication) is supported as is out of band SMS, e-mail and various challenge response scripts using the user's telephone (typically mobile phone of course).

Key "rolling": An approach to make theft of the portable device contents as difficult as possible is to change the pertinent bits on the removable device at every login. What does this buy you? Two scenarios: 1) The attacker copies the device, but the victim logs in again before the attacker. The attacker has an out of date set of bits that are useless to him and thus, thwarted. 2) The attacker logs in before the victim next logs in. The victim is apprised that their device is out of synch and that they should take immediate action with the issuer to revoke the credential and investigate for fraud. To our knowledge, this makes this solution the only proactive notification of possible credential compromise available on the market of any kind, let alone in the digital certificate-based credential space.

Last, bear in mind that the ID Tool To Go is just one of many 2-factor mechanisms all served up from a single, centrally deployed and managed system. The end-user has a powerful, fully functional digital certificate-based credential enabling powerful, true, two-way, mutual SSL authentication in a convenient, multi-use form-factor and all for pennies on the dollar of other traditional OTP and smart-card players such as RSA, Verisign, ActivCard, Entrust, etc.

Is ID Tool To Go perfectly invulnerable? No, it is just one of many TriCipher multi-factor form-factors running within the matrix of security vs. cost vs. usability.

If I insert my USB key into an 0wned system, can that system rip the token from the key and log my password?
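The key "rolling" described in the comment above is worth seeing as a concrete state machine, because its value is in the second scenario: the clone still gets in once, but the legitimate device's next login exposes the compromise. The model below is an added illustration, not TriCipher's code or protocol; the relying party remembering the immediately previous device secret (so a stale presentation can be told apart from random garbage), the status names and the user names are assumptions made here. The password factor is left out so the device secret's life cycle stands alone.

```python
"""Toy model of a per-login "rolled" device credential and clone detection.

Added illustration; not TriCipher's implementation. Assumption: the server
keeps the current device secret plus the one it superseded, so a login with
the superseded secret is recognised as a sign that a copy of the device has
already been used.
"""
import hmac
import os


class RollingCredentialServer:
    """Hypothetical relying-party side of the rolling device credential."""

    def __init__(self):
        self.current = {}     # user -> secret the legitimate device should hold now
        self.previous = {}    # user -> secret accepted at the last successful login
        self.flagged = set()  # users whose device appears to have been cloned

    def enroll(self, user):
        secret = os.urandom(32)
        self.current[user] = secret
        self.previous[user] = None
        return secret

    def login(self, user, presented):
        """Return (status, new_secret); new_secret is None unless status is 'ok'."""
        cur = self.current.get(user)
        if cur is None:
            return "unknown_user", None
        if hmac.compare_digest(presented, cur):
            # Roll forward: whatever was copied off the device is now worthless.
            new = os.urandom(32)
            self.previous[user] = cur
            self.current[user] = new
            return "ok", new
        prev = self.previous.get(user)
        if prev is not None and hmac.compare_digest(presented, prev):
            # A genuine but superseded secret: someone else already logged in
            # with this credential. Flag the account so the issuer can revoke it.
            self.flagged.add(user)
            return "out_of_sync", None
        return "rejected", None


class UsbDevice:
    """The removable device; it only ever holds the most recent secret."""

    def __init__(self, secret):
        self.secret = secret

    def login(self, server, user):
        status, new_secret = server.login(user, self.secret)
        if status == "ok":
            self.secret = new_secret  # persist the rolled secret on the device
        return status

    def clone(self):
        # Models the device contents being copied on a compromised host.
        return UsbDevice(self.secret)


def scenario_victim_logs_in_first():
    """Comment's scenario 1: the copy goes stale before it is used."""
    server = RollingCredentialServer()
    victim = UsbDevice(server.enroll("alice"))
    stolen = victim.clone()
    return (victim.login(server, "alice"),
            stolen.login(server, "alice"),
            "alice" in server.flagged)


def scenario_attacker_logs_in_first():
    """Comment's scenario 2: the copy is used first; the victim's login reveals it."""
    server = RollingCredentialServer()
    victim = UsbDevice(server.enroll("alice"))
    stolen = victim.clone()
    return (stolen.login(server, "alice"),
            victim.login(server, "alice"),
            "alice" in server.flagged)


def scenario_honest_use(logins=5):
    """Repeated legitimate logins roll cleanly; random bytes are simply rejected."""
    server = RollingCredentialServer()
    device = UsbDevice(server.enroll("bob"))
    statuses = [device.login(server, "bob") for _ in range(logins)]
    garbage_status = server.login("bob", os.urandom(32))[0]
    return statuses, garbage_status, "bob" in server.flagged


if __name__ == "__main__":
    print("victim first:  ", scenario_victim_logs_in_first())
    print("attacker first:", scenario_attacker_logs_in_first())
    print("honest use:    ", scenario_honest_use())
```

Two caveats follow directly from the model. The server cannot tell which of the two presenters of a stale secret is the clone, so it should treat any `out_of_sync` result as a compromise signal rather than trusting the caller's identity. And because only the immediately previous secret is remembered, a copy taken two or more logins ago is merely rejected without raising the flag; a deployment that wants that case flagged too would have to keep a longer history of superseded secrets per user.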