Cycling and bicycle discussion forums. 
Old 03-13-07, 05:05 PM   #1
mlts22 
Senior Member
Thread Starter
 
Join Date: Aug 2006
Bikes:
Posts: 998
Help explaining something to people

For an academic project I am doing, I am using a number of Aladdin eTokens to show off to people why two-factor security is better than just a single password.

However, I keep running into this one question that takes forever to explain to people. Most everyone asks "Why do I need this token to store my private key? Why can't I use a USB thumbdrive?"

Nowhere have I found a good guide explaining the fact that the difference between a USB drive and a cryptographic token (like an Aladdin eToken) is the fact that the USB flash drive just does I/O such as block reads and writes. The computer reads the private key from the flash drive then performs the decryption/signing. The use of a smart card is totally different. The smart card does the decryption and signing on the card itself when requested to by the host computer. The host computer passes the encrypted data to the card, and takes the decrypted data when it's processed. Nowhere does the private key get read to the host computer, so if someone compromises the host computer, the private key cannot be obtained. This is in contrast to storing a private key on a USB thumbdrive where the private key can be easily and undetectably read off by malware.

Of course, if I explain this to people, their eyes glaze over (which is fine, and I'm not trying to sound superior to other people, as not everyone needs to be a cryptographic geek). I just want them to understand why this piece of plastic that plugs into a USB port gives them more security than just punching in a password.
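The contrast described in the post above, as an added example that is not part of the original thread: a thumb drive hands the key to the host, while a token only answers signing requests behind a PIN with a retry limit. The toy RSA parameters, the PIN, the messages and all function names are constructed for illustration.

```python
import hashlib, hmac

# Toy textbook RSA built from two known Mersenne primes: illustration only, not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (the "private key")

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(msg)

class ThumbDrive:
    """Plain storage: the only thing it can do is hand the file to the host."""
    def __init__(self, key: int):
        self._file = key
    def read_key(self) -> int:
        return self._file  # the key now sits in host memory

def make_token(key: int, pin: str, max_tries: int = 3):
    """Token model: the key stays in this closure and only sign() is exposed.
    (A Python closure models the interface; it is not real hardware isolation.)"""
    state = {"tries": max_tries}
    def sign(pin_try: str, msg: bytes) -> int:
        if state["tries"] == 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin_try, pin):
            state["tries"] -= 1
            raise PermissionError("wrong PIN")
        state["tries"] = max_tries
        return pow(digest(msg), key, N)  # computed on the token
    return sign

def host_sign(device, pin: str, msg: bytes):
    """Sign msg; also return everything that crossed into host memory."""
    if isinstance(device, ThumbDrive):
        key = device.read_key()
        return pow(digest(msg), key, N), {"key": key}
    sig = device(pin, msg)
    return sig, {"pin": pin, "sig": sig}

if __name__ == "__main__":
    _, seen_usb = host_sign(ThumbDrive(D), "", b"pay 10")
    _, seen_tok = host_sign(make_token(D, "4821"), "4821", b"pay 10")
    print("thumb drive exposed key:", "key" in seen_usb)
    print("token exposed key:", "key" in seen_tok)
```

In the token case the host still sees the PIN and can request signatures while the token is plugged in, but what it holds stops working once the token is removed; the key copied from the thumb drive keeps working indefinitely.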
Old 03-13-07, 05:16 PM   #2
monogodo
NFL Owner
 
Join Date: Sep 2004
Location: Irving Heritage District
Bikes: 7-Eleven Eddy Merckx, Vitus Futural, Catamount FRS, Colnago SL, SS MTB
Posts: 1,489
Have you tried simplifying your explanation so that a small child could understand?
Old 03-13-07, 05:17 PM   #3
ax0n
Trans-Urban Velocommando
 
Join Date: Nov 2006
Location: Lenexa, KS
Bikes: 06 Trek 1200 - 98 DB Outlook - 99 DB Sorrento
Posts: 2,400
Tell them that since the magic happens all on the plastic thingy instead of on the computer, it's safer from viruses and spyware that can compromise the computer's integrity.
Old 03-13-07, 05:19 PM   #4
Tom Stormcrowe
Out fishing with Annie on his lap, a cigar in one hand and a ginger ale in the other, watching the sunset.
 
Join Date: Mar 2006
Location: South Florida
Bikes: Techna Wheelchair and a Sun EZ 3 Recumbent Trike
Posts: 16,120
Quote:
Originally Posted by mlts22
For an academic project I am doing, I am using a number of Aladdin eTokens to show off to people why two-factor security is better than just a single password.

However, I keep running into this one question that takes forever to explain to people. Most everyone asks "Why do I need this token to store my private key? Why can't I use a USB thumbdrive?"

Nowhere have I found a good guide explaining the fact that the difference between a USB drive and a cryptographic token (like an Aladdin eToken) is the fact that the USB flash drive just does I/O such as block reads and writes. The computer reads the private key from the flash drive then performs the decryption/signing. The use of a smart card is totally different. The smart card does the decryption and signing on the card itself when requested to by the host computer. The host computer passes the encrypted data to the card, and takes the decrypted data when it's processed. Nowhere does the private key get read to the host computer, so if someone compromises the host computer, the private key cannot be obtained. This is in contrast to storing a private key on a USB thumbdrive where the private key can be easily and undetectably read off by malware.

Of course, if I explain this to people, their eyes glaze over (which is fine, and I'm not trying to sound superior to other people, as not everyone needs to be a cryptographic geek). I just want them to understand why this piece of plastic that plugs into a USB port gives them more security than just punching in a password.
Simple demonstration... crack a password with a random character generator or whatever. Then show the same attempt with the secondary protocol device.
Old 03-13-07, 05:32 PM   #5
mlts22 
Senior Member
Thread Starter
 
Join Date: Aug 2006
Bikes:
Posts: 998
Quote:
Originally Posted by ax0n
Tell them that since the magic happens all on the plastic thingy instead of on the computer, it's safer from viruses and spyware that can compromise the computer's integrity.
That is probably the best explanation. Explaining the concept to children would be easier, as most children these days would just interrupt me, and state that 2048-bit keys on a token are insecure, especially if the NSA made a TWIRL machine to help speed up factoring.
Old 03-13-07, 06:09 PM   #6
DannoXYZ 
Senior Member
 
Join Date: Jul 2005
Location: Saratoga, CA
Bikes:
Posts: 11,600
Draw a flowchart diagram, it makes a lot more sense when people see the process step-by-step...
Old 03-13-07, 07:41 PM   #7
jsharr
You Know!? For Kids!
 
Join Date: Apr 2005
Location: Just NW of Richardson Bike Mart
Bikes: '05 Trek 1200 / '90 Trek 8000 / '? Falcon Europa
Posts: 6,157
Prior to starting your presentation, threaten to stab them in the eye with a pointed stick if they ask stupid questions. First one to ask about drive thingee gets stabbed, problem solved. Anyone else that asks, just point to the bleeding yelling guy on the floor and explain that you already answered that question.
Old 03-13-07, 08:03 PM   #8
ax0n
Trans-Urban Velocommando
 
Join Date: Nov 2006
Location: Lenexa, KS
Bikes: 06 Trek 1200 - 98 DB Outlook - 99 DB Sorrento
Posts: 2,400
So let me get this straight... There are usually three possible metrics for authentication.

What you know (password, PIN, account number, login)
What you have (token, card, key)
Who you are (Retinal scan, biometric thumbprint, IR thermal map of your hand)

Most things have one factor. BikeForums just goes by what you know (user name and password). So do most combination locks. Cars go by what you have (a physical key). All one factor authentication.

This token is an encrypted device that fulfills the second factor (what you have), right?

You don't need to explain technically what the purpose is. Just tell them that two factor authentication is like having to know a password as well as having a key. Tell them that the reason the token is more secure than a USB key is because it can't be copied because of the encryption, so it is totally unique, much like the high-end keys found on luxury automobiles.


What you know can be passed along. You could intentionally or accidentally disclose your password to 10 people. Those 10 people could all masquerade as you and use your account.

What you have can only exist at one place at one time. If you don't have it, you know you don't have it, which means someone else may have it. 10 people can't use the token at the same time. It's also much easier to keep tabs on physical things (like a USB encrypted token, a set of keys, or your eyeglasses) than it is to keep tabs on your password. A shoulder-surfer can memorize your password but they can't use your token. A keystroke logger can record your password and e-mail it to an attacker, but it can't e-mail a physical device to the attacker.

That is why two factor authentication is more secure.