  1. #1
    Senior Member

    Help explaining something to people

    For an academic project I am doing, I am using a number of Aladdin eTokens to show off to people why two-factor security is better than just a single password.

    However, I keep running into this one question that takes forever to explain to people. Most everyone asks "Why do I need this token to store my private key? Why can't I use a USB thumbdrive?"

    Nowhere have I found a good guide explaining the fact that the difference between a USB drive and a cryptographic token (like an Aladdin eToken) is the fact that the USB flash drive just does I/O such as block reads and writes. The computer reads the private key from the flash drive then performs the decryption/signing. The use of a smart card is totally different. The smart card does the decryption and signing on the card itself when requested to by the host computer. The host computer passes the encrypted data to the card, and takes the decrypted data when it's processed. Nowhere does the private key get read to the host computer, so if someone compromises the host computer, the private key cannot be obtained. This is in contrast to storing a private key on a USB thumbdrive where the private key can be easily and undetectably read off by malware.

    Of course, if I explain this to people, their eyes glaze over (which is fine, and I'm not trying to sound superior to other people, as not everyone needs to be a cryptographic geek). I just want them to understand why this piece of plastic that plugs into a USB port gives them more security than just punching in a password.
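
The difference described in the post above, as an added example that is not part of the original post: a Python simulation of signing with a key read from a flash drive versus signing on a token, recording what ends up in host memory in each case. The class and function names, the toy RSA key, and the three-try PIN counter are assumptions made for illustration; Python attributes only model the card boundary that real hardware enforces.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes, no padding): illustration only.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def verify(message: bytes, signature: int) -> bool:
    return pow(signature, E, N) == digest(message)

class FlashDrive:
    """Block storage only: whoever reads the file gets the raw private key."""
    def __init__(self):
        self._files = {"private.key": D}
    def read(self, name):
        return self._files[name]

class Token:
    """Models the card boundary: sign() is offered, no call returns the key."""
    MAX_TRIES = 3  # assumed retry limit for this model
    def __init__(self, pin: str):
        self._d, self._pin, self.tries_left = D, pin, self.MAX_TRIES
    def sign(self, pin: str, message: bytes) -> int:
        if self.tries_left == 0:
            raise PermissionError("token locked")
        if pin != self._pin:
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = self.MAX_TRIES
        return pow(digest(message), self._d, N)  # computed on the card

def sign_from_flash_drive(drive, message, host_memory):
    host_memory["private_key"] = drive.read("private.key")  # key now on host
    return pow(digest(message), host_memory["private_key"], N)

def sign_with_token(token, pin, message, host_memory):
    host_memory["pin"] = pin  # the host still sees the PIN and the result
    host_memory["signature"] = token.sign(pin, message)
    return host_memory["signature"]

def guesses_until_locked(token, guesses):
    """Count how many PIN guesses the token accepts before it locks."""
    used = 0
    for guess in guesses:
        if token.tries_left == 0:
            break
        used += 1
        try:
            token.sign(guess, b"probe")
        except PermissionError:
            pass
    return used
```

In the token flow the host memory holds only the PIN and the signature, so a compromised host can request signatures while the token is plugged in but has no key to carry away.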

  2. #2
    NFL Owner monogodo's Avatar
    Have you tried simplifying your explanation so that a small child could understand?
    198? Colnago Super (Campy Record) | 1989 Eddy Merckx 7-Eleven Team Issue (Dura Ace) | Catamount MFS (1x8) | Top Image Neptune (SS)

  3. #3
    Trans-Urban Velocommando ax0n's Avatar
    Tell them that since the magic happens all on the plastic thingy instead of on the computer, it's safer from viruses and spyware that can compromise the computer's integrity.
    ax0n: Geeky and bikey
    My latest tip: Carrying your laptop
    My latest geeky project: Ethernet-testing cuff links

  4. #4
    The Site Administrator: Currently at home recovering from a couple of strokes, please contact my assistant admins for forum issues Tom Stormcrowe's Avatar
    Quote Originally Posted by mlts22
    For an academic project I am doing, I am using a number of Aladdin eTokens to show off to people why two-factor security is better than just a single password.

    However, I keep running into this one question that takes forever to explain to people. Most everyone asks "Why do I need this token to store my private key? Why can't I use a USB thumbdrive?"

    Nowhere have I found a good guide explaining the fact that the difference between a USB drive and a cryptographic token (like an Aladdin eToken) is the fact that the USB flash drive just does I/O such as block reads and writes. The computer reads the private key from the flash drive then performs the decryption/signing. The use of a smart card is totally different. The smart card does the decryption and signing on the card itself when requested to by the host computer. The host computer passes the encrypted data to the card, and takes the decrypted data when it's processed. Nowhere does the private key get read to the host computer, so if someone compromises the host computer, the private key cannot be obtained. This is in contrast to storing a private key on a USB thumbdrive where the private key can be easily and undetectably read off by malware.

    Of course, if I explain this to people, their eyes glaze over (which is fine, and I'm not trying to sound superior to other people, as not everyone needs to be a cryptographic geek). I just want them to understand why this piece of plastic that plugs into a USB port gives them more security than just punching in a password.
    Simple demonstration... crack a password with a random character generator or whatever. Then show the same attempt with the secondary protocol device.
    on light duty due to illness; please contact my assistants for forum issues. They are Siu Blue Wind, or CbadRider or the other 3 star folk. I am currently at home recovering from a couple of strokes. I am making good progress, happily.


    “He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you.” - Fredrick Nietzsche

    "We can judge the heart of a man by his treatment of animals." - Immanuel Kant

  5. #5
    Senior Member
    Quote Originally Posted by ax0n
    Tell them that since the magic happens all on the plastic thingy instead of on the computer, it's safer from viruses and spyware that can compromise the computer's integrity.
    That is probably the best explanation. Explaining the concept to children would be easier, as most children these days would just interrupt me, and state that 2048 bit keys on a token are insecure, especially if the NSA made a TWIRL machine to help speed up factoring.

  6. #6
    Senior Member DannoXYZ's Avatar
    Draw a flowchart diagram, it makes a lot more sense when people see the process step-by-step...

  7. #7
    You Know!? For Kids! jsharr's Avatar
    Prior to starting your presentation, threaten to stab them in the eye with a pointed stick if they ask stupid questions. First one to ask about drive thingee gets stabbed, problem solved. Anyone else that asks, just point to the bleeding yelling guy on the floor and explain that you already answered that question.
    Quote Originally Posted by colorider View Post
    Phobias are for irrational fears. Fear of junk ripping badgers is perfectly rational. Those things are nasty.

  8. #8
    Trans-Urban Velocommando ax0n's Avatar
    So let me get this straight... There are usually three possible metrics for authentication.

    What you know (password, PIN, account number, login)
    What you have (token, card, key)
    Who you are (Retinal scan, biometric thumbprint, IR thermal map of your hand)

    Most things have one factor. BikeForums just goes by what you know (user name and password). So do most combination locks. Cars go by what you have (a physical key). All one factor authentication.

    This token is an encrypted device that fulfills the second factor (what you have), right?

    You don't need to explain technically what the purpose is. Just tell them that two factor authentication is like having to know a password as well as having a key. Tell them that the reason the token is more secure than a USB key is because it can't be copied because of the encryption, so it is totally unique, much like the high-end keys found on luxury automobiles.


    What you know can be passed along. You could intentionally or accidentally disclose your password to 10 people. Those 10 people could all masquerade as you and use your account.

    What you have can only exist at one place at one time. If you don't have it, you know you don't have it, which means someone else may have it. 10 people can't use the token at the same time. It's also much easier to keep tabs on physical things (like a USB encrypted token, a set of keys, or your eyeglasses) than it is to keep tabs on your password. A shoulder-surfer can memorize your password but they can't use your token. A keystroke logger can record your password and e-mail it to an attacker, but it can't e-mail a physical device to the attacker.

    That is why two factor authentication is more secure.
