More About Software Tokens
When software tokens are as strong as hardware ones
My recent post on software tokens generated interesting feedback. I wanted to elaborate a bit more on how soft tokens can be, in fact, as strong as hardware tokens -- perhaps even better in terms of security.
It is important to decide which threats we are protecting from. If we are interested in protecting against malware that tracks memory locations and is capable of obtaining the secrets from memory while a program is executing, then storing the secret keys in software or hardware tokens would not yield the desired protection. In fact, there is no difference between the security of either model. The only way to protect against this type of malware is to execute any operation using the secret in a trusted environment.
If protecting against cracking a password that was used to decrypt an encrypted key file, then solutions are available that make software and hardware tokens equivalent in terms of security.
I encourage readers to check out the Arcot systems scheme. Arcot is now part of CA Technologies, actually. Its scheme protects secret keys as well as OTP seeds and the like in a way that prevents an attacker who has access to the stored encrypted files from obtaining the secrets.
Recognized in the industry as the "inventor of SSL," Dr. Taher Elgamal led the SSL efforts at Netscape. He also wrote the SSL patent and promoted SSL as the Internet security standard within standard committees and the industry. Dr. Elgamal invented several industry and government standards in data security and digital signatures area, including the DSS government standard for digital signatures. He holds a Ph.D. and M.S. in Computer Science from Stanford University.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024