Maybe we should just get rid of the damn passwords and replace them with a system that makes it easier to remember and use without compromising security. At the very least one password + a smartcard system would be way easier. You enter your password once then you just have to swipe your card when you login to another system.
You end up with bad passwords anyway (like Fuck Off 45). Or you end up with everyone using the same account, or post-it notes with passwords, or notebooks with passwords, or an email draft with passwords.
I've seen smartcards have the best impact. Yeah sure they can be swiped or forged, but compared to the real, effective security of passwords, they're much better. You also can't lock yourself out of a smartcard system. You can forget your card at home, but it's easy to just reissue a new card and invalidate the old one (throw it away when you get home, it's just a hunk of plastic now).
Not entirely sure why you're being downvoted. Sun terminals have had smartcard access for, what, 15 years? (Yes, for hospitals). It's a good idea. Some sort of complementary directional RFID might be even better.
Pretty sure he got downvoted because of this canard:
>If you don't you end up with bad passwords.
This is a terrible fallacy that has brought so much pain on the world. The rate of bad passwords is probably not so different, but the rate of frustration is so much higher.
Were these regulations created at a time when brute force password cracking was a legitimate concern?
Password policies do definitely raise the entropy of the passwords, so if the attack vector you're concerned about is entropy sensitive, its a decent strategy.
As someone who has had to enforce such password policies many times, I can say that it's almost always because of some regulatory or certification organization that requires complex policies.
Adding radio as a primary component in a security system is always going to be a bad idea. Security is hard enough without adding in the possibility of 3rd parties hearing the protoocol - or worse.
> directional
A common misunderstanding of radio is the belief that it can be contained in an area. Unless you're building a proper Faraday cage (which is hard), the ability to hear a transmmission often depends on the receiving antenna.
For convenience without involving radio, one simply has to get creative. Something like the (defunct) Java Ring[1] would allow most of the ease-of-use of RFID (possibly with a simple proximity sensor for auto-logout, if needed).
> Security is hard enough without adding in the possibility of 3rd parties hearing the protoocol
Asymmetric encryption is not that hard. In fact, you were using it while complaining about the problem it solves.
> Garaday
Faraday.
> the ability to hear a transmmission often depends on the receiving antenna
So even if you somehow get past the asymmetric crypto you need RF expertise and a special antenna to mount the attack from more than a foot away? And not even a special antenna beyond a few miles? I'd call that "defense in depth," not a flaw.
...doesn't protect against everything. Not letting people hear the asymmetric encryption is even better.
> special antenna
Cantennas are easy, and you should never underestimate the amount of technology people will throw at an attack. Consider, for example, the people that made ATM shims that captured the card data while recording the PIN being entered on the keypad.
> "defense in depth"
Defense in depth would be using cryto while requiring a physical connection.
> smartcard
A smartcard is fine - my argument is against RFID. A card that requires an electrical or inductive connection isn't going to leak everything over the radio.
My suggestion of "digital jewelry" is merely an example of how the form of the smartcard is flexible. Creativity in this area could allow for some easier to use devices, which could be important in places like hospitals.
But it does protect against the exact threat model you proposed.
> Defense in depth would be using cryto while requiring a physical connection.
> Consider, for example, the people that made ATM shims that captured the card data while recording the PIN being entered on the keypad.
How about you consider it?
Building a facade to intercept physical communications is very much on par with building increasingly large, awkward, and expensive antennas in terms of difficulty barriers (especially if you need enough polish to blend in). I'm a ham, I would know. I'm not sure why you are so insistent on drawing the line between these two particular techniques.
> A card that requires an electrical or inductive connection isn't going to leak everything over the radio.
Are you familiar with the distinction between near-field and far-field? Because both RFID and smartcards span that distinction while you just tried to draw a line down the middle.
> A smartcard is fine - my argument is against RFID.
Many (most?) smartcards communicate over RF. Your argument (and my rebuttal) was about
> Adding radio as a primary component in a security system
not the RFID technology in particular. So do you or don't you think RF communication in a security device is an inherent problem in and of itself?
> But it does protect against the exact threat model you proposed.
Encryption doesn't protect against traffic analysis. Knowing someone is present or that some device is in use is significant information.
Does the device you are proposing authenticate the reader before transmitting anything? If not, it's not particularly difficult (probaly by modifying a reader) to test if people have a security device on them. That only requires a ping, no crypto needed.
> I'm a ham
I used to be, for many years. (I wish I had more time for such things these days)
> large, awkward, and expensive antenna
That depends entirely on what you want to do. If you want to read the entire crypto transaction from the next building, then yes, an expensive antenna[1] will be required. If I just want to detect who is carrying a security device, you won't need a particularly accurate antenna - it just needs to have a decent gain.
My point with that example is that it's never a good idea to underestimate how much time and effort people will put into an attack. If criminals can add a man-in-the-middle chip piggybacked onto a chip-and-pin smartcard[2], they can made a decent cantenna.
> So do you or don't you think RF communication in a security device is an inherent problem in and of itself?
RF is an extra risk that should be avoided whenever possible for security devices, especially when effective alternatives are available.
In your linked video about the hospital, the smart card was slotted into a reader. This would work well and has no need for RF. It's certainly a far better solution than memorizing bad passwords.
I had this thought years ago. A smartcard coupled with a biometric seems easier to use and more secure.
Even just a card. You can only have one per person (as opposed to passwords that can have infinite copies and are likely to be unknowingly compromised) and if a card is lost, it can be expected that it will be replaced shortly so long as the replacement process is painless which seals the leak.
Maybe we should just get rid of the damn passwords and replace them with a system that makes it easier to remember and use without compromising security. At the very least one password + a smartcard system would be way easier. You enter your password once then you just have to swipe your card when you login to another system.