1998-09-22 - Re: ArcotSign

Header Data

From: Lucky Green <shamrock@cypherpunks.to>
To: cypherpunks@Algebra.COM
Message Hash: eec663a3e9269e3527b712b61f27c2ae84445ff8f6079d261d623b9204a1c9e9
Message ID: <Pine.BSF.3.96.980922212127.15969A-100000@pakastelohi.cypherpunks.to>
Reply To: <199809221821.UAA24448@replay.com>
UTC Datetime: 1998-09-22 06:35:45 UTC
Raw Date: Tue, 22 Sep 1998 14:35:45 +0800

Raw message

From: Lucky Green <shamrock@cypherpunks.to>
Date: Tue, 22 Sep 1998 14:35:45 +0800
To: cypherpunks@Algebra.COM
Subject: Re: ArcotSign
In-Reply-To: <199809221821.UAA24448@replay.com>
Message-ID: <Pine.BSF.3.96.980922212127.15969A-100000@pakastelohi.cypherpunks.to>
MIME-Version: 1.0
Content-Type: text/plain



On Tue, 22 Sep 1998, Anonymous wrote:
[On Arcot's virtual smartcard claims] 
> The analogy with smart cards is that these cards protect your private key.
> With a perfect smart card, an attacker can't do any better than chance
> guessing of your private key.  With the Arcot system, the same is true.
> Decrypting the private key file gives no information about its content,
> because pure random data is encrypted.  Therefore with their system the
> attacker also can't do better than chance guessing.

With Arcot's system, an attacker could determine the key *software only,
most likely even by remote*.

Extracting keys from a smartcard requires *hardware and physical possession
of the token*.

Which touches at the very core of the difference between
tokens and software based solutions. The claims made on the vendor's
homepage are simply false. There is no other way of putting it.

-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred.





Thread