From: Adam Shostack <adam@homeport.org>
To: Lucky Green <rdl@MIT.EDU>
Message Hash: 8f6576bc1697058befcf3501fefae884e521daed93baf9e79c793047375b9c44
Message ID: <19980921062758.A3194@weathership.homeport.org>
Reply To: <199809192038.QAA29964@denmark-vesey.MIT.EDU>
UTC Datetime: 1998-09-20 21:25:42 UTC
Raw Date: Mon, 21 Sep 1998 05:25:42 +0800
From: Adam Shostack <adam@homeport.org>
Date: Mon, 21 Sep 1998 05:25:42 +0800
To: Lucky Green <rdl@MIT.EDU>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
In-Reply-To: <199809192038.QAA29964@denmark-vesey.MIT.EDU>
Message-ID: <19980921062758.A3194@weathership.homeport.org>
MIME-Version: 1.0
Content-Type: text/plain
On Sun, Sep 20, 1998 at 06:45:06PM +0200, Lucky Green wrote:
| On Sat, 19 Sep 1998, Ryan Lackey wrote:
|
| >
| > [from a discussion of tamper-resistant hardware for payment systems
| > on dbs@philodox.com, a mailing list dedicated to digital bearer systems,
| o ArcotSignTM technology is a breakthrough that offers smart card tamper
| resistance in software. Arcot is unique in this regard, and WebFort is the
| only software-only web access control solution on the market that offers
| smart card security, with software convenience and cost. [We have now
| entered deep snake oil territory. Claims that software affords tamper
| resistance comparable to hardware tokens are either based in dishonesty or
| levels of incompetence in league with "just as secure pseudo-ontime
| pads"].
|
| In summary, based on the technical information provided by Arcot System,
| the product is a software based authentication system using software based
| client certificates.
I have no knowledge of Arcot's systems and can't comment on
them. Hoever, there are ways to make software hard o disassmeble
and/or tamper with. Given that Arcot is probably going to attack
smartcards as being easily attacked, 'smartcard level' security is not
that high a target, the claim may not be so outlandish.
Be intestesting to see how fast the code is. If they're
embedding certs in complex code that needs to run to sign, then theft
of the cert may be difficult.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Return to September 1998
Return to ““Todd S. Glassey” <TSGman@earthlink.net>”