From: Lucky Green <shamrock@cypherpunks.to>
To: cypherpunks@Algebra.COM
Message Hash: eec663a3e9269e3527b712b61f27c2ae84445ff8f6079d261d623b9204a1c9e9
Message ID: <Pine.BSF.3.96.980922212127.15969A-100000@pakastelohi.cypherpunks.to>
Reply To: <199809221821.UAA24448@replay.com>
UTC Datetime: 1998-09-22 06:35:45 UTC
Raw Date: Tue, 22 Sep 1998 14:35:45 +0800
From: Lucky Green <shamrock@cypherpunks.to>
Date: Tue, 22 Sep 1998 14:35:45 +0800
To: cypherpunks@Algebra.COM
Subject: Re: ArcotSign
In-Reply-To: <199809221821.UAA24448@replay.com>
Message-ID: <Pine.BSF.3.96.980922212127.15969A-100000@pakastelohi.cypherpunks.to>
MIME-Version: 1.0
Content-Type: text/plain
On Tue, 22 Sep 1998, Anonymous wrote:
[On Arcot's virtual smartcard claims]
> The analogy with smart cards is that these cards protect your private key.
> With a perfect smart card, an attacker can't do any better than chance
> guessing of your private key. With the Arcot system, the same is true.
> Decrypting the private key file gives no information about its content,
> because pure random data is encrypted. Therefore with their system the
> attacker also can't do better than chance guessing.
With Arcot's system, an attacker could determine the key *software only,
most likely even by remote*.
Extracting keys from a smartcard requires *hardware and physical possesion
of the token*.
Which touches at the very core of the difference between
tokens and software based solutions. The claims made on the vendor's
homepage are simply false. There is no other way of putting it.
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred.
Return to September 1998
Return to “Lucky Green <shamrock@cypherpunks.to>”