1998-10-05 - Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cryptography@c2.net
Message Hash: ad408703753957252d38c9a937000159e669035f9604355fe9838f4fc62ad1fa
Message ID: <v04011743b23ec559dde1@[139.167.130.249]>
Reply To: N/A
UTC Datetime: 1998-10-05 06:05:21 UTC
Raw Date: Mon, 5 Oct 1998 14:05:21 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Mon, 5 Oct 1998 14:05:21 +0800
To: cryptography@c2.net
Subject: Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification
Message-ID: <v04011743b23ec559dde1@[139.167.130.249]>
MIME-Version: 1.0
Content-Type: text/plain



As breathlessly reported in DIGSIG :-).

Cheers,
Bob Hettinga

--- begin forwarded text


MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Date:         Sat, 3 Oct 1998 09:45:19 -0500
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Richard Hornbeck <rhornbec@COUNSEL.COM>
Subject:      Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification
To: DIGSIG@LISTSERV.TEMPLE.EDU

Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification

INSTEAD OF STORING YOUR PRIVATE KEY IN SOFTWARE ON YOUR PC, KEEP IT IN
HARDWARE, ON YOUR CLASS RING, KEY FOB, MONEY CLIP, WATCH OR ANYTHING ELSE
THAT CAN STORE A 16mm, stainless steel case. According to its Web site
(www.ibutton.com), "the iButton provides for secure end-to-end Internet
transactions-including granting conditional access to Web pages, signing
documents, encrypting sensitive files, securing email and conducting
financial transactions safely - even if the client computer, software and
communication links are not trustworthy. When PC software and hardware are
hacked, information remains safe in the physically secure iButton chip."
Unlike storing your private key in software on your PC where it can remain
in cache after use, and be retrieved by a hacker, the crypto iButton private
key never enters your PC, so it cannot be intercepted.

In July, the Crypto iButton from Dallas Semiconductor received the NIST FIPS
140-1 "Security Requirements For Cryptographic Modules" certification. The
Crypto iButton provides hardware cryptographic services such as long-term
safe storage of private keys, a high-speed math accelerator for 1024-bit
public key cryptography, and secure message digest (hashing). To date, only
15 hardware products have been validated by the U.S. and Canadian
governments.

According to their press release at:
http://www.dalsemi.com/News_Center/Press_Releases/1998/pr_fips.html, the
Crypto iButton ensures both parties involved in a secure information
exchange are truly authorized to communicate by rendering messages into
unbreakable digital codes using its high-speed math accelerator. The Crypto
iButton addresses both components of secure communication, authentication
and safe transmission, making it ideal for Internet commerce and/or banking
transactions.

The Crypto iButton consists of a physically secure, million-transistor
microchip packaged in a 16mm stainless steel can. Not only does the steel
protect the silicon chip inside from the hard knocks of everyday use; it
also shows clear evidence of tampering by leaving scratch and dent marks of
the intruder. This steel case satisfies FIPS 140-1 Level 2 Tamper Evidence
requirements for physical security.

Note: Within the overall 140-1 certification are various sub-levels that
identify how well the product rates in different categories such as Physical
Security, Environmental Failure Protection, and Tamper Resistance. The sum
of the ratings in the individual categories determines whether it merits
certification.

The iButton also allows the owner to set an automatic expiration date, to
limit the potential for unauthorized use. Once the built-in clock reaches a
pre-set time, the chip self-expires and requires re-activation by the
service provider before service can be renewed. The service provider can
verify that an individual has possession prior to initial activation or
renewal (re-activation). In this way, a lost or stolen iButton
unconditionally limits the potential for unauthorized use to the remaining
activation time, which can be made arbitrarily short by the iButton holder
or service provider.

According to its Web site, Blue Dot receptors using either the Java
operating system (OS), or a proprietary OS, can be purchased online for $15
each. The receptor plugs directly into the parallel port on a PC, and
includes software for configuring its features. The software also programs
the decoder ring with the private key the first time, and performs any other
administrative functions. Just press the Blue Dot with the iButton (ring,
fob, key ring, etc.) to establish the connection path.

If you know your ring size, you can order Josten's 'Java-powered ring,' or
the 'Digital Decoder Ring,' online. Also available are the 'Fossil Watch,'
key ring, or money clip. http://www.iButton.com/DigStore/access.html#jring.
Costs for a single unit range from $45 to $89.

"Unlike a loose plastic card, the iButton stays attached to a carefully
guarded accessory, such as a badge, ring, key fob, watch band, or wallet,
making misplacement less likely. The steel button is rugged enough to
withstand harsh outdoor environments and durable enough for a person to wear
every day. An individual maintains control over their Crypto iButton in yet
another way-a secret Personal Identification Number. If so programmed, the
iButton will not perform computations until its PIN is entered, like a bank
ATM."

A list of developers and their off-the-shelf applications is at:
http://www.iButton.com/Connections/Catalogs/index.html. Custom, networked,
server-based applications are available, in addition to individual,
standalone PC products. The crypto iButton is currently being tested by the
USPS for electronic distribution of postage stamps.

The company marketed its iButton products for other non-crypto uses starting
in 1991. A list of currently implemented and pilot projects using the product
to simply store and process data around the world is at:
http://www.iButton.com/showcase.html. This includes the mass-transit system
in Turkey, bus passes in China, vending machines in Canada, parking meters
in Brazil and Argentina, and buying gas in Mexico and Moscow.

Richard Hornbeck

www.primenet.com/~hornbeck

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




