What happens when my laptop gets stolen?
Miha replied to my post on PPIDs, with some interesting questions.
However, everybody says “no passwords” — I beg to differ. This is exactly the same situation as it is with client certificates.
You are quite correct sir. Using personal information cards are very very very similar to using client certificates. So, what’s the difference? Infrastructure, and simplicity. CardSpace essentially brings cheap, easy PKI to the people. Using client-certificates certainly fits the bill, but unfortunately, the tools, management and concepts aren’t built for my Mom, (but built for me). That is, I get it, but my mom has no idea what the heck I’m talking about.
Why would you need a password, if a user logs in with the client certificate?
You wouldn’t. I assume, that Miha isn’t from North America. I’ve found the use of client certs far more prevalent outside of the US and Canada. Somehow, the concept isn’t very popular around here… I guess we’ll have to get Senator Stevens to buy us some more pipes so that we can fit bigger pipes to the internets. Again, client certs work fine, but aren’t fine to work with.
Certificate was issued with someone you can trust (and verify), the certificate is valid, the data is signed with the user’s private key (and you have the public key).
No argument there.
Now, all the sites I visit, that require client certificate, require the password too.
Are you indicating that you use a password and a certificate, or a password-protected certificate (aka, a pin-protected certificate)?
With a pin-protected certificate, we’re getting to the crux of the matter. With a certificate that requires a PIN (and what is a PIN, other than a password) you are accessing protected content. The difference is, the pin your gatekeeper to your private key, not the secret shared with the website. You never, ever, need to tell someone your PIN/Password for a certificate. Not the RP, not the IP, not-nobody-not-nohow.
Otherwise, someone, that gets hold of my computer (notebook) could log into my bank account without knowing anything.
Bingo. You betcha. Unless your private key material is protected by a PIN, you’re wide open for that. Security is about “Something you have” and “Something you know“. So, if someone steals your laptop and your certificate is PIN protected, you have the knowledge that they aren’t likely going to get around that (provided a good enough PIN).
Sure, it is more secure, if certificate is guarded with a password (high security in IE, master password in firefox), but infocard(s) isn’t (aren’t) guarded with a password.
So, what if I told you that CardSpace DOES protect each and every one of your cards with not just one, but two passwords. AND gives you the option for a third!
The CardStore that you have is twice encrypted, once with the machine key, and once with the user key. Encrypting with the machine key, ensures that if the cardstore is taken off-box, it’s rendered useless, as the key for decryption is stored on that box. Either the attacker needs to get administrator access to the machine and compromise the machine’s DPAPI key, or he needs to be able to run code on the machine to call the decryption function. It’s not making it impossible, but it’s putting a protection countermeasure in his way to slow down the attack. 1
The second layer of encryption is with the user’s key. Because the card store is encrypted with the user’s credentials, when the user is not logged in to the machine, her key is not present on the machine at all.
So, wait a second…. The information cards are password protected. If you have lost your laptop, and someone steals it, unless they login with your password, they can’t access the cards. Even if they use the various physical-box methods (or any method really…) to reset your password , the keys won’t match and they will render the card store useless permanently.
And finally, if you don’t have the security around your logged in laptop, or you simply want to stop those kids from using your information cards from your always-logged in home PC, you have the option to individually PIN protect each and every card separately.
What’s wrong with passwords anyway?
I know, I’m just throwin’ good judgement into the wind on this, but let me make a couple of points.
Passwords that are used as shared secrets are the absolute biggest hole in security today. As my pappy use’d to say “Lettin’ the cat outta the bag is a whole lot easier than puttin’ it back“. If I give a site a password, and they require me to divulge the password back to them before granting me access, It’s my butt between the bull and the fence if the connection between me and them ain’t secure. And for every other person I tell that same secret to, I lose security on another order of magnitude. Given that folks tend to use the same 5 or less passwords at all the sites they visit, the world is a heckofa lot less secure that it should be.
Cryptography gives us the tools to correct the wrongs we’ve done with passwords. CardSpace brings cryptography to everyone.
<feeling musical, queue’s up some Kiss, mangles the words>
God gave cryptography to you, gave cryptography to you
Gave cryptography to everyone (oh yeah)
God gave cryptography to you, gave cryptography to you
Put it in the soul of everyone
So, what have we learned?
1. Passwords, when used as a shared secret, are the epitome of insecurity.
2. All information cards stored in CardSpace are in effect, password protected with your login credentials and the machine key of your PC..
3. If that isn’t enough, PIN protect them again.