On Fri December 26 2008, Edward Diener wrote:
> Michael S. Zick wrote:
> > On Fri December 26 2008, Edward Diener wrote:
> >> By 'dongle' do you mean a hardware 'dongle'? If it is a software dongle
> >> you need to spell out for me what you mean.
> >>
> >
> > There are a lot of devices being marketed for this purpose, but as
> > an example that it needs to be neither complicated programming nor
> > an expensive solution:
> >
> > http://pdfserv.maxim-ic.com/en/an/app190.pdf
> >
> > The basics (no insult intended):
> >
> > Your client (or your application, on the client's behalf) generates
> > a public/private key pair -
> >
> > The public part goes through the certification request process (with
> > your server) that you are familiar with -
> > The private part is never seen other than on the client machine during
> > generation -
> >
> > The private part (or the key to its protective encryption) is stored in
> > one (or more) of those shirt button devices.
> > Once written and locked, short of peeling the silicon a few microns at a
> > time under an electron microscope - it isn't ever going to be read.
> > Some makes/models even have the stored data AES-256 encrypted, so even if
> > peeled...
> >
> > The client can record _their_ private part in as many devices as they
> > desire - and now they have a physical "thing" that any business knows
> > how to protect from loss.
> > Businesses well know how to protect something they can touch.
> >
> > I am not trying to push a specific product, only giving an example,
> > even that one manufacturer makes a selection of products.
> >
> > Bottom line - you might be adding $20-$50 per "button" the client
> > wants to have - you ship them blank - their software driver can write
> > and lock them once the client has their private part ready.
> >
> > Note: There are laptops and desktops made that already read these
> > 1-wire devices, or a USB-based reader can be added to existing machines.
>
> Thanks for the information on these devices. I will mention this to the
> person for whom I work. The practical situation is that the device must
> be distributed to all end users who buy the application and they must
> "install" such a device on their computers. I do not think this is a
> viable solution for our application but I do understand that some people
> or companies may use it for their application.
>
They have to "install" your application also. Let the installation and/or registration process write the button also.

You can't write the button for the client; you don't have the client's private key (the only thing worth protecting).

The topic of the thread was where to store the client-side security information; the answer is: in a hardware token.

If your application handles financial, medical or medical billing information - perhaps for the "work at home" industry in my country - nothing less than a hardware token will do for the approval process.

The application note was on an authentication device, but troll the product catalog; they make models for storing/protecting private keys. Or, you can find people who do the trolling and decision making for hire.

Mike

> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
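The enrollment flow Mike describes above (client generates the key pair, only the public part goes into a certification request, the private part stays encrypted on the client with a secret that would be written into the hardware button) can be driven entirely from the OpenSSL command line. The script below is an added example written for this page; it is not code from the thread, from the Maxim application note, or from the OpenSSL project. It assumes the `openssl` binary is on PATH, and the passphrase, file names and subject name are constructed stand-ins: the passphrase plays the role of the button-held secret, which a real deployment would read from the token rather than keep in the script.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): client-side enrollment with
# an encrypted private key plus the checks a practitioner would want.
# Assumptions: openssl CLI on PATH; PASS stands in for the secret that the
# post says would be written into the hardware button. All names are made up.
set -u

WORK="${TMPDIR:-/tmp}/client-enroll.$$"
KEY="$WORK/client.key.pem"              # private part: never leaves the client
CSR="$WORK/client.csr.pem"              # public part: goes to the server's CA
PASS="correct horse battery staple"     # constructed stand-in for the token secret

# Step 1: generate the key pair locally; the private key is written only in
# AES-256 encrypted PKCS#8 form, under PASS, and never in plaintext.
# Step 2: build the certification request, which carries the public key and a
# self-signature proving possession of the private key.
client_generate() {
    mkdir -p "$WORK" && chmod 700 "$WORK" || return 1
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$PASS" -out "$KEY" 2>/dev/null || return 1
    openssl req -new -key "$KEY" -passin "pass:$PASS" \
        -subj "/O=Example Client/CN=client-0001" -out "$CSR" 2>/dev/null || return 1
}

# Check 1: the public key in the CSR is the one belonging to the locally held
# private key (both printed as PEM SubjectPublicKeyInfo, so a string compare works).
csr_matches_key() {
    a=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$KEY" -passin "pass:$PASS" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check 2: the CSR's self-signature verifies (proof of possession the CA relies on).
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Check 3: without the secret the key file is useless. Returns 0 only if a
# wrong passphrase is rejected AND the file is marked as encrypted.
key_unusable_without_secret() {
    if openssl pkey -in "$KEY" -passin "pass:not-the-secret" -pubout >/dev/null 2>&1; then
        return 1
    fi
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$KEY"
}

# Check 4: no plaintext private-key PEM block ever touched the disk.
no_plaintext_key_on_disk() {
    ! grep -q 'BEGIN RSA PRIVATE KEY' "$KEY" && ! grep -q 'BEGIN PRIVATE KEY' "$KEY"
}

client_cleanup() { rm -rf "$WORK"; }

# Stand-alone run: sh <this file> run
if [ "${1:-}" = "run" ]; then
    client_generate && csr_matches_key && csr_verifies \
        && key_unusable_without_secret && no_plaintext_key_on_disk \
        && echo "enrollment artifacts OK: $CSR is ready to send, $KEY stays here"
    client_cleanup
fi
```

The point of checks 3 and 4 is the one the thread keeps returning to: the only thing worth protecting is the private part, so the on-disk file must be unusable without the secret held on the token, and nothing in the enrollment step should require that secret to exist on the server side.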