smart container details..

Hi,


we are currently investigating solutions like the Dekart Smart Container.

I would like to ask if the Dekart Password Carrier safes its data to the smartcard or to the flash memory. If it runs in the flash memory, is it protected by the smartcard? It probably is, via the data-safe?

Preferred solution would be to run the applications from ROM and store the user credentials in the smartcard. This would make it possible to simply unplug the USB stick without unmounting the filesystem first. It would also make it more difficult to read out the credentials-container in mobile usage szenarios.

[Alex Railean]

Password Carrier was initially designed to store its data on a USB flash drive, in an encrypted form (AES-256 is used).

We also have added the functionality to store the collected passwords on a smart card, but it is unlikely to become a popular approach, due to the fact that smart cards have a limited storage capacity.

Usernames, passwords and web-site addresses will quickly consume all the space offered by the smart card, while a USB flash drive (being much cheaper) offers a lot more storage.

Smart cards are indeed more secure, but the data are encrypted when USB drives are used, so in the long run USB flash drives are very secure, and a lot cheaper.

Password Carrier can also be used in a scenario such as the one you described - the program itself resides on the hard disk, while the credentials are stored on an external drive.


But note one thing - Password Carrier's mobility is at its best when the program itself and the user data are on a USB drive. This requires no admin rights, there is no need to install drivers for the card reader, etc.

In other words, Password Carrier's initial design is the optimal choice for a wide range of possible usage scenarios.

> Password Carrier can also be used in a scenario such as the one you
> described - the program itself resides on the hard disk, while the
> credentials are stored on an external drive.

This should of course work. And of course it's more flexible to copy the program onto the USB memory.

But I've seen you have a "protected area" on the USB-Token. And there is also the 32 or 64K memory in the smartcard, which can be used to store the credentials(64k is pretty much when it comes to plaintext).

Question was: Is it possible to start the program from USB-*ROM*(protected memory) and access the smartcard-memory?

Benifits:
- No filesystem corruption when device is unplugged by users.
- Bruteforce onto Masterpassword not possible as the smartcards allows only N decryption-attempts.

[Alex Railean]

Quote:

Question was: Is it possible to start the program from USB-*ROM*(protected memory) and access the smartcard-memory?

It is technically possible, the program was modified to make that option available. However, we did not test it in real-world scenarios, due to the limited availability of smart cards that are able to cover Password Carrier's storage needs.


The benefits you have enumerated are correct, but here are some additional facts:

• The program was tested in various stress conditions, including forced removal, power offs, etc. It is able to handle such cases gracefully (there is always a "last known good backup" on the USB drive itself, plus the program reminds you at regular time intervals to make a backup on another storage device).
• Smart cards are indeed perfect against brute-force attacks, but having the data encrypted with AES-256 with a relatively strong password will be "less than perfect but more than "good enough""; in other words - your privacy is well guarded even if you don't use smart cards.

Our goal is to provide a cost effective solution that offers reasonable security. Your suggestions make the set up more expensive, without adding a significant change to the level of security (at the same time there is a side-effect, mobility suffers because smart cards need smart card readers, and drivers).

Thank you for your reply.


I did not realise the "protected memory" is on the smartcard, I thought it may be as with U3 USB Sticks, which also register themselves as CDROM. This would be enough to counter FS-korruptions(journaling FS is good, but one can do better).

We are indeed searching for PIN-protected storage of credentials, as user passwords tend to be less than 70bits, not to mention 128/256.

I was hoping the credential manager or at least the data-safe uses the PIN protection.

We will probably test your products in more detail, anyway.

Thanks,
pepe

Quote:

Originally Posted by Alex Railean

Password Carrier was initially designed to store its data on a USB flash drive, in an encrypted form (AES-256 is used).

We also have added the functionality to store the collected passwords on a smart card, but it is unlikely to become a popular approach, due to the fact that smart cards have a limited storage capacity.

Usernames, passwords and web-site addresses will quickly consume all the space offered by the smart card, while a USB flash drive (being much cheaper) offers a lot more storage.

Smart cards are indeed more secure, but the data are encrypted when USB drives are used, so in the long run USB flash drives are very secure, and a lot cheaper.

Password Carrier can also be used in a scenario such as the one you described - the program itself resides on the hard disk, while the credentials are stored on an external drive.


But note one thing - Password Carrier's mobility is at its best when the program itself and the user data are on a USB drive. This requires no admin rights, there is no need to install drivers for the card reader, etc.

In other words, Password Carrier's initial design is the optimal choice for a wide range of possible usage scenarios.

Hello,

Is this device only usable with windows or is it also usable with LINUX, SOLARIS, MACos etc.

Thanks

Marc

[Alex Railean]

Marc, it is a Windows-only application.