Bill Gates Proclaims End of Passwords

KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"

end of passwords - not

[martin]

So how do you 'unlock' the smart card to prove its you (and still you) at the keyboard...???

an PIN number...
a fingerprint...

Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)

No change since the Secuure Single Sign On days of the mid 1990's. All they are doing is bringing it upto date using .NET to quickly build applications.

Not a password replacement

[Albanach]

Reading the Axalto press release they talk about their cards as an additional form of security, not a password replacement. I've used smart cards for a few things and each of them has been protected by a password too. You enter the smart card and are then asked for a PIN to ensure you have the right to be using that smart card. As another poster said, if there's no password all they have to do is get to your wallet if they want to Get Root. Hopefully if we do see an open source implimentation it won't be passwordless!

Re:How long before we can get an open-source versi

[Fallen Kell]

None. Or if they did, Sun Microsystems has been using a similar system for years. Smart card readers are standard equipment on all currently available Sun workstations, and have been for the last 3-4 generations of workstations as well. Sun "deployed" this system at least 4 years ago when it introduced "Sun Rays" back in 2000-2001 timeframe. If MS tried to patent this, Sun is clearly prior art, and if it isn't, it should be construed as simply a logical progression of Sun's system, which means it should not be patentable, but then again, we are talking about people who have let though patents on the wheel in recent years...

Re:So now instead of torturing me...

[spuke4000]

I don't know about this implementation, but typically the key on the smart card is password protected. Thus you have to have the card AND know the password. This is why they call it two-factor authentication.

Re:Linux is missing an opportunity

[Anonymous Coward]

Linux has had this for OVER 5 years now.

Cripes. just because gates says it's new certianly does not mean it is true.

http://www.strongsec.com/smartcards/howto/html/S ma rtCard-Login-HOWTO-1.html

start here you clueless fool

How is this better than the Java iButton?

[WillerZ]

See this page:

http://www.ibutton.com/ibuttons/java.html [ibutton.com]

I've had one of these Java-powered iButtons since 2001. If you have the PKI in place it's a very easy technology to use. If you don't, it just gives you bragging rights in the my-computer-is-smaller wars.

Both good.

Phil

Didn't Sun do this 5 years ago?

[the_skywise]

And it was called the "Java Ring"?

US Military has been using this for years.

[RandoX]

Newer US Military ID cards (~last 2 years)have a 'chip' in them that allow instant login to DOD computer systems. It also stores the user's medical records.

The joy of smart cards

[Vraylle]

The local Air Force base here went to full implementation of smart cards for logins (the cards double as their building IDs). It was a debacle...they were recognized by the readers about 20% of the time, and misread another 60%. They finally modified the login to allow them to Cancel the smart card scan and log in manually while they slinked off in defeat.

Re:Hmmmm....

[isaaccp]

Also available in Linux, check the USB PAM module: http://lists.debian.org/debian-mentors/2004/02/msg 00143.html

Re:Didn't Sun do this 5 years ago?

[WillerZ]

The Java ring was a Dallas Semiconductor DS1955A iButton in a signet ring holder. The 1955A could only hold one key. The 1955B is a bit more useful, as it can hold about 30 keys. I have the dog-tag holder for it, but I wish I'd gone for the USB fob.

Don't waste your time by getting the parallel-port adapter, as most modern machines seem to have trouble providing enough power to the iButton for the compute-intensive parts of the process. On the last 3 machines I've had it's been impossible to generate keys because the parallel port can't deliver the necessary oomph.

The serial adapter is probably the best bet for iButtons if you want to use them from Unix/Linux.

Phil

also in Java flavour ...

[gerbouille]

Axalto has developed a Java-based version of this card [axalto.com], too.

Re:News?

[dagur]

And whats the difference between microsofts great new smart card technology and sunray cards [udel.edu] ?

And over in Java...

[MosesJones]

A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.

Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... its running Java too.

Or of course you could wait for Longhorn.

In terms of open source, you can do this in Java (which is published and the source is accessible), today.

I love Microsoft, "yesterday's technology, tommorow".

Re:Um... no?

[lee7guy]

Also, you don't leave your smartcard at every place you visit, which is the case with fingerprints. You can easily make a gelatine film with fingerprints collected on everyday objects. No fancy equipment required either. When researches tested the technique at a recent show, every fingerprint reading device they were allowed to test, were fooled.

Retinas at least doesn't leave traces everywhere, but then you still run the risk of data theft.

PAM does this for linux

[Lorphos]

Pluggable Authentication Modules [kernel.org] Want a new method of authentication? Just write a PAM module!

Re:Java iButton PAM kit URL

[Tomun]

It's in the archive [archive.org]

Re:Hmmmm....

[Naikrovek]

yeah, i thought that's why they were called usb KEYs... I think they were originally designed just for this purpose. my first USB key was 64kb (kilobytes) and held only an encryption key.

Smart cards provide the exact same functionality as my very first usb key.

Re:Hmmmm....

[pesc]

This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...

Absolutely not. A smart card is nothing like an USB drive where you store a password or cryptographic key.

A smart card contains a closed microprocessor and a small memory. The point is that you cannot get at the contents of the memory at all (unless you have a silicon lab). The microprocessor has a private key that it never shows outside the silicon and a public key that the PC knows about. The smart card can prove its identity by signing stuff the PC sends to it using the secret private key.

Smart cards have been around for a long time. They are not a M$ invention and I'm sure that there are open-source drivers that can talk to smart cards.

It is called Kerberos

[LakeSolon]

Linux already has this sort of technology, it is even interoperable with Windows, Solaris, UNICOS and AIX. It is called Kerberos.

Re:Cheaper Low Tech Alternative

[wertarbyte]

Take a piece of paper and a paper envelope. Write your password onto the piece of paper and put it into the envelope. This provides the exact same security as a smartcard.

No it doesn't. There is no way of breaking the envelope and retrieving the passphrase. Smartcards (at least the ones I encountered) work by cryptographic challenges (think SSH key auth). The private key is stored on the card, and only/i> on the card. It is also locked by a PIN. Even with the PIN, you cannot retrieve the key: The crypto secret stays completely inside the card, and if your cardreader has got a numeric keypad, the PIN as well won't even leave the combo card/cardreader. The reader I got here for HBCI banking is also sealed by the company to avoid manipulation.

Re:Anybody else notice this came from a French co.

[mikechant]

Most of the French crypto restrictions were removed in 1999. E.g. see http://www.sobco.com/nww/1999.edited/04-crypto.htm l [sobco.com]
and some of the other articles found by googling for "france encryption restrictions relaxed" or similar

A bit of a myth, yes.

[GQuon]

One of the things such sensors check for is blood flow. So naturally they'll just have to kill you afterwards, but you won't be needlessly mutilated.

Yes. Some biometric sensors can be tricked with dead tissue or a photocopied fingerprint, but the good ones detect life signs. (This is the case for both good fingerprint sensors, reading electric impulses instead of light, and retinal scans that measure blood flow.)
Some sensors are even active, checking how the body reacts to stimuli, for example how the iris reacting to light, comparing it with a recorded sample.

Get rid of passwords

[tolonuga]

I think smart cards are the right way. Get the normal cryptoflex 32k egate card with a token connector, install openct and opensc (both http://www.opensc.org/), and use the opensc pam module for login, openssh for remote authentication, mozilla or firebird with the opensc pkcs#11 module for email signing and decryption, the opensc tools for initializing the card and diagnostics, openssl with the pkcs11 engine to create signed certificates, and so on.

you don't need microsoft to do that. opensc is available for linux and friends, mac os X and windows, and a CSP for windows is under development.

opensc supports cryptoflex, cyberflex, gemplus pk, siemens card os, telesec tcos, micardo, setec, ibm jcop, oberthur and openpgp smart cards. also the finnish, swedish, estonian and italian id cards are supported with full source code, the spanish linux user group has a special version with support for the spanish id card using a binary only plugin.

also note that opensc does not use a propriotory on card format (like most commercial alternatives), but implements the pkcs#15 standard.

disclosure: I'm one of the developers, doing some advertisement here :-)

wow, this is new!

[the-build-chicken]

oh, except sun was doing it ten years ago.

You know, love Sun microsystems...but if one company has consistently been the victim of an idea whose time has not yet come, and won't come for another 10 years...it's got to be sun. Smart cards, JINI, SunRays...all brilliant...all dead because of being ahead of their time IMHO. They've seriously gotta start hiring some dumber people...I here you can find them in Redmond.