Re: [Fed-Talk] Re: ExpressCard/34 references
Re: [Fed-Talk] Re: ExpressCard/34 references
- Subject: Re: [Fed-Talk] Re: ExpressCard/34 references
- From: Michael Kluskens <email@hidden>
- Date: Thu, 18 May 2006 11:01:31 -0400
On May 18, 2006, at 10:14 AM, Timothy J. Miller wrote:
Michael Kluskens wrote:
Just reread the latest IEEE Spectrum magazine. Two new wireless
USB protocols are set to complete in the market place (one is by
Motorola and the other I forget), so you stick your CAC card in a
USB card reader and plug the reader into the wireless USB box and
plug the wireless USB hub into the laptop (or inside it). With a
small enough set of parts you could keep the CAC card on your
person and not have any external parts attached to your laptop.
Technically possible.
Don't hold your breath on these. Just look at the RIM bluetooth
card reader to see what had to be done to get NSA approval for CAC
operation over a wireless protocol--after bluetooth bonding,
there's a SecurID-like one-time hash generated and displayed on the
reader that the user has to manually input on the Blackberry before
the reader can be used.
Performing any operations that use a smartcard's private key
material over a wireless protocol Just Isn't Smart(tm). No, the
private key isn't exposed, but the PIN certainly will be as well as
potential card session hijacking. Note that the PIV standard
explicitly says that the contactless card interface will *not*
access private key material. Ever.
Just a thought, but then wireless keyboards with lossy channel
selection, i.e. manufacturers solution: if interference occurs
coordinate channel selection with all other users within 100 meters,
are certainly in active use in DOD--I wonder how many times CAC PINs
have been typed into wireless keyboards, surely violates the regs but
does the user really understand how bad an idea it is (Apple's
heavily encrypted bluetooth keyboard at least appears to be secure in
terms of specs--anything wireless other then my radio and TV worry me).
I picked up a wireless keyboard in an internal store at a DOD
location and could find nothing on the box that made me feel like
using one of those at that location was even remotely a good idea for
anything. When I queried the appropriate people there was nothing in
the regs against using a wireless keyboard no matter how bad it was.
We still haven't seen the regs that exempt CAC cards from the regs
that restrict the carrying of computers in and out of secure spaces,
after all CAC cards are java computers.
Michael
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden