As breathlessly reported in DIGSIG :-).

Cheers,
Bob Hettinga

--- begin forwarded text

Date: Sat, 3 Oct 1998 09:45:19 -0500
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Richard Hornbeck <rhornbec@COUNSEL.COM>
Subject: Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification
To: DIGSIG@LISTSERV.TEMPLE.EDU

Java-based Crypto Decoder Ring gets NIST FIPS 140-1 certification

INSTEAD OF STORING YOUR PRIVATE KEY IN SOFTWARE ON YOUR PC, KEEP IT IN HARDWARE, ON YOUR CLASS RING, KEY FOB, MONEY CLIP, WATCH OR ANYTHING ELSE THAT CAN STORE A 16mm, stainless steel case.

According to its Web site (www.ibutton.com), "the iButton provides for secure end-to-end Internet transactions - including granting conditional access to Web pages, signing documents, encrypting sensitive files, securing email and conducting financial transactions safely - even if the client computer, software and communication links are not trustworthy. When PC software and hardware are hacked, information remains safe in the physically secure iButton chip."

Unlike storing your private key in software on your PC where it can remain in cache after use, and be retrieved by a hacker, the crypto iButton private key never enters your PC, so it cannot be intercepted.

In July, the Crypto iButton from Dallas Semiconductor received the NIST FIPS 140-1 "Security Requirements For Cryptographic Modules" certification. The Crypto iButton provides hardware cryptographic services such as long-term safe storage of private keys, a high-speed math accelerator for 1024-bit public key cryptography, and secure message digest (hashing). To date, only 15 hardware products have been validated by the U.S. and Canadian governments.
According to their press release at: http://www.dalsemi.com/News_Center/Press_Releases/1998/pr_fips.html, the Crypto iButton ensures both parties involved in a secure information exchange are truly authorized to communicate by rendering messages into unbreakable digital codes using its high-speed math accelerator. The Crypto iButton addresses both components of secure communication, authentication and safe transmission, making it ideal for Internet commerce and/or banking transactions.

The Crypto iButton consists of a physically secure, million-transistor microchip packaged in a 16mm stainless steel can. Not only does the steel protect the silicon chip inside from the hard knocks of everyday use; it also shows clear evidence of tampering by leaving scratch and dent marks of the intruder. This steel case satisfies FIPS 140-1 Level 2 Tamper Evidence requirements for physical security.

Note: Within the overall 140-1 certification are various sub-levels that identify how well the product rates in different categories such as Physical Security, Environmental Failure Protection, and Tamper Resistance. The sum of the ratings in the individual categories determines whether it merits certification.

The iButton also allows the owner to set an automatic expiration date, to limit the potential for unauthorized use. Once the built-in clock reaches a pre-set time, the chip self-expires and requires re-activation by the service provider before service can be renewed. The service provider can verify that an individual has possession prior to initial activation or renewal (re-activation). In this way, a lost or stolen iButton unconditionally limits the potential for unauthorized use to the remaining activation time, which can be made arbitrarily short by the iButton holder or service provider.

According to its Web site, Blue Dot receptors using either the Java operating system (OS), or a proprietary OS, can be purchased online for $15 each.
The receptor plugs directly into the parallel port on a PC, and includes software for configuring its features. The software also programs the decoder ring with the private key the first time, and performs any other administrative functions. Just press the Blue Dot with the iButton (ring, fob, key ring, etc.) to establish the connection path.

If you know your ring size, you can order Josten's 'Java-powered ring,' or the 'Digital Decoder Ring,' online. Also available are the 'Fossil Watch,' key ring, or money clip. http://www.iButton.com/DigStore/access.html#jring. Costs for a single unit range from $45 to $89.

"Unlike a loose plastic card, the iButton stays attached to a carefully guarded accessory, such as a badge, ring, key fob, watch band, or wallet, making misplacement less likely. The steel button is rugged enough to withstand harsh outdoor environments and durable enough for a person to wear every day. An individual maintains control over their Crypto iButton in yet another way - a secret Personal Identification Number. If so programmed, the iButton will not perform computations until its PIN is entered, like a bank ATM."

A list of developers and their off-the-shelf applications is at: http://www.iButton.com/Connections/Catalogs/index.html. Custom, networked, server-based applications are available, in addition to individual, standalone PC products.

The crypto iButton is currently being tested by the USPS for electronic distribution of postage stamps.

The company marketed its iButton products for other non-crypto uses starting in 1991. A list of current implemented and pilot projects using the product to simply store and process data around the world is at: http://www.iButton.com/showcase.html. This includes the mass-transit system in Turkey, bus passes in China, vending machines in Canada, parking meters in Brazil and Argentina, and buying gas in Mexico and Moscow.

Richard Hornbeck
www.primenet.com/~hornbeck

--- end forwarded text

-----------------
Robert A. Hettinga <mailto:rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'