[alexander]

Quote:

Gates declares death of passwords
New Microsoft ID passes make .Net centre of world

By Guy Kewney, Techworld

Bill Gates has made .Net the way into Microsoft - literally. Smart cards from Axalto have been commissioned as ID passes for all employees around the world, and the cards will be used to gain access to the buildings, as well as to get into software.

"The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way - a .Net based smart card."

Microsoft partner Axalto "has done a super job on this", said Gates. "We will be using their smartcards internally - each employee will use those to get in and out of the buildings as we used to connect to our machines. We're requring them. We will completely replace passwords."

By having .Net capability, said Gates, "we think this brings different logic down to the card itself, giving a richness and continuity to the platform that only exists in that .Net environment." Axalto said this was the first commercial deployment of Axalto’s .Net-based smart cards.

The Cryptoflex .Net powered smart card "is a secure, ultra-miniature personal computing technology that runs a small footprint version of the .Net Framework", said Axalto. The .Net-based smart card provides customisable two-factor authentication as well as full cryptographic capabilities, seamlessly via the standard Microsoft .Net programming tools and interfaces. Microsoft marks the first enterprise deployment of the .Net-based smart card.

According to Charles Fitzgerald, general manager of platform strategy at Microsoft, these cards are based on the ECMA standards, and now form the core Microsoft .Net technologies

Axalto VP Marvin Tansley said: "The best approach to Network access security is to add a microprocessor card into the authentication process. Supporting Microsoft .Net is a natural extension of Axalto’s commitment to innovation around industry standards which enable secure access for many with varied identity management solutions."

The timescale is due to be short: tens of thousands of Microsoft employees worldwide already carry a corporate access badge that secures Microsoft computer systems and facilities. The Axalto Cryptoflex .Net powered smart card to its employees will be universal for secure remote Network access in 2005.

According to Axalto's official announcement, Microsoft's selected .Net-based cards are smart IDs that support both physical and logical access on one smart card. A contactless (RFID) feature embedded in the card provides the physical access to buildings and offices.

"The logical access control is provided via a microprocessor contact smart card with specialized security features, large memory for application storage, and implements Microsoft .Net," said the company.

The implementation includes a MSIL (Microsoft Intermediate Language) interpreter, application programming interfaces (system libraries needed for execution and smart card specific libraries for communication and security), and a converter that turns a CLI (common language infrastructure) compliant binary into a binary file for loading onto the smart card.

A set of relevant ECMA specifications and a comprehensive test suite that verifies compliance with the specs completes the package.

from Techworld.com

Quote:

we think this brings different logic down to the card itself, giving a richness and continuity to the platform that only exists in that .Net environment

lol, i had a good time laughing at this one, richness and continuity (uninterrupted duration or continuation especially without essential change)

So what happens when your smart-card crashes?

[IrishEyes]

I'm not sure I understand what this is saying.

I understand the concept of a smart-card, I think. Credit card sized, with an info strip embedded that has personal data on it, that can be swiped by a reader or used as a proximity badge in a SCIF-type environment, right? I guess I'm not seeing how this card will replace passwords on a computer. If the card gets lost, or left next to your 10-year-olds magnet set, wouldn't it be useless?

Sorry, I know I probably seem like a total idiot, but this sounds very interesting to me and I'd like to understand it better. Thanks for sharing this info, alexander!

[Freethinker]

Smart Cards are more involved than the mag swipe type cards. The data is stored on a chip encapsulated into the card. They are not used much in the US, but are very common in the rest of the world. The amount of data that can be stored on Smart Cards is growing quickly (like all such technologies)

Swipe cards store just user ID info and once swiped on a machine, it connects to a remote server for all data and transactions.

A Smart Card can actually store data and do transactions in itself. e.g. a dollar amount can be loaded into the card and when spent, the running total is kept on the card. Where regular swipe cards, all the requests and cash movement is done at some remote server.

Smart Cards took off in Europe because the crooks there were more clever. By taking a card writer, an exact copy can be made of a swipe card on the spot. That's what they were doing in Europe, but not in the US. In the US fraud was usually just manually copying the card number or stealing the card itself. So there was not the incentive to invest in the additional card reader technology in the US.

[Aki]

I'm always fascinated with those magnet swipe card. Here, the bus tickets is a card made out of card-board with a thin magnetic strip along the side, I've always wondered how stuff could be stored in there.

[Tormod]

Like FT says, they are common over here. In Sweden they use them on local buses, at least in some cities.

I Norway we use them for ATM cards and I have one for online betting (!).

[IrishEyes]

Quote:

Smart Cards took off in Europe because the crooks there were more clever. By taking a card writer, an exact copy can be made of a swipe card on the spot. That's what they were doing in Europe, but not in the US. In the US fraud was usually just manually copying the card number or stealing the card itself. So there was not the incentive to invest in the additional card reader technology in the US.

Ok, I understand the difference between the smart card and a swipe card. But I'm still not seeing the correlation between that and how this technology would replace passwords. If someone steals/you lose your smart card, what stops another person from stealing your identity, including accessing your computer? It seems that this would be less secure, rather than more. On the convenience/lazy side, it would seem ok, but overall, security included, it doesn't seem very...smart.

[Freethinker]

Quote:

Originally posted by: Aki
I'm always fascinated with those magnet swipe card. Here, the bus tickets is a card made out of card-board with a thin magnetic strip along the side, I've always wondered how stuff could be stored in there.

It's just like taping a length of mag tape from a cassette (remember those things used in car stereo's before CD's took over?). Data is stored in the exact same method. And yes the amount of data is extremely limited.

[Freethinker]

Quote:

Originally posted by: IrishEyes
But I'm still not seeing the correlation between that and how this technology would replace passwords.

It would just be acting as a storage and communications media. The passwords would be stored on the card and retrieved using one of the communications methods used or being developed. Such as some RFID that could read the data without need for physical contact.

Quote:

If someone steals/you lose your smart card, what stops another person from stealing your identity, including accessing your computer? It seems that this would be less secure, rather than more. On the convenience/lazy side, it would seem ok, but overall, security included, it doesn't seem very...smart.

Since human interaction is not needed (having to remember and key in your PW), the internal security can be higher. Intercepting PW's by watching or listening in or key stroke capture or ... with manual human interaction systems is far easier. But yes it would still be possible to crack a Smart Card.

[alexander]

Quote:

But yes it would still be possible to crack a Smart Card.

But then its possible to crack everything (the only protection that hasnt been broken through code is the write protection on the floppy disk), its not the matter of possibility, its a matter of how long it would take to do so, and even then there are always exceptions...
For example password hashes, they are supposed to take days to decrypt with about 80% chance of actually doing it right and getting the right info, yet (and this was on slashdot last week i think) there is a guy who made a library of hashes, and now you can go on his website paste in a hash (there are some parameters with length and exclusion of characters) and within seconds you can get your hash translated for you.

[Freethinker]

Reveal asterisk password with one click. No need to install and uninstall. Drag the cursor over the hidden asterisk password to reveal it. Easy way to recover password.

http://www.visual-mp3.com/review/17384.html

Asterisk Password allows you to view passwords hidden with asterisks in password fields (including Multilingual and Unicode ones).
Asterisk Password uncovers hidden passwords in password dialog boxes, web pages and ActiveX controls. Another great feature of this program is the ability to display Protected Storage content. For example Outlook Express and Internet Explorer keep passwords in P.S.
Program works with MS Windows 95, NT, 98, 2000, XP, 2003.
This is very powerful tool to sysadmins security officers and all who have problems with lost or forgotten passwords.

http://www.gold-software.com/download6936.html

Password Spectator™ Pro

This great software lets you "see" what is behind the asterisks, so you can see your actual password when you need it.

http://www.refog.com/passwordrecovery/