USB Key Security Vulnerability

Source: Internet
Author: User

1. As long as the digital certificate and private key are stored in the computer media or may be read into the memory, it is not safe. For example, the hard-disk Digital Certificate of China Merchants Bank is insecure. Because its private key and digital certificate have been TrojansProgramPossible theft.

2. The security of the USB key lies in that the private key cannot be exported. The encryption and decryption operations are completed using the CPU in the key and require pin verification.

3. A basic authentication system should include three parts: client (using USB Key), server, and digital authentication center (CA). If CA is not used, the client key can also be used for authentication. The server generates random numbers for impact/response authentication.

However, USB keys are not absolutely secure at present. Currently, there are two major security vulnerabilities in USB keys that are widely used:

1. An interactive operation vulnerability exists. Hackers can remotely control and impersonate the customer's USB key for identity authentication, which is unknown to the customer.

The solution to this vulnerability is to add a validation key on the USB key. You can press the validation key on the USB key before performing authentication.

2. Data tampering cannot be prevented. A customer's transaction may be intercepted by hackers and tampered with as another transaction before being sent to the USB key for encryption. This allows the customer to tamper with the transaction without the user's knowledge and pass the authentication.

To solve this vulnerability, you also need to change the USB key hardware by adding a display on the USB key to display transaction information and numbers.

This is actually the same as I used to imagine. I once thought of combining a USB key and a dynamic password lock to produce a safer USB key, the cost will be doubled, which means both the fish and the bear's paw cannot be used.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.