Today I attended the USB key identity authentication technology and application conference held by Flying Integrity, and gained some understanding of the Flying Integrity USB key and its application in the banking sector. I had previously analyzed the security of the USB key specifically, and this meeting gave me a more in-depth understanding of it.
In the course of this study I also gained some new insights into USB keys:
1. As long as the digital certificate and private key are stored on computer media, or can be read into memory, they are not safe. For example, China Merchants Bank's hard-disk version of the digital certificate is not safe, because its private key and digital certificate may be stolen by a Trojan horse program.
2. The security of the USB key lies in the fact that the private key cannot be exported, that the encryption and decryption operations are completed by the CPU inside the key, and that PIN code verification is required.
3. A basic authentication system should include three parts: the client (using the USB key), the server, and the digital certification center (CA). If there is no CA, the client key can still be used for authentication: the server generates a random number and the two sides perform challenge/response authentication.
However, the USB key is not absolutely safe. The USB keys currently in wide use have two major security vulnerabilities:
1. There are loopholes in the interaction operation. A hacker can remotely control the customer's computer and use the customer's USB key for identity authentication without the customer knowing.
The solution to this vulnerability is to add a confirmation key (button) on the USB key, so that the user must press the key on the USB key before authentication is performed.
2. It cannot prevent data from being tampered with. A client's transaction may be intercepted and tampered with by a hacker before it is sent into the USB key for encryption, so that the transaction is modified without the user's knowledge and still passes authentication.
The solution to this loophole also requires changing the hardware of the USB key: adding a display screen on the USB key that can show the transaction information and figures.
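As an added illustration that is not from the original post, the following toy Python model shows why the confirmation button and the display matter: a key with no button signs whatever a remotely driven PC hands it, and a key with a button but no screen lets a careful user approve data they cannot see. All names are assumptions, and an HMAC stands in for the asymmetric signature a real key would produce.

```python
import hmac, hashlib, secrets

PIN = "1234"  # constructed sample PIN for the toy model

class UsbKey:
    """Toy model of a USB key. The secret never leaves the object and every
    signing operation needs the PIN. `confirm` models a physical confirmation
    button, `display` a screen that shows the data about to be signed.
    An HMAC stands in for the asymmetric signature a real key would produce."""
    def __init__(self, confirm, display):
        self._secret = secrets.token_bytes(32)  # private key: not exportable
        self.confirm, self.display = confirm, display
        self.verify_secret = self._secret       # toy: server holds the same key

    def export_private_key(self):
        raise PermissionError("private key cannot leave the USB key")

    def sign(self, pin, challenge, txn, user):
        """`user` is a callback modelling the person at the key: it receives what
        the screen shows (None if there is no screen) and returns True if they
        press the confirmation button."""
        if pin != PIN:
            return None
        if self.confirm and not user(txn if self.display else None):
            return None
        return hmac.new(self._secret, challenge + txn.encode(), hashlib.sha256).digest()

def server_verify(secret, challenge, txn, sig):
    expected = hmac.new(secret, challenge + txn.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def remote_use_succeeds(key):
    """Vulnerability 1: the PC is driven remotely while nobody is at the keyboard.
    Assumes the PIN was already entered on the compromised PC."""
    challenge = secrets.token_bytes(16)          # server-generated random number
    nobody_present = lambda shown: False         # no one presses the button
    return key.sign(PIN, challenge, "pay 100 to Alice", nobody_present) is not None

def run_transaction(key, intended, presented):
    """Vulnerability 2: the user wants `intended`, but the compromised PC hands
    `presented` to the key. Returns True if the server accepts `presented`."""
    challenge = secrets.token_bytes(16)
    def careful_user(shown):
        # With a screen, press only if it matches intent; without one there is
        # nothing to check, so the user presses the button anyway.
        return shown is None or shown == intended
    sig = key.sign(PIN, challenge, presented, careful_user)
    return sig is not None and server_verify(key.verify_secret, challenge, presented, sig)
```

Only the key with both a button and a screen (what-you-see-is-what-you-sign) rejects the tampered transaction while still accepting the genuine one.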
This is actually the same as I had imagined. I had thought of combining the USB key and a dynamic password lock into one, which could produce a more secure USB key, but in that case the cost would be doubled; this is also a case of not being able to have both the fish and the bear's paw.