USB Key Security Vulnerability

1. As long as the digital certificate and private key are stored in the computer media or may be read into the memory, it is not safe. For example, the hard-disk Digital Certificate of China Merchants Bank is insecure. Because its private key and digital certificate have been TrojansProgramPossible theft.

2. The security of the USB key lies in that the private key cannot be exported. The encryption and decryption operations are completed using the CPU in the key and require pin verification.

3. A basic authentication system should include three parts: client (using USB Key), server, and digital authentication center (CA). If CA is not used, the client key can also be used for authentication. The server generates random numbers for impact/response authentication.

However, USB keys are not absolutely secure at present. Currently, there are two major security vulnerabilities in USB keys that are widely used:

1. An interactive operation vulnerability exists. Hackers can remotely control and impersonate the customer's USB key for identity authentication, which is unknown to the customer.

The solution to this vulnerability is to add a validation key on the USB key. You can press the validation key on the USB key before performing authentication.

2. Data tampering cannot be prevented. A customer's transaction may be intercepted by hackers and tampered with as another transaction before being sent to the USB key for encryption. This allows the customer to tamper with the transaction without the user's knowledge and pass the authentication.

To solve this vulnerability, you also need to change the USB key hardware by adding a display on the USB key to display transaction information and numbers.

This is actually the same as I used to imagine. I once thought of combining a USB key and a dynamic password lock to produce a safer USB key, the cost will be doubled, which means both the fish and the bear's paw cannot be used.