Re: Key Storage on Machines


Pat Farrell (pfarrell@netcom.com)
Sat, 22 Aug 1998 17:43:29 -0400


At 10:17 AM 8/22/98 +1000, Hafeez Bana wrote:
>1) I have just been going through an old issue of BYTE magazine and it
>describes the CyberCash Cybercoin protocol.

I don't have access to an archive of old Bytes, but I do know
a bit about CyberCash's protocols....

>It describes that this method
>uses Secret Keys that are issued to a user when he signs up - which are
>used in hash value computations in subsequent transactions. My question is
> - If the keys are stored on the user machines, how do they (cyber
> cash) make sure that a malicious program that the user has
> installed will not gain access to the keys

I'm not sure what you are aiming at with this question.

The CyberCash classic wallet implements many protocols,
including one for the CyberCoin(tm) service. I see two possible
questions here, one on how the classic wallet stores long term
local keys, and the other on how the CyberCoin protocols use
short term keys.

For the first, you are really asking a question about trust.
How does the user trust that his computer is doing what he wants?
(i.e. doesn't contain "a malicious program")
I know of no way for any company or third party to tell if a
consumer's computer is reliable or not -- it is entirely up
to the consumer. With currently popular consumer operating systems,
it is pretty easy for "a malicious program" to cause all sorts of
mischief. In the CyberCash classic wallet, the consumer's valuable data
is stored enciphered (using "industrial strength cryptography") on
the consumer's computer's local hard disk, under a key
derived from a cryptographically strong hash of user entered data.
If the consumer doesn't trust his own computer, he should not
be entering valuable data or storing RSA private keys on it.

The CyberCoin protocol's session keys are fairly short lived.
They expire in hours, and are not stored in long term
storage by the wallet. The session keys are typically used
to decipher content (electronic goods) that have already
been delivered to the consumer's computer, so "stealing" these
keys is unlikely; they are not a very attractive target.

Hope this helps.

Of course, this past week, CyberCash announced a lightweight, Java-based
wallet that will eventually replace their classic Wallet. For the
appropriate PR, check out http://www.cybercash.com/cybercash/company/news/releases/1998/98august19aw.html

Pat
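
The at-rest protection described in the message above (data enciphered on the local disk under a key derived from a hash of user-entered data), as an added example that is not part of the original message and is not CyberCash's code. PBKDF2 with a random salt, the iteration count, the blob layout and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for an AEAD cipher such as AES-GCM) are all assumptions; the passphrase and record are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor, not a value from the message
SALT_LEN = NONCE_LEN = 16     # assumed blob layout: salt | nonce | ciphertext | tag
TAG_LEN = 32

def derive_keys(passphrase, salt):
    """Stretch user-entered data into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                   salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]

def keystream_xor(enc_key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal(passphrase, plaintext):
    """Encrypt then MAC; only salt, nonce, ciphertext and tag reach the disk."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = salt + nonce + keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(passphrase, blob):
    """Verify the tag before decrypting; reject wrong passphrase or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + NONCE_LEN]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified file")
    return keystream_xor(enc_key, nonce, body[SALT_LEN + NONCE_LEN:])

if __name__ == "__main__":
    blob = seal("constructed passphrase", b"constructed wallet record")
    print(unseal("constructed passphrase", blob))
```

This covers a stored file that is copied or altered; it does nothing about a program already running on the machine while the passphrase is typed, which is the trust question the message raises.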



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:11:00