tags:

views:

54

answers:

2
+4  Q: 

How can I use a USB key to secure my application?

Is using a USB key to secure an application the best option? If it isn't, what is the best way to secure an application in the form of requiring a valid user before the application can be used?

The reason I ask this question is that a client recently asked me to make an application require a specific USB device be inserted into the system before the app can be used or run. Basically, the application is a medical software and the client sees this method of security more trusted, as the app contains sensitive data of his paients. In that case of loss, I can tell the user how to generate another security key using the app in command line mode.

A: 

Your application could require a certificate, signed by you, to be present on a regular USB memory stick. The certificate could be locked with a password, that the user would have to enter. Certificates on stolen or lost thumbdrives could be revoked.

For a less homebrew solution, I'm sure there are commercial smart card based services you could use.

calmh  2010-08-27 13:13:05
+1  A: 

Not necessarily an answer to the question, but a point to be considered in response to the question and comments so far...

A USB key by itself is not going to be more secure than password-based authentication. It's still one-factor, it can be lost/stolen/etc. What the client probably actually wants, and either doesn't know it or hasn't properly articulated it, is multi-factor authentication. Consider these:

  1. Something you know (a password, answer to a question, etc.)
  2. Something you have (a USB key, time-limited key generating fob, etc.)
  3. Something you are (finger print, retina scan, etc.)

Most systems use only the first one. For added security, you add the second one. For Mission: Impossible style high-clearance security, throw in the third one. The idea is that any one factor can be forged, but adding new factors adds new dimensions of security which exponentially make it more difficult (rather than linearly more difficult when just replacing one factor with a "better" factor).

David  2010-08-27 13:14:40
A common example is a physical device (a USB key or smart card) that contains a security certificate. A PIN or password is used to decrypt said certificate. In order to compromise your system, the attacker would need the device containing the certificate plus the PIN or password.
Thomas Owens  2010-08-27 13:20:37
USB cryptotokens are two-factor as they require a PIN to be used. So lost/stolen case is still covered by the password.
Eugene Mayevski 'EldoS Corp  2010-08-27 13:55:15
@Eugene: Generally, yes. But that understanding didn't seem to be present in the question, and potentially not in the client. I figured I'd make the point of multi-factor authentication more explicit.
David  2010-08-27 14:21:21

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security