
You give everyone smart cards/tokens with bruteforce-limited PINs on them. That's where the private key will reside.

The "only" other problem that will remain is that you will need a secure supply-chain, otherwise this will happen:

http://www.zdnet.com/article/id-card-security-spain-is-facin...

https://www.reuters.com/article/us-gemalto-cybercrime/hack-g...

If you do something like this you actually need to be serious about it and establish a rigorous vetting/auditing process -- not just hand the contract to whoever donated the most to your election campaign.

Maybe set up a 3-year-long NIST competition or something, like they do when choosing new crypto standards, and establish the winner this way.

The other side of the equation, allowing services to interface with these cards securely, is already being solved by the FIDO 2.0 spec.




...how do you get the private key off the card and into my future banks website when I apply for a credit card?


With smart cards (EMV, PIV, etc.), cryptographic functions executed on secret materials are usually handled on the card. The host sends the data to be encrypted or signed to the card, requests the card to process it, and then reads the encrypted results or signature. Often, there are no ways to get the chip to send the private key off of the device. Once the private key is generated or loaded onto the device, it can only be erased or written over.

Standards like FIDO and others allow for browsers and websites to utilize these cryptographic functions of smart cards in ways to handle website authentication. The technology exists for smartcards to handle authentication, it is simply a matter of us moving to this technology.


So I need a smart card reader?


That depends on the chosen smart card technology. Some smart cards are USB devices in themselves, such as YubiKeys or associated FIDO-certified devices. Otherwise, you may want or need a smart card reader to read cards in a similar format to what you see on chip-based credit cards.

USB smart card readers are fairly cheap. Many business-focused laptops have been available with smart card reader options for many years.


Yes, they are cheap though (~$10), and they sell keyboards with built-in smart card readers.


Yes.


The same way you can currently do it with smartcards. When you insert your smartcard into the reader, it is being treated as a certificate. Most major browsers support this; I can vouch for Chrome and Firefox personally, as I use a smartcard for auth in them on a fairly regular basis.


Do you have any information on how you've set that up and which cards and readers you use? I've been thinking about playing around with a similar concept.


So then who manages the HSM infra? I feel like there are few good choices, but maybe someone like Neustar would be a good fit?



