Design question
Iliya Peregoudov
iperegudov at cboss.ru
Sat Feb 4 07:51:15 CET 2012
When the private key corresponding to a digital certificate is stored on a
computer's hard disk, it is not stored securely. The only way to store a
private key securely is to use a smart card.
The private key is stored on the smart card in a way that it cannot be read.
The computer sends data to the smart card, the smart card performs the
cryptography with the stored private key and sends the result back to the
computer. So the private key is never transported outside the smart card.
You can connect a smart card to each computer. There are USB smart card
readers. To avoid smart card theft you can connect the reader to the
motherboard's internal USB header and mount the smart card reader inside the
computer case. You also need to protect each computer case with an
electromechanical (solenoid) lock.
There are motherboards with an integrated cryptographic processor (the
so-called trusted platform module). I think a TPM should provide features
similar to a smart card. But I don't have one and I'm not sure.
-- Iliya Peregoudov
Dan Letkeman wrote:
> Ok, so there are two problems with these scenarios in our environment.
> We do not run AD, we run eDirectory, and the computers are not
> assigned to the users, they are all shared computer labs. This is why
> having separate certs for each machine is impossible, as we would have
> to go around and install each cert manually on each machine. I think
> I am stuck with, at best, using the same cert for each computer
> lab.
>
> I think that would make more sense.
>
> Dan.
>
> On Fri, Feb 3, 2012 at 7:33 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>> Hi,
>>
>>> Personally we (plan to) use PEAP/MS-CHAP, and check the machine account
>>> against AD using ntlm_auth.
>> this is what we do for machine authentication (wired/wireless)
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
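The property Iliya describes above (the host never holds the private key; it only hands the card a digest and gets a signature back) is exactly the interface a TLS client needs for EAP-TLS style certificate authentication. The following is an added example, not code from this thread or from the FreeRADIUS project: a Go program using only the standard library, in which a simulated card type exposes nothing but Public() and Sign(), and that type is plugged into a mutually authenticated TLS 1.3 handshake over an in-memory pipe. Everything in it is an assumption for illustration: the cardSigner type, the names "lab-pc-01" and "radius-test", the self-signed certificates, and the fact that the card is simulated in process rather than backed by PKCS#11 or a TPM.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// cardSigner models a smart-card or TPM-resident key as the host sees it:
// it can hand out the public key and sign a digest, and nothing else.
// Hypothetical: the private key is simulated in process here; a real token
// would implement Sign via PKCS#11 or a TPM interface and never expose priv.
type cardSigner struct {
	priv      *ecdsa.PrivateKey
	signCalls int // how many times the host asked the "card" to sign
}

func (c *cardSigner) Public() crypto.PublicKey { return &c.priv.PublicKey }

func (c *cardSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	c.signCalls++
	return c.priv.Sign(r, digest, opts)
}

// selfSigned builds a minimal self-signed certificate for cn (with optional
// DNS SANs). Both peers trust each other's self-signed cert directly here;
// a lab deployment would issue the certs from its own CA instead.
func selfSigned(cn string, dnsNames []string, key *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// HandshakeWithCardKey runs a mutually authenticated TLS handshake over an
// in-memory pipe. The client's private key is reachable only through the
// cardSigner's Sign method. It returns the client CN the server accepted and
// the number of signatures the card was asked to produce.
func HandshakeWithCardKey() (string, int, error) {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", 0, err
	}
	serverCert, serverDER, err := selfSigned("radius-test", []string{"radius-test"}, serverKey)
	if err != nil {
		return "", 0, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", 0, err
	}
	clientCert, clientDER, err := selfSigned("lab-pc-01", nil, clientKey)
	if err != nil {
		return "", 0, err
	}
	// From here on the host side only ever touches the card, never clientKey.
	card := &cardSigner{priv: clientKey}

	serverPool := x509.NewCertPool()
	serverPool.AddCert(serverCert)
	clientPool := x509.NewCertPool()
	clientPool.AddCert(clientCert)

	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{serverDER}, PrivateKey: serverKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientPool,
		SessionTicketsDisabled: true, // no post-handshake writes, so net.Pipe cannot stall
	}
	cliCfg := &tls.Config{
		// crypto/tls only requires PrivateKey to satisfy crypto.Signer; this
		// is the hook a PKCS#11 or TPM-backed key would use in the same way.
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientDER}, PrivateKey: card}},
		RootCAs:      serverPool,
		ServerName:   "radius-test",
	}

	a, b := net.Pipe()
	defer a.Close()
	defer b.Close()
	srv := tls.Server(a, srvCfg)
	cli := tls.Client(b, cliCfg)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return "", 0, err
	}
	if err := <-srvErr; err != nil {
		return "", 0, err
	}
	peer := srv.ConnectionState().PeerCertificates[0]
	return peer.Subject.CommonName, card.signCalls, nil
}

func main() {
	cn, n, err := HandshakeWithCardKey()
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("server authenticated client %q; card signed %d time(s)\n", cn, n)
}
```

The point to take from it is the shape of the interface rather than the simulation: the TLS stack never asks for key bytes, only for a signature over the CertificateVerify digest, which is why the same client code works unchanged whether the key sits in a file, on a smart card or in a TPM. Swapping the in-process key for a hardware one means replacing the cardSigner body with a PKCS#11 or TPM call; the host-side configuration stays the same.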