

Ask HN: Smartcards for encryption and signatures - beagle3

An application I develop for a customer requires users to authenticate themselves in a reasonably trustworthy and secure manner. The customer requested that each user be supplied with a hardware token that can be used to encrypt and sign content created by that user. Sounds like it should be easy to do ...

The only standard that seems to be helpful, however, is the PGPcard (which supports RSA and DSA up to 3K bits, but not e.g. ECDSA). Which is still great - except that there is exactly one vendor that can consistently supply the hardware (kernelconcepts.de), and one awesome newcomer - YubiKey NEO, that is less than 2 months old, and is going to spend at least three out of its initial four months being out of stock. Prices for these are in the $30-$50 range, depending on quantities and configuration.

Is it my inadequate market research, or is smartcard adoption and availability for these purposes really so rare?

Note that I'm not looking for two-factor authentication or anything of the sort; I need to be in a situation that a signed or encrypted message conclusively proves custody of a portable unique token at the time, regardless of how malicious the phone network is, how malicious an involved system administrator is, or however many hidden cameras watch the user's screen and phone while they are busy authenticating. And I would be happier to not be dependent on a single supplier.

Thanks!
======
eduardordm
This is extremely simple, actually.

Just set your web server with SSL mutual authentication and require the client
certificate to be an A3 (smart card or usb token). You can even restrict the
CA or roll your own.

This is not rare, in fact, some countries require all companies to have at
least one A3 certificate. Using A3 certificates for authentication is
inherently a two-factor authentication, it can even be three if you require a
password for the actual service.

~~~
beagle3
My question is on a different level completely:

Where do you actually get those tokens, at a reasonable price ($20-$40 each,
not the $100-$500 of RSA and friends) in the US? If I want my users to present
certificates like that, I expect them to be able to purchase them themselves.

Once they have the key, the exact procedure is less important (The app I'm
working on is not, in fact, a webapp, so I can do whatever I please. In fact,
I need the user to sign documents with their certificate, not just present
it).
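The two comments above describe the same PKI from two sides: a server that trusts a CA for client certificates (eduardordm), and a user whose certificate key signs documents rather than just being presented (beagle3). The following openssl script is an added example and not code from the thread; it builds a throwaway CA, issues a user certificate, produces a detached signature over a document, and verifies both the certificate chain and the signature. The CA name, the user name "alice" and the sample document are constructed for the example, and the user's private key sits on disk only for demonstration: with a smart card that key would never leave the token, and the `openssl dgst -sign` step would be done by the token's signing operation instead.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal PKI with the openssl CLI.
# The CA file produced here is what a web server would list as the trusted
# issuer for TLS client certificates; the same user certificate is then used
# to verify a detached document signature.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Private CA (constructed name). A server doing mutual TLS would trust this
# certificate as the issuer of acceptable client certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Client CA" -keyout ca.key -out ca.crt 2>/dev/null

# User key pair and CSR, then a certificate issued by the CA. On a token the
# key pair would be generated on-card and only the CSR would leave it.
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out alice.crt 2>/dev/null

# Constructed sample document to be signed.
printf 'Purchase order #1234: 10 units\n' > doc.txt

# sign_document DOC SIGFILE: detached RSA signature over SHA-256(DOC).
# This is the step a smart card would perform with its on-card key.
sign_document() {
  openssl dgst -sha256 -sign alice.key -out "$2" "$1"
}

# verify_document DOC SIGFILE CERT: succeeds only if CERT chains to our CA
# and the signature matches CERT's public key; fails otherwise.
verify_document() {
  openssl verify -CAfile ca.crt "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -pubkey -noout > "$3.pub"
  openssl dgst -sha256 -verify "$3.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration: a valid signature passes, a modified document fails.
sign_document doc.txt doc.sig
verify_document doc.txt doc.sig alice.crt && echo "signature valid, certificate chains to CA"
printf 'Purchase order #1234: 100 units\n' > tampered.txt
verify_document tampered.txt doc.sig alice.crt || echo "tampered document rejected"
```

The check in verify_document deliberately does two things: `openssl verify` establishes that the certificate was issued by the CA the relying party trusts, and `openssl dgst -verify` ties the signature to that certificate's key. Skipping the first step would accept a signature from any self-issued certificate, which is the mistake that makes "proof of custody of the token" meaningless.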

