Bugtraq mailing list archives
Re: swc / ActivCard
From: Steve VanDevender <stevev () HEXADECIMAL UOREGON EDU>
Date: Wed, 23 Aug 2000 09:41:41 -0700
Vin McLellan writes:
> Michal Zalewski <lcamtuf () DIONE IDS PL>, who initiated this discussion, replied:
>
> > To make everything clear - as I noticed, I just wanted to start a discussion and further investigation of this ActivCard One synchronous token issue. None of my statements can be treated as true without checking it independently (which I said clearly, as well, because I was using only a few sources of input data for my analysis and it's quite possible I've made bad assumptions somewhere). Sadly, some people (both ActivCard representatives and people not related to this company) didn't understand the nature of my post - and I guess it can only be bad will, because I stated it clearly, _twice_.
>
> With due respect, Mr. Z, when you claim to have developed a method which allows you to predict -- within 100 guesses, one-third of the time -- the *next* tokencode from a specific ActivCard two-factor authentication token, you are not just asking for a collegial statistical review of an ActivCard's tokencode output. Whatever waffling qualifications you placed around that claim, you declared an achievement which implied that those institutions -- a large portion of them European banks -- which use ActivCard to secure network access, and enable commercial funds transfers, have placed themselves, their customers, and probably billions of zloty, at risk.
Either ActivCard provides some kind of useful security, or it does not. It is possible that the apparent patterns in ActivCard tokens are intentional and that these do not reduce its security. However, the only way ActivCard can meaningfully convince customers that their system is secure is to describe in detail how it works so that it can be properly cryptanalyzed and so that customers can understand how to best protect security with ActivCard. If the apparent security provided by ActivCard is merely the result of most people not knowing how the tokens are generated, and if the method that ActivCard uses is flawed, then ActivCard has placed their own customers at risk, and attacking those who might reverse-engineer that flawed method is not going to fix that problem. I think there is good reason to be suspicious if ActivCard tokens show apparent patterns, when so many other proprietary security systems and cryptographic implementations have had serious flaws.
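The disputed claim above is a measurable one: how often can an observer who has seen past tokencodes land the next one within some number of guesses? As an added example (not from this thread, from ActivCard, or from any of the posters), the Python harness below puts a number on that for any logged sequence of six-digit codes. It trains a naive next-code predictor on the first half of a sequence and reports the fraction of next codes hit within 100 guesses on the second half, comparing an RFC 4226 HOTP generator (HMAC-SHA1 with the standard truncation) against a constructed, deliberately patterned generator. The weak generator, its `WEAK_STEPS` constants and the seed are hypothetical and say nothing about ActivCard's actual design; the key is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct
from collections import Counter

MODULUS = 10 ** 6  # six-digit tokencodes


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def hotp_sequence(secret: bytes, n: int) -> list:
    """The first n codes an HOTP token would emit for counters 0..n-1."""
    return [hotp(secret, c) for c in range(n)]


# Constructed weak generator (hypothetical, for contrast only): each code is the
# previous one plus a step taken from a short fixed cycle, so the deltas between
# successive codes take only three distinct values.
WEAK_STEPS = (1234, 5678, 9012)


def weak_sequence(seed: int, n: int) -> list:
    codes, code = [], seed % MODULUS
    for i in range(n):
        codes.append(code)
        code = (code + WEAK_STEPS[i % len(WEAK_STEPS)]) % MODULUS
    return codes


def delta_predictor_hit_rate(codes, guesses: int = 100, modulus: int = MODULUS) -> float:
    """Naive observer model: learn the most common (next - previous) deltas from the
    first half of the sequence, then on the second half guess `previous + delta`
    for each of the top `guesses` deltas. Returns the fraction of next codes hit."""
    half = len(codes) // 2
    train, test = codes[:half], codes[half:]
    deltas = Counter((b - a) % modulus for a, b in zip(train, train[1:]))
    top = {d for d, _ in deltas.most_common(guesses)}
    pairs = list(zip(test, test[1:]))
    hits = sum(1 for a, b in pairs if (b - a) % modulus in top)
    return hits / len(pairs)


def baseline_hit_rate(guesses: int = 100, modulus: int = MODULUS) -> float:
    """What `guesses` blind guesses achieve against a uniform code: the rate any
    claimed predictor has to beat before it shows there is structure to exploit."""
    return guesses / modulus


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, not a real secret
    strong = hotp_sequence(secret, 4000)
    weak = weak_sequence(424242, 4000)   # constructed seed
    print(f"blind baseline, 100 guesses: {baseline_hit_rate():.4%}")
    print(f"HOTP sequence,  100 guesses: {delta_predictor_hit_rate(strong):.4%}")
    print(f"weak sequence,  100 guesses: {delta_predictor_hit_rate(weak):.4%}")
```

Against the HOTP sequence the predictor does no better than the blind baseline of 0.01%, while the patterned generator is hit every time; a result such as the one-third figure quoted above would sit far above the baseline and is the kind of number a site can check for itself by feeding its own logged codes to `delta_predictor_hit_rate`. The delta model is only the simplest observer; a fair review would also try digit-frequency and longer-lag statistics, but any of them is only meaningful once the generation method is published and can be analysed directly, which is the point of the reply above.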
Current thread:
- swc / ActivCard Michal Zalewski (Aug 18)
- Re: swc / ActivCard Alan DeKok (Aug 18)
- Re: swc / ActivCard John Fulmer (Aug 21)
- Re: swc / ActivCard Alan DeKok (Aug 21)
- Re: swc / ActivCard Michal Zalewski (Aug 21)
- Re: swc / ActivCard Vin McLellan (Aug 23)
- Re: swc / ActivCard Michal Zalewski (Aug 23)
- Re: swc / ActivCard Alan DeKok (Aug 25)
- Re: swc / ActivCard Michal Zalewski (Aug 25)
- Re: swc / ActivCard Michal Zalewski (Aug 25)
- Re: swc / ActivCard Alan DeKok (Aug 18)
- Re: swc / ActivCard Steve VanDevender (Aug 25)
- <Possible follow-ups>
- Re: swc / ActivCard Vasilios Katos (Aug 18)