Bugtraq mailing list archives

Re: swc / ActivCard

From: Steve VanDevender <stevev () HEXADECIMAL UOREGON EDU>
Date: Wed, 23 Aug 2000 09:41:41 -0700

Vin McLellan writes:

         Michal Zalewski <lcamtuf () DIONE IDS PL>, who initiated this
discussion, replied:

To make everything clear - as I noticed, I just wanted to start a
discussion and futher investigation of this ActivCard One synchronous
token issue. None of my statements cannot be threated as true without
checking it independently (what I saild clearly, as well, because I was
using only a few sources of input data for my analysis and it's quite
possible I've made bad assumptions somewhere). Sadly, some people (both
from ActivCard representatives and not related to this company), didn't
understand the nature of my post - and I guess it can be only a bad will,
because I stated it clearly, _twice_.


         With due respect, Mr. Z, when you claim to have developed a method
which allows you to predict-- within 100 guesses, one-third of the time --
the *next* tokencode from a specific ActivCard two-factor authentication
token, you are not just asking for a collegial statistical review of an
ActivCard's tokencode output.

         Whatever waffling qualifications you placed around that claim, you
declared an achievement which implied that those institutions -- a large
portion of them European banks -- which use ActivCard to secure network
access, and enable commercial funds transfers, have placed themselves,
their customers, and probably billions of zloty, at risk.


Either ActivCard provides some kind of useful security, or it does not.
It is possible that the apparent patterns in ActivCard tokens are
intentional and that these do not reduce its security.  However, the
only way ActivCard can meaningfully convince customers that their system
is secure is to describe in detail how it works so that it can be
properly cryptanalyzed and so that customers can understand how to best
protect security with ActivCard.  If the apparent security provided by
ActivCard is merely the result of most people not knowing how the tokens
are generated, and if the method that ActivCard uses is flawed, then
ActivCard has placed their own customers at risk, and attacking those
who might reverse-engineer that flawed method is not going to fix that
problem.

I think there is good reason to be suspicious if ActivCard tokens show
apparent patterns, when so many other proprietary security systems and
cryptographic implementations have had serious flaws.

Current thread:

swc / ActivCard Michal Zalewski (Aug 18)
- Re: swc / ActivCard Alan DeKok (Aug 18)
  - Re: swc / ActivCard John Fulmer (Aug 21)
  - Re: swc / ActivCard Alan DeKok (Aug 21)
    - Re: swc / ActivCard Michal Zalewski (Aug 21)
    - Re: swc / ActivCard Vin McLellan (Aug 23)
    - Re: swc / ActivCard Michal Zalewski (Aug 23)
    - Re: swc / ActivCard Alan DeKok (Aug 25)
    - Re: swc / ActivCard Michal Zalewski (Aug 25)
    - Re: swc / ActivCard Michal Zalewski (Aug 25)
    - Re: swc / ActivCard Steve VanDevender (Aug 25)
- Re: swc / ActivCard Ross Thompson (Aug 22)
- Re: swc / ActivCard Brian Kowal (Aug 25)
- Re: swc / ActivCard James Courtier-Dutton (Aug 25)
- <Possible follow-ups>
- Re: swc / ActivCard Vasilios Katos (Aug 18)