Bugtraq mailing list archives
Re: Re: Digipass Go3 Token Dumper (at least for 2006)
From: fcollyer () gmail com
Date: 25 Nov 2006 15:02:00 -0000
Thanks Hugo! http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an insecure-encryption vulnerability because the device uses an insecure single-key encryption algorithm (...)" That is not the case. The C++ implementation that I've provided shows exactly the _opposite_! Its core is 3DES_112(2 64 DES keys used) based. I believe this was I misunderstanding from the list's guys. Nothing to worry seriously about. I'm glad we have VASCO's clarification. And it seems to me that now the community is really free to analyze the truncation/decimalization side of Digipass. Is it secure? Is it the best VASCO could've come with? And the key derivation process?... Best regards, Felipe Collyer (a.k.a. faypou)
Current thread:
- Digipass Go3 Token Dumper (at least for 2006) fcollyer (Nov 13)
- Re: Digipass Go3 Token Dumper (at least for 2006) Hugo van der Kooij (Nov 24)
- <Possible follow-ups>
- Re: Re: Digipass Go3 Token Dumper (at least for 2006) fcollyer (Nov 25)