Re: Token based OTP: SafeWord or SecurID?

[Tommy Ward <tommy () securify com>]

As far as the algorithm, it is patented, and it is implemented in several
software products, including the ACE/Server and the software version of
the token.  That means it is not really very secret....

What makes me wonder more about the "secret technology" involved in this
case is the deduced limitation on the crypto used.  If you think about the
hardware based SecurID card having up to a 4 year battery life, and the most
basic version displays a new OTP every 60 seconds whether you need it or
not, there can't be a very large number of clock cycles involved in computing
the OTP.   By comparison, we used to see about a 2 year battery life on
the old SNK token, which used an 8-bit processor to perform a single DES
computation to generate its OTP, and only did so when you need a new
OTP to authenticate with.

I would guess that a brute force analysis should be able to compromise
any given SecurID account in a short period of time.  If you had only a
few samples of plain text (the time of day) and cypher
text (the OTP), this should be a computationally easy task.

If you can pry it out of him, Mudge did enough work on this in about
1995 to prepare a paper on the subject, but he got "persuaded" not to
release it.

....Tommy


At 02:24 PM 11/17/2000 +0300, ark () eltex ru wrote:

> nuqneH,
>
> BTW - did anyone try to reverse-engineer SecurID to find what algorithms are
> inside there? I wonder why does it require hardware server if the only
> requirement is accurate clock and software token does exist..
>
> I'd prefer to know what is inside that thingies. My genreal policy is to 
> avoid
> "secret technologies".
>                                      _     _  _  _  _      _  _


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards