Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: Tommy Ward <tommy () securify com>
Date: Tue, 21 Nov 2000 15:48:01 -0800
As far as the algorithm, it is patented, and it is implemented in several software products, including the ACE/Server and the software version of the token. That means it is not really very secret....

What makes me wonder more about the "secret technology" involved in this case is the deduced limitation on the crypto used. If you think about the hardware based SecurID card having up to a 4 year battery life, and the most basic version displays a new OTP every 60 seconds whether you need it or not, there can't be a very large number of clock cycles involved in computing the OTP. By comparison, we used to see about a 2 year battery life on the old SNK token, which used an 8-bit processor to perform a single DES computation to generate its OTP, and only did so when you need a new OTP to authenticate with.

I would guess that a brute force analysis should be able to compromise any given SecurID account in a short period of time. If you had only a few samples of plain text (the time of day) and cypher text (the OTP), this should be a computationally easy task.

If you can pry it out of him, Mudge did enough work on this in about 1995 to prepare a paper on the subject, but he got "persuaded" not to release it.

....Tommy

At 02:24 PM 11/17/2000 +0300, ark () eltex ru wrote:
nuqneH,

BTW - did anyone try to reverse-engineer SecurID to find what algorithms are inside there? I wonder why does it require hardware server if the only requirement is accurate clock and software token does exist.. I'd prefer to know what is inside that thingies. My general policy is to avoid "secret technologies".
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards