Firewall Wizards mailing list archives
RE: Token based OTP: SafeWord or SecurID?
From: John Adams <jna () retina net>
Date: Fri, 24 Nov 2000 17:22:36 -0500 (EST)
On Thu, 23 Nov 2000, Ben Nagy wrote:
> -----Original Message-----
> From: Tommy Ward [mailto:tommy () securify com]
>
> > As far as the algorithm, it is patented, and it is
> > implemented in several
> > software products, including the ACE/Server and the software version of
> > the token. That means it is not really very secret....
>
> Indeed. I've heard from several different sources that you can request to
> eval the algorithm under NDA - which lots of people have done.

There was a fair amount of papers and discussions surrounding SecurId
around 1995/1996. Adam Shostack wrote 'Apparent weaknesses in the
Security Dynamics Client/Server Protocol', available at:

http://www.homeport.org/~adam/dimacs.html

It's pretty good, although without any knowledge of the protocol itself
(as it's still private), most of the attempts in the paper are useless.

Also, a serious bug (copied here from the 1996 paper) was patched in the
hash algorithm:

    Security Dynamics was first notified of this bug in July 1996, when
    Mark Warner and Chris MacNeil told us that the bug had been found and
    fixed by adding the client secret key into the information hashed by
    F2, thus, wp=F2(IP, T, P, c). Details about when this happened were
    not provided. When we asked John Brainard about this in August, he
    suggested that the attack would work. Security Dynamics was notified
    about the planned publication of this paper in November.

There's a ton of links on this at:

http://www.securityportal.com/list-archive/firewalls/1999/May/0027.html

--john

--
J. Adams http://www.retina.net/~jna

You are supposed to be a consumer, a black hole for goods, advertising
and content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards