Re: Hardware tokens for remote access authentication

["Marcus J. Ranum" <mjr () ranum com>]

Vin McLellan wrote:
> RSA's SecurID patents are broader than that.  If they weren't, we'd be choosing from an array of time-synch tokens 
> from China today. (I think there are seven different US patents, with foreign counterparts, on aspects of the SecurID 
> design.  The earliest of them runs out next year, but you'd  a cautious lawyer to consider the scope of all the rest 
> of them before anyone followed Marcus' advice for home-brew time-synch;-) 

We all know how the patent game is played, Vin. :(

I'm not going to wade through SDI's patent filings and try to make sense
of them, but I'd betcha a stack of donuts there's lots of prior art on the
concept of keys that are valid in time and that's all we're talking about,
here. Saving and managing time-skew is Napoleonic-era naval navigation.
I'm just jerking your chain here, of course, because we both know that
a patent, once granted, is a legal club to use even if there IS widely
published prior art. And it doesn't matter one whit whether the patents
are actually innovative if you have lawyers you can use to threaten
with. *sigh*

> In 1998, even Marcus' FWTK and the TIS Gauntlet were found to have a flawed random-number generator, which threatened 
> the integrity of those C/R authenticators which had relied upon it.)

This may strike you as surprising, but I've never heard of such a thing.
Can you post a reference??

Random numbers used for challenge-response do not need to be
cryptographically strong, for practical purposes, if the challenge is
attached to a unique stream. There's a theoretical attack, I suppose,
where you could figure out what the next challenge would be, but you'd
still need the correct response within the life of the system. Since the
auth server would lock an account after failed attempts, you'd need
some fancy theoretical footwork to pull off an attack. Did anyone ever
actually do it? That's the question!

To Vin's FUD about how hard it is to get it right: that's just
utter bull byproduct. In truth, authentication systems (especially token
based ones) don't get attacked in practice. Because they are a pain
in the a** and because it's easier to just break some sucker's account
who is still using a password. It's like the old joke about the 2 guys
trying to outrun a bear that's chasing them, "I don't need to outrun
the bear; I just need to outrun YOU."

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards