Firewall Wizards mailing list archives
Re: Hardware tokens for remote access authentication
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 10 Jul 2004 11:40:50 -0400
Vin McLellan wrote:
RSA's SecurID patents are broader than that. If they weren't, we'd be choosing from an array of time-synch tokens from China today. (I think there are seven different US patents, with foreign counterparts, on aspects of the SecurID design. The earliest of them runs out next year, but you'd a cautious lawyer to consider the scope of all the rest of them before anyone followed Marcus' advice for home-brew time-synch;-)
We all know how the patent game is played, Vin. :( I'm not going to wade through SDI's patent filings and try to make sense of them, but I'd betcha a stack of donuts there's lots of prior art on the concept of keys that are valid in time and that's all we're talking about, here. Saving and managing time-skew is Napoleonic-era naval navigation. I'm just jerking your chain here, of course, because we both know that a patent, once granted, is a legal club to use even if there IS widely published prior art. And it doesn't matter one whit whether the patents are actually innovative if you have lawyers you can use to threaten with. *sigh*
In 1998, even Marcus' FWTK and the TIS Gauntlet were found to have a flawed random-number generator, which threatened the integrity of those C/R authenticators which had relied upon it.)
This may strike you as surprising, but I've never heard of such a thing. Can you post a reference?? Random numbers used for challenge-response do not need to be cryptographically strong, for practical purposes, if the challenge is attached to a unique stream. There's a theoretical attack, I suppose, where you could figure out what the next challenge would be, but you'd still need the correct response within the life of the system. Since the auth server would lock an account after failed attempts, you'd need some fancy theoretical footwork to pull off an attack. Did anyone ever actually do it? That's the question! To Vin's FUD about how hard it is to get it right: that's just utter bull byproduct. In truth, authentication systems (especially token based ones) don't get attacked in practice. Because they are a pain in the a** and because it's easier to just break some sucker's account who is still using a password. It's like the old joke about the 2 guys trying to outrun a bear that's chasing them, "I don't need to outrun the bear; I just need to outrun YOU." mjr. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Hardware tokens for remote access authentication Bill Kyle (Jul 08)
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 08)
- Message not available
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 13)
- Re: Hardware tokens for remote access authentication Vin McLellan (Jul 13)
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 13)
- Re: Hardware tokens for remote access authentication Vin McLellan (Jul 13)
- Re: Hardware tokens for remote access authentication ArkanoiD (Jul 15)
- Re: Hardware tokens for remote access authentication ArkanoiD (Jul 15)
- Message not available
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 08)
- <Possible follow-ups>
- RE: Hardware tokens for remote access authentication Woeltje, Don (Jul 10)
- Message not available
- RE: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 13)
- Message not available