Re: ArcotSign (was Re: Does security depend on hardware?)


Lucky Green (shamrock@cypherpunks.to)
Sun, 20 Sep 1998 18:45:06 +0200 (CEST)


On Sat, 19 Sep 1998, Ryan Lackey wrote:

>
> [from a discussion of tamper-resistant hardware for payment systems
> on dbs@philodox.com, a mailing list dedicated to digital bearer systems,
> where Scott Loftesness, of DigiCash and Arcot Systems, mentioned ArcotSign.]
>
> You mentioned the URL for Arcot, and I looked at the site. It seems
> rather lacking in technical details, and makes a very strong claim --
> that it can provide tamper resistance in software on a hardware/OS/etc.
> platform which is generally hostile (a general purpose computer).

From the technical description of Arcot's WebFort technology at
http://www.arcot.com/WebFort1.htm, the product sets up an encrypted and
authenticated channel between the client and the server. You could use
standard SSL with client certs to achieve the same result.

What concerns me are the other outrageous claims made on the site:

o Conventional software solutions offering public key authentication, such
as those from Microsoft, Netscape, and Entrust are no stronger than
username/password mechanisms. [False. UID/PW's are subject to guessing.
Client certs are not].

o ArcotCard is a tamper resistant software only private key storage
system. [Anybody using the words "tamper resistant" to describe a software
based solution is incompetent at best].

o ArcotSign(TM) technology is a breakthrough that offers smart card tamper
resistance in software. Arcot is unique in this regard, and WebFort is the
only software-only web access control solution on the market that offers
smart card security, with software convenience and cost. [We have now
entered deep snake oil territory. Claims that software affords tamper
resistance comparable to hardware tokens are either based in dishonesty or
levels of incompetence in league with "just as secure pseudo-one-time
pads"].

In summary, based on the technical information provided by Arcot Systems,
the product is a software based authentication system using software based
client certificates.

-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred.



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:00