Re: ArcotSign (was Re: Does security depend on hardware?)


Bruce Schneier (schneier@counterpane.com)
Mon, 21 Sep 1998 05:26:40 -0500


At 06:27 AM 9/21/98 -0400, Adam Shostack wrote:
>On Sun, Sep 20, 1998 at 06:45:06PM +0200, Lucky Green wrote:
>| On Sat, 19 Sep 1998, Ryan Lackey wrote:
>|
>| >
>| > [from a discussion of tamper-resistant hardware for payment systems
>| > on dbs@philodox.com, a mailing list dedicated to digital bearer systems,
>
>| o ArcotSign(TM) technology is a breakthrough that offers smart card tamper
>| resistance in software. Arcot is unique in this regard, and WebFort is the
>| only software-only web access control solution on the market that offers
>| smart card security, with software convenience and cost. [We have now
>| entered deep snake oil territory. Claims that software affords tamper
>| resistance comparable to hardware tokens are either based in dishonesty or
>| levels of incompetence in league with "just as secure pseudo-one-time
>| pads"].
>|
>| In summary, based on the technical information provided by Arcot System,
>| the product is a software based authentication system using software based
>| client certificates.
>
> I have no knowledge of Arcot's systems and can't comment on
>them. However, there are ways to make software hard to disassemble
>and/or tamper with. Given that Arcot is probably going to attack
>smartcards as being easily attacked, 'smartcard level' security is not
>that high a target, the claim may not be so outlandish.

They're not looking to do tamperproof software. Their business model can
be best described as: "better than passwords, cheaper than SecurID."

Here's the basic idea: Strew a million passwords on your hard drive, and
make it impossible to verify which is the correct one offline. So, someone
who steals the password file off the client cannot run a cracking tool
against the file.

> Be interesting to see how fast the code is. If they're
>embedding certs in complex code that needs to run to sign, then theft
>of the cert may be difficult.

It isn't bad.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
           Free crypto newsletter. See: http://www.counterpane.com
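
The idea described in the message above ("make it impossible to verify which is the correct one offline"), as an added Python example that is not part of the original post and is not Arcot's code or design. It contrasts a stolen salted-hash file, which can be cracked offline, with a file in which every PIN decrypts to an equally plausible key, so only an online server with a failure counter can tell them apart. The 4-digit PIN space, the XOR construction, the toy key derivation and all names and values are assumptions made for illustration.

```python
import hashlib, hmac

PINS = [f"{i:04d}" for i in range(10_000)]    # constructed 4-digit PIN space
SALT = b"constructed-salt"                    # constructed sample values
SECRET = hashlib.sha256(b"constructed 32-byte signing key").digest()

def pad(pin: str) -> bytes:
    # Toy derivation for the demo; a real design would use a slow KDF.
    return hashlib.sha256(SALT + pin.encode()).digest()

def verifier_file(pin: str) -> bytes:
    """Conventional store: a salted hash that guesses can be tested against."""
    return hashlib.sha256(b"verify" + pad(pin)).digest()

def crack_verifier(stolen: bytes) -> list[str]:
    """Offline guessing works here: exactly one PIN reproduces the file."""
    return [p for p in PINS if hmac.compare_digest(verifier_file(p), stolen)]

def camouflage(data: bytes, pin: str) -> bytes:
    """XOR with the PIN pad. No MAC, header or padding; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, pad(pin)))

def candidates(stolen: bytes) -> dict[str, bytes]:
    """All a thief learns offline: one equally plausible key per PIN."""
    return {p: camouflage(stolen, p) for p in PINS}

def respond(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, "sha256").digest()

class Server:
    """Only the online verifier knows the real key, and it counts failures."""
    def __init__(self, key: bytes, max_failures: int = 3):
        self.key, self.left = key, max_failures

    def login(self, challenge: bytes, response: bytes) -> bool:
        if self.left <= 0:
            return False                       # locked out
        if hmac.compare_digest(respond(self.key, challenge), response):
            return True
        self.left -= 1
        return False

if __name__ == "__main__":
    print("hash file cracked offline:", crack_verifier(verifier_file("4821")))
    keys = candidates(camouflage(SECRET, "4821"))
    print("camouflaged file:", len(set(keys.values())), "distinct candidate keys")
```

This only holds when the protected secret has no recognisable structure; any checksum, padding or known format in the plaintext would give an offline test back to whoever holds the file.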



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:00