Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:19
John Moore (jmoore@speedchoice.com)
Thu, 1 Oct 1998 16:16:10 -0700
> From: Perry E. Metzger [mailto:perry@piermont.com]
>
> Since the cost of a secure ID system is no lower than that of fully
> encrypting the link, and in fact (given the fact that the cards self
> destruct and have to be replaced at high cost) often cost
> significantly more, why bother with half measures? Sure, there are
> ways to break a crypto system, but if you are bothering with any
> security why not do something both cheaper and better?
SecurID is used to authenticate users. Encryption is used to hide
information and prevent it from being modified. Thus they have different
uses IMHO. Just because one uses SecurID does not mean one doesn't use
encryption. And likewise, encryption without some form of two fact
authentication is not sufficient to properly identify the human involved.
One could argue that the pass phrase used to open a certificate is two fact,
but I don't think it is the same thing. A time variant token authenticates
that the individual making the access has physical possession of the only
copy of that device in the universe. An added password (or PIN as Security
Dynamics calls it) authenticates that the individual making the access has
secret knowledge associated with that device. From a human factors
viewpoint, encryption is no better than passwords as a form of
authentication. It is too convenient to give someone a password, write it on
a post-it note, etc.
So it seems to me that a combination of encryption and authentication need
to be used.
But... I am looking for other ways to think about it or I wouldn't have
posted... so please don't take this as my final, unalterable opinion!
John
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:19