Re: Cryptanalysis of SecurID (ACE/Server)

Perry E. Metzger (perry@piermont.com)
Thu, 01 Oct 1998 19:26:56 -0400

• Next message: Perry E. Metzger: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Previous message: Mike Stay: "[Fwd: Re: PGP and key storage.]"
• Next in thread: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Reply: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Reply: Marcus Watts: "Re: Cryptanalysis of SecurID (ACE/Server)"

"John Moore" writes:
> > From: Perry E. Metzger [mailto:perry@piermont.com]
> >
> > Since the cost of a secure ID system is no lower than that of fully
> > encrypting the link, and in fact (given the fact that the cards self
> > destruct and have to be replaced at high cost) often cost
> > significantly more, why bother with half measures? Sure, there are
> > ways to break a crypto system, but if you are bothering with any
> > security why not do something both cheaper and better?
>
> SecurID is used to authenticate users. Encryption is used to hide
> information and prevent it from being modified. Thus they have different
> uses IMHO.

Encryption technology has many uses. Although you may be unfamiliar
with the use of encryption for authentication, the developers of
technologies like IPSec and SSH do not seem to have been ignorant
of these techniques. MACs and digital signatures are hardly shocking
and unknown technologies.

> Just because one uses SecurID does not mean one doesn't use
> encryption.

If you already are paying for encryption software, what do you need
the (expensive) token for?

> And likewise, encryption without some form of two fact
> authentication is not sufficient to properly identify the human
> involved.

Huh?

The token isn't bonded to the person's skin. It is just as easily
stolen as anything else -- like their laptop with their (encrypted)
private key, say.

> One could argue that the pass phrase used to open a certificate is two fact,
> but I don't think it is the same thing. A time variant token authenticates
> that the individual making the access has physical possession of the only
> copy of that device in the universe.

Okay. So, we've changed the problem from stealing the laptop to
stealing the token in the guy's wallet. Could you explain why this is
better in some way?

Perry

• Next message: Perry E. Metzger: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Previous message: Mike Stay: "[Fwd: Re: PGP and key storage.]"
• Next in thread: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Reply: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Reply: Marcus Watts: "Re: Cryptanalysis of SecurID (ACE/Server)"