Re: Cryptanalysis of SecurID (ACE/Server)

Marcus Watts (mdw@umich.edu)
Thu, 01 Oct 98 20:03:48 -0400

• Next message: Matt Blaze: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Previous message: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• In reply to: Perry E. Metzger: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Next in thread: Adam Shostack: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Reply: Adam Shostack: "Re: Cryptanalysis of SecurID (ACE/Server)"

Perry sent:
>
> > One could argue that the pass phrase used to open a certificate is two fact,
> > but I don't think it is the same thing. A time variant token authenticates
> > that the individual making the access has physical possession of the only
> > copy of that device in the universe.
>
> Okay. So, we've changed the problem from stealing the laptop to
> stealing the token in the guy's wallet. Could you explain why this is
> better in some way?

I think SecureID is usually used to replace password systems, not
laptops. It does seem to me, though, that the token in the wallet
isn't liable to contain any other valuable data, and is likely to
be easier to invalidate and replace if stolen. It's probably also
more rugged and much lighter in weight, so more likely to actually
live in the wallet than (for instance) carry-on luggage.

                                -Marcus Watts
                                UM ITD PD&D Umich Systems Group

• Next message: Matt Blaze: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Previous message: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• In reply to: Perry E. Metzger: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Next in thread: Adam Shostack: "Re: Cryptanalysis of SecurID (ACE/Server)"
• Reply: Adam Shostack: "Re: Cryptanalysis of SecurID (ACE/Server)"