Re: Cryptanalysis of SecurID (ACE/Server)

Adam Shostack (adam@homeport.org)
Tue, 6 Oct 1998 06:44:29 -0400

• Next message: Mok-Kong Shen: "Re: Jaws Technologies: Snake Oil?"
• Previous message: Adam Shostack: "Re: Jaws Technologies: Snake Oil?"
• In reply to: Mok-Kong Shen: "Re: Jaws Technologies: Snake Oil?"

On Tue, Oct 06, 1998 at 09:15:35AM +1000, Greg Rose wrote:
| At 17:41 5/10/98 -0400, Marcus Watts wrote:
| >Hm. So much for theory. Surely they're more rugged than
| >laptops though?
|
| Yeah, when I put the laptop in my wallet, they *both* broke.

You clearly need a smaller laptop. :)

Qualcomm's analysis of why to use SecurId is a solid one, although I
personally prefer to use challenge response tokens over time based
ones, and I prefer units where I can set the key. To be fair to SDI,
most of my reasons for wanting CR over time are moot in an encrypted
environment, and the clock drift per card is substantial enough that
its effectively re-keying after it leaves the factory.

Adam

| Sorry, couldn't resist. Seriously though, I carry my old format secureID
| card with my business cards, and have no problem. Sitting on them breaks
| them though.
|
| The newer ones are in the form of a keyfob, and are apparently more robust
| (but you wouldn't want to sit on them either).
|
| We (QUALCOMM) use SecureID tokens to authenticate to SSH for the only
| opening in the firewall. The reason we do this is that unsophisticated
| users often fail to set passwords on their SSH keys on their laptops, and
| laptops are a target for theft in their own right, so it is just too big a
| security exposure. The security administrators have no control over the
| existence or quality of a password which exists only on the laptop, but
| they do have control over the "PIN" (really a password) which goes with the
| SecureID token. So needing the token to authenticate SSH means that the
| session is still protected, as Perry requires, and stealing the laptop
| doesn't by itself breach the perimeter. You can use SSH from an untrusted
| machine (which you shouldn't do with RSA authentication), and still not
| allow future connections.
|
| Greg.
|
| Greg Rose INTERNET: ggr@Qualcomm.com
| Qualcomm Australia VOICE: +61-2-9181-4851 FAX: +61-2-9181-5470
| Suite 410, Birkenhead Point, http://people.qualcomm.com/ggr/
| Drummoyne NSW 2047 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

• Next message: Mok-Kong Shen: "Re: Jaws Technologies: Snake Oil?"
• Previous message: Adam Shostack: "Re: Jaws Technologies: Snake Oil?"
• In reply to: Mok-Kong Shen: "Re: Jaws Technologies: Snake Oil?"