Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sat, 9 Dec 2000 18:59:56 -0500

On Fri, Dec 08, 2000 at 06:41:15PM -0500, Vin McLellan wrote:
Hi Ryan,

      You are correct. If it were patented, it would be public and
trade secret protection would no longer be necessary.

      Brainard's SecurID hash is not patented. It is only protected by
RSA's license agreements with its customers, the obligations those
customers place on their employers, and the degree to which those
employees honor those commitments.

      No one has ever claimed this protection is bulletproof, but it has
kept the SecurID hash unpublished for 14-15 years.

        I thought that the SecurID algorithm had become known (Ok...
That's not the same thing as "being published").  Was my understanding,
from the same source that I got my SecurID app for my Palm Pilot, that
the same process that had led to that application being available on the
Palm Pilot had resulted in the algorithm being known.

        That being said, I don't have a copy of the algorithm, and it was
not claimed that it was "published" by the SecurID people.  But I do have
the SecurID calculator on my Palm Pilot.  It's there in 68K binary, so it
could be reverse engineered.  I have not installed the "SecurID key
file" (the Network Administrator here is thoroughly PISSED that I, of all
people, have the ability to use SecurID without one of his precious
dongles and has not given me a key file, yet.) so it's just running in
"demo" mode.  (Besides, I've got a lot more systems where I use S/Key
than SecurID, and now I've got S/Key integrated into the new version
of Strip on the Palm Pilot - I really don't need SecurID.)

        BTW...  We have had abysmal luck with the SecurID keyfobs.  I've
never even used mine and I looked at it one day and the LCD was gibberish.
I asked said Admin if I needed to stroke the Tamagotchi more often to keep
it happy.  He failed to see the humor.  That's WHY I want the key file to
activate my SecurID calculator on my Palm Pilot.  That's also WHY he's
so pissy about it.  He hates to feel like he had to give in because the
damn things are unreliable.  Another individual has gone through a
half a dozen in the last year.  I'm not impressed...  But they keep
buying more of them.

      Suerte,
              _Vin


On Thu, 7 Dec 2000, Ryan Russell wrote:



         Tommy Ward <tommy () securify com> wrote:

As far as [RSA's SecurID] algorithm, it is patented, and it is implemented
in several software products, including the ACE/Server and the software
version of the token.  That means it is not really very secret....

         As others have noted, the 14 year-old SecurID hash is an RSA trade
secret. It remains unpublished today largely due to commitments RSA (then
Security Dynamics) made to early customers, when such commitments were
demanded by many customers, particularly in banking and financial services.

Based on my limited understanding of the patent application process in the
US, an item can't both be patented, and remain unpublished.  Which bit of
info is incorrect?



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

