Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: Vin McLellan <vin () shore net>
Date: Fri, 15 Sep 2000 01:49:38 -0400

Hi Kevin:

1. I, for one, would be very interested in the logic by which you determined that CryptoCard and Axent's Defender/WebDefender were not viable choices for you or your client.

2. I remember reading your Bugtraq post last year about how a flawed random number generator in Gauntlet/FWTK made the RNG's Challenge -- and thus the encrypted responses from individual Challenge/Response tokens -- predictable.

Can you give us an update on what happened in the aftermath of your post?

3. Did you form any opinions about Michal Zalewski's suggestions on BugTraq last month that ActivCard's encrypted "Responses" were predictable? (Search for the subject "swc / ActivCard" in the August Bugtraq archive: <http://www.securityfocus.com/>)

(I've been a consultant to SDTI and RSA for many years, and I've never liked so-called "synchronous" Challenge/Response tokens, but I found myself defending ActivCard against Mr. Zalewski's allegations when Zalewski wouldn't demonstrate or even document the predictive talent he had claimed.)

4. Care to offer any more information about the context in which you plan to use either SecurID or SafeWord? I might be able to offer some arguments about the relative strengths of RSA's ACE/SecurID, and I'm sure others might do the same for SCC's SafeWord, but context might help.

        Regards,
                _Vin

Vin McLellan
The Privacy Guild
Chelsea, MA USA


----- in response to ---------------------------------------

        Kevin Kadow <kadokev () msg net> wrote:

I'm currently evaluating options for commercial one-time-password systems; previously I had been using SNK-004 under FWTK, with the fixes for the problems I found last year (see BugTraq). [<http://www.dataguard.no/bugtraq/1999_2/0176.html>]

FYI, SNK-004 is fundamentally identical to the challenge-response hardware/software tokens from Axent.

The client is looking for something commercially supported, with simple hardware tokens, compatible with modern Solaris and SSH1. The choice is down to SafeWord or SecurID.

Since cost is a factor, SafeWord has an edge there. Also, SafeWord supports the SNK-004 system (listed as 'SecureNet' under authenticators), which is a plus for converting existing users.

Looking at the Solaris installation scripts and the SDK/API software each company includes, neither of them is very attractive at the moment. I may end up going with SecurID primarily because it has been around longer and has more support in third-party applications (Sudo, FWTK, etc).

Can anybody suggest compelling reasons to choose one over the other, or another vendor I may have missed (CryptoCard and Axent are out of the running)?


Thanks,

Kevin Kadow MSG.Net, Inc.


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
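The failure mode Vin raises in point 2 above, a server whose challenge RNG is weak so that its challenges (and hence the token responses it will accept) become predictable, illustrated as an added example. This is constructed demonstration code written for this archive page; it is not code from either poster, and it is not the SNK-004, Gauntlet/FWTK, Axent or any vendor's real token algorithm. The token response function (truncated HMAC-SHA256), the shared secret, the "flawed" challenge source (an LCG whose output is cut to 8 bits, so only 256 distinct challenges ever appear) and the session counts are all assumptions chosen to make the effect visible.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed shared secret held by one user's token and by the server.
TOKEN_SECRET = b"constructed-demo-token-secret"


def token_response(secret: bytes, challenge: str) -> str:
    """Token-side computation (constructed): 8 hex digits of HMAC-SHA256(secret, challenge)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def server_verify(secret: bytes, challenge: str, reply: Optional[str]) -> bool:
    """Server-side check of the reply to the challenge it issued."""
    if reply is None:
        return False
    return hmac.compare_digest(reply, token_response(secret, challenge))


def weak_challenge_source(seed: int) -> Callable[[], str]:
    """Flawed challenge generator (constructed): a 16-bit LCG whose output is
    truncated to 8 bits. The low 8 bits of such an LCG cycle through all 256
    values in order, so the server can only ever issue 256 distinct challenges
    and repeats each one every 256 logins."""
    state = seed & 0xFFFF

    def next_challenge() -> str:
        nonlocal state
        state = (state * 1103515245 + 12345) & 0xFFFF
        return f"{state & 0xFF:03d}"  # e.g. "042"

    return next_challenge


def strong_challenge_source() -> Callable[[], str]:
    """Sound challenge generator: 64 bits from the OS CSPRNG per challenge."""
    return lambda: secrets.token_hex(8)


def simulate_replay(challenge_source: Callable[[], str],
                    observed_sessions: int, attack_attempts: int) -> int:
    """An eavesdropper watches `observed_sessions` legitimate logins and records
    each (challenge, response) pair, then tries to log in `attack_attempts`
    times. Knowing nothing of the secret, it can only answer a challenge it
    has already seen answered. Returns how many attacker logins succeed."""
    notebook: Dict[str, str] = {}
    for _ in range(observed_sessions):
        challenge = challenge_source()
        # The legitimate user's token reply, as seen on the wire.
        notebook[challenge] = token_response(TOKEN_SECRET, challenge)

    wins = 0
    for _ in range(attack_attempts):
        challenge = challenge_source()
        if server_verify(TOKEN_SECRET, challenge, notebook.get(challenge)):
            wins += 1
    return wins


if __name__ == "__main__":
    weak = simulate_replay(weak_challenge_source(seed=1), observed_sessions=256, attack_attempts=50)
    strong = simulate_replay(strong_challenge_source(), observed_sessions=256, attack_attempts=50)
    print(f"weak RNG:   {weak}/50 attacker logins succeeded")
    print(f"strong RNG: {strong}/50 attacker logins succeeded")
```

With the 8-bit challenge space the attacker who has watched 256 logins answers every subsequent challenge correctly without ever learning the secret; with 64-bit challenges the same notebook is useless. The token arithmetic is identical in both runs, which is the point: the strength of a challenge/response token is capped by the entropy of the server's challenge, not by the cipher in the token.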

