Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: kadokev () msg net
Date: Mon, 18 Sep 2000 11:30:15 -0500 (CDT)
Vin McLellan wrote:
> 1. I, for one, would be very interested in the logic by which you determined that CryptoCard and Axent's Defender/WebDefender were not viable choices for you or your client.
It wasn't entirely my choice: the client has certain expectations for Solaris support, token form factor, and price, and is using Secure Computing's SideWinder firewall, which recommends using their SafeWord or RSA's SecurID tokens. I just recently noticed that, unlike SecurID, SafeWord has no provision to use a PIN in combination with their 'SafeWord Silver 2000' key fob token, so they are out of the running. CryptoCard states that you can set their 'KT-1' key fob token to require the PIN to be entered on the token, but does not explain how this is accomplished with only one button.
> 2. I remember reading your Bugtraq post last year about how a flawed random number generator in Gauntlet/FWTK made the RNG's Challenge -- and thus the encrypted responses from individual Challenge/Response tokens -- predictable. Can you give us an update on what happened in the aftermath of your post?
I posted because I had no real response from TIS, and then, when NAI bought them, my bug report fell through the cracks entirely. Shortly after (because of?) the BugTraq post, Gauntlet released a patch cluster including fixes for the challenge problem. I submitted a patch to the FWTK.org site, though it doesn't seem to be published there. I'll try again when I have some additional patches to contribute. The Gauntlet bug experience, and later my similar experiences with McGraw-Hill and S&P Comstock, have pushed me to the 'Full Disclosure' point of view. I did an interview with Lew Kock of ZDNet; it should come out in a couple of weeks.
> 3. Did you form any opinions about Michal Zalewski's suggestions on BugTraq last month that ActivCard's encrypted "Responses" were predictable? (Search for the subject "swc / ActivCard" in the August Bugtraq archive: <http://www.securityfocus.com/>) (I've been a consultant to SDTI and RSA for many years, and I've never liked so-called "synchronous" Challenge/Response tokens, but I found myself defending ActivCard against Mr. Zalewski's allegations when Zalewski wouldn't demonstrate or even document the predictive talent he had claimed.)
Another reason to support full disclosure: ActivCard has had time to respond, and now Mr. Zalewski should post his code. With the Gauntlet bug, I at least had some 'proof of concept' code that showed how to predict the challenge (not very useful), and logic and unfinished, unpublished code for influencing the challenge (very useful).
> 4. Care to offer any more information about the context in which you plan to use either SecurID or SafeWord? I might be able to offer some arguments about the relative strengths of RSA's ACE/SecurID, and I'm sure others might do the same for SCC's SafeWord, but context might help.
The primary application is in establishing VPN connections; the goal is to be able to use the same tokens that are deployed to hundreds of end users for VPN to give dozens of special-case users access to protected web sites, a dozen or so people access to run commands as root via 'sudo', and a handful of people administrative access to a SideWinder firewall (another Secure Computing product). Due to the lack of PINs on the SafeWord key fob, I'm taking another look at CryptoCard.

Kevin Kadow
MSG.Net, Inc.

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards