Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: kadokev () msg net
Date: Mon, 18 Sep 2000 11:30:15 -0500 (CDT)

Vin McLellan wrote:
1.  I, for one, would be very interested in the logic by which you 
determined that CryptoCard and Axent's Defender/WebDefender were not viable 
choices for you or your client.

It wasn't entirely my choice; the client has certain expectations for
Solaris support, token form factor, and price, and is using Secure Computing's
SideWinder firewall, which recommends using their SafeWord, or RSA's SecurID
tokens.

I just recently noticed that unlike SecurID, SafeWord has no provision to
use a PIN in combination with their key fob 'SafeWord Silver 2000' token,
so they are out of the running.

CryptoCard states that you can set their key fob 'KT-1' token to require
the PIN entered in the token, but does not explain how this is accomplished
with only one button.


2. I remember reading your Bugtraq post last year about how a flawed random 
number generator in Gauntlet/FWTK made the RNG's Challenge -- and thus the 
encrypted responses from individual Challenge/Response tokens -- predictable.

Can you give us an update on what happened in the aftermath of your post?

I posted because I had no real response from TIS, then when NAI bought them,
my bug report fell through the cracks entirely.
Shortly after (because of?) the BugTraq post, Gauntlet released a patch cluster
including fixes for the challenge problem.  I submitted a patch to the FWTK.org
site, though it doesn't seem to be published there. I'll try again when I have
some additional patches to contribute.

The Gauntlet bug experience, and later my similar experiences with McGraw-Hill
and S&P Comstock, have pushed me to the 'Full Disclosure' point of view. I
did an interview with Lew Kock of ZDNet, which should come out in a couple of weeks.


3. Did you form any opinions about Michal Zalewski's suggestions on BugTraq 
last month that ActivCard's encrypted "Responses" were 
predictable?  (Search for the subject "swc / ActivCard" in the August 
Bugtraq archive: <http://www.securityfocus.com/>)

(I've been a consultant to SDTI and RSA for many years, and I've never 
liked so-called "synchronous" Challenge/Response tokens, but I found myself 
defending ActivCard against Mr. Zalewski's allegations when Zalewski 
wouldn't demonstrate or even document the predictive talent he had claimed.)

Another reason to support full disclosure: ActivCard has had time to respond,
so now Mr. Zalewski should post his code.

With the Gauntlet bug, I at least had some 'proof of concept' code that showed
how to predict the challenge (not very useful) and logic and unfinished,
unpublished code for influencing the challenge (very useful).

4. Care to offer any more information about the context in which you plan 
to use either SecurID or SafeWord?  I might be able to offer some arguments 
about the relative strengths of RSA's ACE/SecurID, and I'm sure others 
might do the same for SCC's SafeWord, but context might help.

The primary application is in establishing VPN connections; the goal is to
be able to use the same tokens that are deployed to hundreds of end users for
VPN to give dozens of special-case users access to protected web sites,
a dozen or so people access to run commands as root via 'sudo', and a handful
of people administrative access to a SideWinder firewall (another Secure
Computing product).

Due to the lack of PINs on the SafeWord key fob, I'm taking another look at
CryptoCard.

Kevin Kadow
MSG.Net, Inc.
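The Gauntlet issue discussed in this thread (a weak RNG making the server's challenge, and therefore each token's response to it, predictable) can be illustrated with a small model of a challenge/response check. This is an added example, not code from the post, from Gauntlet/FWTK or from any token vendor; the keyed-hash response, the eight-digit format and the clock values are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import random
import secrets

# Constructed shared secret between token and server (demo placeholder, not a real key).
TOKEN_SECRET = b"constructed-demo-token-secret"


def weak_challenge(clock: int) -> str:
    """Challenge drawn from a non-cryptographic PRNG seeded with the clock.
    This models the flaw class the post describes: the seed is guessable,
    so the challenge is reproducible by anyone who knows the time window."""
    rng = random.Random(clock)
    return f"{rng.randrange(10**8):08d}"


def strong_challenge(clock: int) -> str:
    """Challenge from the OS CSPRNG. The clock argument is ignored and only
    keeps the signature uniform with weak_challenge()."""
    return f"{secrets.randbelow(10**8):08d}"


def token_response(challenge: str, secret: bytes = TOKEN_SECRET) -> str:
    """Token side: keyed hash of the challenge truncated to 8 digits.
    A generic illustration, not any vendor's algorithm."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify(challenge: str, response: str, secret: bytes = TOKEN_SECRET) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(token_response(challenge, secret), response)


def predictable_fraction(challenge_fn, trials: int = 20) -> float:
    """Audit check: an observer who knows only the clock computes what the
    server's next challenge will be before it is issued. 1.0 means every
    challenge is known in advance; since the token's answer to a given
    challenge is fixed, the responses are then just as predictable."""
    hits = 0
    for t in range(trials):
        clock = 969_000_000 + t          # constructed clock values (seconds)
        issued = challenge_fn(clock)
        guessed = weak_challenge(clock)  # observer's model: seed taken from the clock
        if issued == guessed:
            hits += 1
    return hits / trials
```

Running predictable_fraction(weak_challenge) returns 1.0, while predictable_fraction(strong_challenge) returns 0.0 (a single collision has probability one in a hundred million per trial), which is the property a challenge source has to have before the response can be treated as proof of token possession.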

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
