Firewall Wizards mailing list archives
Re: SecureID vs Certificates
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Mon, 12 Feb 2001 18:25:29 -0500
On Mon, Feb 12, 2001 at 10:18:05AM -0500, Tony Miedaner wrote:
Hi Folks,
Kind of a high level questions on trade offs between SecureID or Certificates. It would seem pretty obvious that SecureID is a better system BUT for many situations it would seem to me
Really? "Pretty obvious?" After the algorithm was published on BugTraq and confirmed by another poster (who has RSA connections) and then analyzed by Mudge and King Pin to be basically a 64 bit key system with only 22 bits of time seed and passes the user PIN over the wire? That SecureID? Doesn't seem so obvious to me.
that certificates would be a reasonable form of two factor authentication. Can anyone provide a good reason why not to use certificates over SecureID?
Is it even reasonable to classify certificates as two factor?
It is understood that if someone can take control your computer they may be able to use the cert.
If they sniff the wire for a few token entries passed in clear and record your PIN, the token, and the time, I would say they have a 64 bit plaintext attack on your token card. Tough, but not impossible. Are you worth cracking that token? Probably not. It would take a hefty chunk of computing iron and some significant time, just for one token. You would have to be a pretty high profile target. Right now... I would definitely use SecureID in combination with something else. Either encryption (like SSL) to prevent passing tokens in clear or with certificates as backup authentication. Computing horse power is NOT getting weaker or more expensive...
Any insight is much appreciated as always:-)
Mike -- Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: SecureID vs Certificates, (continued)
- Re: SecureID vs Certificates Crist Clark (Feb 14)
- Re: SecureID vs Certificates Darren Reed (Feb 15)
- Re: SecureID vs Certificates George Capehart (Feb 15)
- Re: SecureID vs Certificates Marcus J. Ranum (Feb 15)
- Re: SecureID vs Certificates Darren Reed (Feb 16)
- Re: SecureID vs Certificates beldridg (Feb 16)
- Re: SecureID vs Certificates Peter Lukas (Feb 16)
- Re: SecureID vs Certificates Crist Clark (Feb 14)
- Re: SecureID vs Certificates George Capehart (Feb 15)
- Re: SecureID vs Certificates Crist Clark (Feb 15)
- RE: SecureID vs Certificates Bill Jaeger (Feb 15)
- Re: SecureID vs Certificates Volker Tanger (Feb 15)
- Re: SecureID vs Certificates Peter Lukas (Feb 15)