Firewall Wizards mailing list archives
Re: secure ID token based authentication
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 28 Jan 2003 09:08:33 +0100
----- Original Message -----
From: "Luca Berra" <bluca () comedia it>

[...]
> i was thinking about this one
> http://www.atstake.com/research/reports/acrobat/initial_securid_analysis.pdf
> there is an older paper written by Adam Shostack who is a contributor to this list
> http://www.homeport.org/~adam/dimacs.html
[...]

OK, so now we're talking about ACE/SecurID and not the RADIUS part of the transaction (which, as Andrew Kalat wisely pointed out, can be mitigated by using TACACS+ in some environments).

<rant>
I hear more poorly considered opinion about cryptographic protocols than anything else. It's really not that hard to read these things with a slightly sceptical mind, think carefully about the implications and form a sensible opinion, but I'm constantly stunned by the number of times I've had to wield the crypto cluestick (or watch as other people, who actually know something about crypto, apply that trusty baton themselves). Putting something in a whitepaper doesn't make it true, and suggesting that something "may be attackable" doesn't make it dead. Luca - this is not directed at you, since you've just quoted a lot of existing work, but seeing some of the opinions expressed in some of those threads gets me all riled again.
</rant>

I've previously offered my opinion on both the Mudge paper and Shostack's work. The first, IMO, isn't (and doesn't claim to be) any kind of break. It doesn't even suggest an attack - all that was to be saved "for the next paper" which never arrived. The Shostack paper, as one would expect, is clueful. Sadly, it was mainly based on an old version of the ACE protocol, so the nastiest looking UDP injection attack doesn't work. Adam also keeps Brainard's response on his site here: http://www.homeport.org/~adam/brainard.html (John Brainard, among other achievements, wrote the internal hash for the SecurID tokens. He's very smart.)

> we even have something in the archives of our favorite list
> http://honor.trusecure.com/pipermail/firewall-wizards/2000-December/009833.html
[...]

From the same thread, anyone that cares enough to keep following this issue should absolutely read this: http://honor.trusecure.com/pipermail/firewall-wizards/2000-December/009739. Vin knows his stuff. It's a long message, but it covers all the ground, and I still read it from time to time when I'm talking about ACE/SecurID (and not just because I get quoted a few times ;).

> --
> Luca Berra -- bluca () comedia it

In short, the ACE/SecurID protocol is showing its age. Fair enough. However there still isn't any work I know of that credibly puts forth an attack that's worth worrying about for most people. As always, I'm ready to change my opinion in the light of _new_ evidence, but rehashing old arguments based on old work isn't going to do it. ;)

Quoting Vin: "As with any security technology, the design goal of a SecurID token was not to make an attack upon it impossible, just impractical (and more difficult and more costly than alternative attack options)."

Which is the point, really.

Cheers,
Ben "I am not a cryptographer" Nagy

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- secure ID token based authentication Prashant Desai (Jan 25)
- Re: secure ID token based authentication Paul D. Robertson (Jan 25)
- Re: secure ID token based authentication Paul D. Robertson (Jan 25)
- Re: secure ID token based authentication John Keeton (Jan 26)
- Re: secure ID token based authentication ark (Jan 27)
- Re: secure ID token based authentication Mike Scher (Jan 27)
- Re: secure ID token based authentication Luca Berra (Jan 26)
- Message not available
- Re: secure ID token based authentication Luca Berra (Jan 27)
- Re: secure ID token based authentication Ben Nagy (Jan 28)
- Re: secure ID token based authentication ark (Jan 29)
- Message not available
- Re: secure ID token based authentication Paul D. Robertson (Jan 25)
- Re: secure ID token based authentication Ben Nagy (Jan 27)
- <Possible follow-ups>
- Re: secure ID token based authentication Miha Vitorovic (Jan 27)
- RE: secure ID token based authentication Kalat, Andrew (ISS Atlanta) (Jan 27)
- RE: secure ID token based authentication Prashant Desai (Jan 28)
- RE: secure ID token based authentication Reckhard, Tobias (Jan 28)