Firewall Wizards mailing list archives

Re: Username password VS hardware token plus PIN


From: David Lang <david.lang () digitalinsight com>
Date: Wed, 23 Feb 2005 23:03:31 -0800 (PST)

On Tue, 22 Feb 2005, Kevin wrote:

Date: Tue, 22 Feb 2005 12:24:02 -0600
From: Kevin <kkadow () gmail com>
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Username password VS hardware token plus PIN

On Tue, 22 Feb 2005 12:15:40 -0500, Mark Gumennik <mgumennik () mitre org> wrote:
Mike,
I think the best you can get is SecureID/ACE (used to be AXENT, now RSA?)
(Also quite expensive :-)

SecurID is unrelated to AXENT's product, totally different set of patents. For
some info on SecurID, please visit my totally unofficial SecurID User's forum:
http://groups.yahoo.com/group/securid-users/

I converted from the old X9.9/Axent challenge-response tokens after the
algorithm was shown to have major cryptographic weaknesses and
withdrawn by ANSI.  The old school Axent tokens are no longer viable
for strong authentication;  the newer response-only tokens from
Cryptocard and Secure Computing do not have the X9.9 flaws in their
standard algorithm, but can be programmed to use the flawed mode.

IIRC the vulnerability of the old SNK004 format tokens was that if you received enough challenge/response pairs (potentially as few as two) you could brute-force the DES encryption key and duplicate the token.

While this is definitely a problem, I would argue that if you are using the token for authentication over an otherwise encrypted link this may very well be "good enough".

At this point you've limited your exposure to people with keystroke loggers on the client machine, who are logging long enough to get the multiple samples they need, and who care enough about you being a target to spend the effort to brute-force the key (which is a doable effort, but still requires a significant amount of resources).

It may not be ideal, but it stands a good chance to make it so that there are easier ways to get into the system (probably via application vulnerabilities). And they have the advantage that the server-side doesn't require expensive licenses to implement (do a google search for snk.c and you can find freely available source to implement; at one point it was in a package called dip-3.3.7, among others).

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no 
deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
 -- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
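The "potentially as few as two" figure above is a counting argument: each observed challenge/response pair eliminates all but a 2^-r fraction of the wrong keys, where r is the number of response bits, so once m*r exceeds the key width only the real key survives. The toy model below, added here as an illustration and not code from the thread or from any token vendor, makes that argument concrete for exposure assessment. It does not implement X9.9 or DES: the keyed function is a truncated SHA-256 stand-in over an assumed 16-bit key space and an assumed 12-bit response, sized so the whole space can be enumerated in under a second. The helper `expected_false_candidates` applies the same arithmetic to a DES-sized 56-bit key; the 32-bit response width passed to it in the example is an assumption, not the real token's format.

```python
"""Toy model of how many challenge/response pairs pin down a token key.
Added example, not from the thread and not X9.9/DES: the keyed function is a
truncated SHA-256 stand-in over a 16-bit key space (assumed values)."""
import hashlib
from typing import List, Optional, Tuple

KEY_BITS = 16       # toy key width (assumption; a real X9.9/DES token key is 56 bits)
RESPONSE_BITS = 12  # toy response width (assumption; tokens display only a short response)


def toy_response(key: int, challenge: int) -> int:
    """Stand-in for the token's keyed challenge->response function.

    Real SNK-style tokens computed a DES-based X9.9 MAC over the challenge;
    here we hash key||challenge and keep RESPONSE_BITS bits, which is enough
    to show the counting argument without modelling the real algorithm."""
    data = key.to_bytes(2, "big") + challenge.to_bytes(4, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << RESPONSE_BITS) - 1)


def expected_false_candidates(key_bits: int, response_bits: int, pairs: int) -> float:
    """Expected number of *wrong* keys still consistent with `pairs` observed
    pairs, treating the response as a random function of the key: each pair
    keeps a wrong key with probability 2**-response_bits."""
    return (2.0 ** key_bits - 1) * 2.0 ** (-response_bits * pairs)


def consistent_keys(observed: List[Tuple[int, int]]) -> List[int]:
    """Every key in the toy space whose responses match all observed pairs."""
    return [k for k in range(1 << KEY_BITS)
            if all(toy_response(k, c) == r for c, r in observed)]


def pairs_needed(true_key: int, challenges: List[int]) -> Optional[int]:
    """Reveal challenges one at a time (what a logger on the client would see)
    and report how many pairs it took before the true key is the only survivor."""
    observed: List[Tuple[int, int]] = []
    for c in challenges:
        observed.append((c, toy_response(true_key, c)))
        if consistent_keys(observed) == [true_key]:
            return len(observed)
    return None


if __name__ == "__main__":
    # Constructed sample: a fixed toy key and the challenges the server happened to issue.
    sample_key = 0x3A5C
    sample_challenges = [1234567, 7654321, 1111111, 9999999, 4242424]
    print("toy pairs needed:", pairs_needed(sample_key, sample_challenges))
    # Same arithmetic for a 56-bit DES key with an assumed 32-bit response width:
    print("56-bit key, 32-bit response, 2 pairs ->",
          expected_false_candidates(56, 32, 2), "expected false candidates")
```

In the toy space one pair leaves about sixteen wrong keys alive, so the second pair is what removes them; with the 56-bit key and 32-bit response the expected number of false survivors after two pairs is below 0.01, which is where the "as few as two" estimate comes from. The practical lesson for a defender is the one David draws: the exposure is bounded by how many pairs an observer on the client can collect, and by the cost of enumerating 2^56 keys once they have them.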
