Firewall Wizards mailing list archives
Re: Username password VS hardware token plus PIN
From: David Lang <david.lang () digitalinsight com>
Date: Wed, 23 Feb 2005 23:03:31 -0800 (PST)
On Tue, 22 Feb 2005, Kevin wrote:
> Date: Tue, 22 Feb 2005 12:24:02 -0600
> From: Kevin <kkadow () gmail com>
> To: firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Username password VS hardware token plus PIN
>
> On Tue, 22 Feb 2005 12:15:40 -0500, Mark Gumennik <mgumennik () mitre org> wrote:
> > Mike, I think the best you can get is SecureID/ACE (used to be AXENT, now RSA?)
> > (Also quite expensive :-)
>
> SecurID is unrelated to AXENT's product, totally different set of patents.
> For some info on SecurID, please visit my totally unofficial SecurID User's forum:
> http://groups.yahoo.com/group/securid-users/
>
> I converted from the old X9.9/Axent challenge-response tokens after the algorithm was shown to have major cryptographic weaknesses and withdrawn by ANSI. The old school Axent tokens are no longer viable for strong authentication; the newer response-only tokens from Cryptocard and Secure Computing do not have the X9.9 flaws in their standard algorithm, but can be programmed to use the flawed mode.
IIRC the vulnerability of the old SNK004 format tokens was that if you received enough challenge/response pairs (potentially as few as two) you could brute-force the DES encryption key and duplicate the token.
while this is definitely a problem I would argue that if you are using the token for authentication over an otherwise encrypted link this may very well be "good enough"
at this point you've limited your exposure to people with keystroke loggers on the client machine, who are logging long enough to get the multiple samples they need, and who care enough about you being a target to spend the effort to brute-force the key (which is a doable effort, but still requires a significant amount of resources)
it may not be ideal, but it stands a good chance to make it so that there are easier ways to get into the system (probably via application vulnerabilities). and they have the advantage that the server-side doesn't require expensive licenses to implement (do a google search for snk.c and you can find freely available source to implement, at one point it was in a package called dip-3.3.7, among others)
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
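The exchange David describes (a challenge-response token whose answer is a keyed function of the challenge, and a server that recomputes it) as an added example; this is not code from the original message, from the snk.c source it mentions, or from any vendor. Real X9.9/SNK tokens compute the response with DES, which is not in the Python standard library, so HMAC-SHA256 truncated to 8 hex digits stands in for the keyed function here (an assumption of this example, not the real algorithm). The `Token`/`AuthServer` names, the 8-digit challenge and response lengths, and the user names are constructed. The structural point of the thread survives the substitution: the response is fully determined by (secret key, challenge), so every captured pair is a known-input/known-output pair for that key, and the only thing separating a 56-bit DES key from a 128-bit key is the search effort `brute_force_work` estimates.

```python
import hmac
import hashlib
import secrets

# Constructed example: a challenge-response token in the style of the X9.9
# tokens discussed above. HMAC-SHA256 stands in for DES (assumption of this
# example); the real SNK algorithm is different, but the shape is the same.

RESPONSE_DIGITS = 8   # hex digits the token displays (constructed value)
CHALLENGE_DIGITS = 8  # decimal digits the user types into the token (constructed)


class Token:
    """Hardware token model: holds the secret key and answers challenges."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: str) -> str:
        # Deterministic: same key + same challenge always yields the same
        # response, which is why observed pairs help a key-recovery attack.
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).hexdigest()
        return mac[:RESPONSE_DIGITS]


class AuthServer:
    """Server side: knows each user's token key, issues fresh single-use
    challenges and verifies responses by recomputing them. Because each
    challenge is consumed on verification, a captured response cannot be
    replayed against a later login attempt."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, str] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> str:
        chal = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[user] = chal
        return chal

    def verify(self, user: str, response: str) -> bool:
        chal = self._pending.pop(user, None)  # single use
        key = self._keys.get(user)
        if chal is None or key is None:
            return False
        expected = Token(key).respond(chal)
        return hmac.compare_digest(expected, response)


def brute_force_work(key_bits: int, rate_per_second: float) -> float:
    """Expected seconds to search half of a key_bits key space at
    rate_per_second keyed computations per second, given at least one
    known challenge/response pair to test candidates against. For 56-bit
    DES this is the 'doable but significant' effort the message refers to;
    for 128-bit keys it is out of reach."""
    return (2 ** key_bits / 2) / rate_per_second


def demo() -> bool:
    """One login round trip, then a replay attempt that must fail."""
    key = secrets.token_bytes(16)
    server = AuthServer()
    server.enroll("alice", key)
    token = Token(key)

    chal = server.challenge("alice")   # server -> user
    resp = token.respond(chal)         # user reads token -> server
    ok = server.verify("alice", resp)

    server.challenge("alice")          # a new challenge is issued
    replayed = server.verify("alice", resp)  # old response no longer matches
    return ok and not replayed


if __name__ == "__main__":
    print("login ok, replay rejected:", demo())
    print("56-bit search at 1e9/s (s):", brute_force_work(56, 1e9))
    print("128-bit search at 1e9/s (s):", brute_force_work(128, 1e9))
```

Note that the single-use challenge only stops replay; it does nothing against the key-recovery attack the thread is about, because the attacker's goal is the key, not a reused response. That is why the message frames the remaining exposure in terms of how many pairs a keylogger must capture and how much brute-force effort the attacker is willing to spend.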