Security Basics mailing list archives

RE: One Time Password


From: "Nick Owen" <nowen () wikidsystems com>
Date: Mon, 8 Sep 2003 15:09:59 -0400

Jensen:

Here is a pretty good list/overview.
http://www.boran.com/security/IT1x-7.html#Heading111.  It's dated though,
and doesn't include us. ;)

I recently drafted a document - for marketing purposes so take it as you see
fit - discussing how to evaluate OTP systems, in particular, ours.  It is
now available here: http://www.wikidsystems.com/WiKIDReviewersGuidev1.pdf
Even if we're not a good fit, it should give you some insight.

One thing you may want to be aware of depending on your required level of
security is what's called a 'race attack' against fixed length passcodes
(http://www.tux.org/pub/security/secnet/papers/secureid.pdf), which puts the
relative security of one-time passcodes into perspective.  Essentially, an
attacker puts a keylogger on the user's PC.  They sniff and replay the first
11 digits, assuming a 6 digit PIN and a 6 digit OTP.  They then guess the
12th digit.  If it's a numeric OTP with a 3 guess max, they have a 3/10
chance of getting in.  We haven't added variable length passcodes yet, but
it's in the hopper.

Nick

-----Original Message-----
From: Jensen [mailto:jensen () estadao com br]
Sent: Thursday, September 04, 2003 7:08 PM
To: security-basics () securityfocus com
Subject: One Time Password



Hi

What "One Time Password" (Ex: SecurID) solutions are available in the market
today? Which are the advantages/disadvantages of them?

Thanks

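The race attack Nick describes above, as an added worked example (this is not code from either post, nor from WiKID or SecurID): a toy fixed-length PIN+OTP verifier with a three-strike lockout, an attacker whose keylogger has delivered the first 11 characters and who races the user on the 12th, and an exhaustive measurement of the odds. The PIN, the captured OTP prefix, the `PasscodeVerifier` class and the lockout policy are all constructed assumptions; the measurement also assumes the attacker's guesses always arrive before the user's own submission consumes the OTP.

```python
"""Race attack against a fixed-length PIN+OTP passcode (constructed example).

Hypothetical verifier: expects a 6-digit PIN followed by a 6-digit numeric
OTP, consumes the OTP on first success, and locks the account after
max_guesses failures.  The attacker's keylogger yields the first 11 typed
characters; the attacker then submits guesses for the 12th before the
legitimate user's submission lands.
"""
from itertools import product
import random

PIN = "135791"           # constructed sample PIN
OTP_PREFIX = "48291"     # constructed: first 5 OTP digits seen by the keylogger
DIGITS = "0123456789"


class PasscodeVerifier:
    """Toy server-side check for a fixed-length passcode."""

    def __init__(self, pin, otp, max_guesses=3):
        self.expected = pin + otp
        self.max_guesses = max_guesses
        self.failed = 0
        self.locked = False
        self.otp_used = False

    def verify(self, passcode):
        if self.locked or self.otp_used:
            return False
        if passcode == self.expected:
            self.otp_used = True   # one-time: consumed on first success
            return True
        self.failed += 1
        if self.failed >= self.max_guesses:
            self.locked = True     # three strikes: account locked
        return False


def race_attack(verifier, captured_prefix, unknown=1, alphabet=DIGITS, seed=0):
    """Attacker knows all but the last `unknown` characters and tries distinct
    completions until login or lockout.  Returns True on a successful login."""
    candidates = ["".join(p) for p in product(alphabet, repeat=unknown)]
    random.Random(seed).shuffle(candidates)   # guess order does not change the odds
    for guess in candidates[: verifier.max_guesses]:
        if verifier.verify(captured_prefix + guess):
            return True
    return False


def analytic_success(alphabet_size=10, unknown=1, max_guesses=3):
    """Probability that one of max_guesses distinct guesses hits the suffix."""
    return min(1.0, max_guesses / alphabet_size ** unknown)


def measured_success(unknown=1, max_guesses=3, alphabet=DIGITS):
    """Exhaustive measurement: let every possible suffix be the true one in turn
    (unknown may be 1..6).  Deterministic, so it matches analytic_success exactly."""
    otp_known = OTP_PREFIX[: 6 - unknown]     # OTP digits the keylogger delivered
    wins = total = 0
    for suffix in product(alphabet, repeat=unknown):
        otp = otp_known + "".join(suffix)
        verifier = PasscodeVerifier(PIN, otp, max_guesses)
        wins += race_attack(verifier, PIN + otp_known, unknown, alphabet)
        total += 1
    return wins / total


if __name__ == "__main__":
    for k in (1, 2):
        print(f"unknown digits={k}: analytic={analytic_success(unknown=k):.3f} "
              f"measured={measured_success(unknown=k):.3f}")
```

With one unknown digit and three guesses the attacker wins 3 times in 10, exactly as the post says; leaving two digits unknown drops that to 3 in 100, which is the whole argument for variable-length passcodes (the attacker cannot tell from the keystrokes where the captured prefix ends).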