Security Basics mailing list archives
RE: One Time Password
From: "Nick Owen" <nowen () wikidsystems com>
Date: Mon, 8 Sep 2003 15:09:59 -0400
Jensen:

Here is a pretty good list/overview: http://www.boran.com/security/IT1x-7.html#Heading111. It's dated though, and doesn't include us. ;)

I recently drafted a document - for marketing purposes so take it as you see fit - discussing how to evaluate OTP systems, in particular, ours. It is now available here: http://www.wikidsystems.com/WiKIDReviewersGuidev1.pdf

Even if we're not a good fit, it should give you some insight.

One thing you may want to be aware of depending on your required level of security is what's called a 'race attack' against fixed length passcodes (http://www.tux.org/pub/security/secnet/papers/secureid.pdf), which puts the relative security of one-time passcodes into perspective. Essentially, an attacker puts a keylogger on the user's PC. They sniff and replay the first 11 digits, assuming a 6 digit PIN and a 6 digit OTP. They then guess the 12th digit. If it's a numeric OTP with a 3 guess max, they have a 3/10 chance of getting in.

We haven't added variable length passcodes yet, but it's in the hopper.

Nick
-----Original Message-----
From: Jensen [mailto:jensen () estadao com br]
Sent: Thursday, September 04, 2003 7:08 PM
To: security-basics () securityfocus com
Subject: One Time Password

Hi

What "One Time Password" (Ex: SecurID) solutions are available in the market today? Which are the advantages/disadvantages of them?

Thanks
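The odds quoted in the reply above, worked through from the verifier's side as an added example (not part of the original post or of any vendor's code). The `Verifier` class, the `lock_on_near_miss` policy and the sample 11-digit prefix are assumptions constructed for illustration; the near-miss lockout is one possible server-side response, not something the post proposes.

```python
from fractions import Fraction


class Verifier:
    """Toy passcode checker for one user (constructed for this example)."""

    def __init__(self, valid, max_failures=3, lock_on_near_miss=False):
        self.valid = valid                  # PIN + OTP currently accepted
        self.max_failures = max_failures    # the "3 guess max" from the post
        self.lock_on_near_miss = lock_on_near_miss  # hypothetical policy
        self.failures = 0
        self.locked = False
        self.alerts = []                    # near misses worth investigating

    def attempt(self, passcode):
        if self.locked:
            return False
        if passcode == self.valid:
            self.locked = True              # one-time: the code is now spent
            return True
        self.failures += 1
        # Near miss: right length, everything but the final character correct.
        near = (len(passcode) == len(self.valid)
                and passcode[:-1] == self.valid[:-1])
        if near:
            self.alerts.append(passcode)
        if self.failures >= self.max_failures or (near and self.lock_on_near_miss):
            self.locked = True
        return False


def race_success(prefix, alphabet="0123456789", max_failures=3,
                 lock_on_near_miss=False):
    """Exact chance that a replayed prefix plus a guessed last character is
    accepted, averaged over every possible true last character."""
    wins = 0
    for true_last in alphabet:
        v = Verifier(prefix + true_last, max_failures, lock_on_near_miss)
        # Guesses run through the alphabet until the verifier locks.
        if any(v.attempt(prefix + guess) for guess in alphabet):
            wins += 1
    return Fraction(wins, len(alphabet))


SAMPLE_PREFIX = "12345678901"   # constructed: 6-digit PIN + first 5 OTP digits
```

With the default three-failure limit `race_success(SAMPLE_PREFIX)` is 3/10, matching the figure in the post; locking on the first near miss brings it to 1/10, at the cost of also locking out a user who mistypes only the final digit.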