Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sat, 9 Dec 2000 18:59:56 -0500
On Fri, Dec 08, 2000 at 06:41:15PM -0500, Vin McLellan wrote:
Hi Ryan,
You are correct. If it were patented, it would be public and trade secret protection would no longer be necessary.
Brainard's SecurID hash is not patented. It is only protected by RSA's license agreements with its customers, the obligations those customers place on their employers, and the degree to which those employees honor those commitments.
No one has ever claimed this protection is bulletproof, but it has kept the SecurID hash unpublished for 14-15 years.
I thought that the SecurID algorithm had become known (Ok... That's not the same thing as "being published"). It was my understanding, from the same source that I got my SecurID app for my Palm Pilot, that the same process that had led to that application being available on the Palm Pilot had resulted in the algorithm being known. That being said, I don't have a copy of the algorithm, and it was not claimed that it was "published" by the SecurID people.
But I do have the SecurID calculator on my Palm Pilot. It's there in 68K binary, so it could be reverse engineered. I have not installed the "SecurID key file" (the Network Administrator here is thoroughly PISSED that I, of all people, have the ability to use SecurID without one of his precious dongles and has not given me a key file, yet), so it's just running in "demo" mode. (Besides, I've got a lot more systems where I use S/Key than SecurID, and now I've got S/Key integrated into the new version of Strip on the Palm Pilot - I really don't need SecurID.)
BTW... We have had abysmal luck with the SecurID keyfobs. I've never even used mine and I looked at it one day and the LCD was gibberish. I asked said Admin if I needed to stroke the Tamagotchi more often to keep it happy. He failed to see the humor. That's WHY I want the key file to activate my SecurID calculator on my Palm Pilot. That's also WHY he's so pissy about it. He hates to feel like he had to give in because the damn things are unreliable. Another individual has gone through a half a dozen in the last year. I'm not impressed... But they keep buying more of them.
Suerte, _Vin
On Thu, 7 Dec 2000, Ryan Russell wrote:
Tommy Ward <tommy () securify com> wrote:
As far as [RSA's SecurID] algorithm, it is patented, and it is implemented in several software products, including the ACE/Server and the software version of the token. That means it is not really very secret....
As others have noted, the 14 year-old SecurID hash is an RSA trade secret. It remains unpublished today largely due to commitments RSA (then Security Dynamics) made to early customers, when such commitments were demanded by many customers, particularly in banking and financial services.
Based on my limited understanding of the patent application process in the US, an item can't both be patented, and remain unpublished. Which bit of info is incorrect?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!