Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 22 Nov 2000 17:52:17 -0500
In message <4.3.2.7.2.20001121152602.01d06a98@127.0.0.1>, Tommy Ward writes:
> As far as the algorithm, it is patented, and it is implemented in several software products, including the ACE/Server and the software version of the token. That means it is not really very secret.... What makes me wonder more about the "secret technology" involved in this case is the deduced limitation on the crypto used.
>
> If you think about the hardware based SecurID card having up to a 4 year battery life, and the most basic version displays a new OTP every 60 seconds whether you need it or not, there can't be a very large number of clock cycles involved in computing the OTP. By comparison, we used to see about a 2 year battery life on the old SNK token, which used an 8-bit processor to perform a single DES computation to generate its OTP, and only did so when you need a new OTP to authenticate with.
>
> I would guess that a brute force analysis should be able to compromise any given SecurID account in a short period of time. If you had only a few samples of plain text (the time of day) and cypher text (the OTP), this should be a computationally easy task. If you can pry it out of him, Mudge did enough work on this in about 1995 to prepare a paper on the subject, but he got "persuaded" not to release it.
First of all, I don't think the algorithm is patented. Rather, it's a trade secret. The crypto is home-grown because they didn't have the cycles to do DES.

And you're not going to brute-force the algorithm. Apart from the key being too long, it doesn't show all of the output.

Yes, I've seen the algorithm, under NDA.

--Steve Bellovin

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
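The two counterarguments above (the key is too long, and the display shows only part of the output) can be put in numbers with a toy model. This is an added example, not part of the thread and not SecurID's algorithm, which is not public: it assumes a generic time-based OTP built from a truncated HMAC, with a deliberately tiny 16-bit key so the exhaustive search finishes instantly, and shows how many candidate keys remain consistent with each additional observed (time, code) pair.

```python
import hashlib
import hmac
import struct

# Toy model (assumption, not SecurID's secret algorithm): the displayed code
# is HMAC-SHA256(key, time step) truncated to a few decimal digits.
# The key size is deliberately tiny so an exhaustive search runs in under a
# second; the arithmetic at the end shows why a real key length does not.

def toy_otp(key: bytes, step: int, digits: int) -> int:
    """OTP for one time step: HMAC over the step counter, truncated to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % (10 ** digits)

def observe(secret: int, key_bits: int, steps, digits: int):
    """Constructed 'observer view': (time step, displayed code) pairs."""
    key = secret.to_bytes((key_bits + 7) // 8, "big")
    return [(s, toy_otp(key, s, digits)) for s in steps]

def surviving_keys(samples, key_bits: int, digits: int):
    """Every key in the toy keyspace still consistent with all observed pairs."""
    nbytes = (key_bits + 7) // 8
    survivors = []
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if all(toy_otp(key, s, digits) == code for s, code in samples):
            survivors.append(k)
    return survivors

def expected_false_survivors(key_bits: int, digits: int, n_samples: int) -> float:
    """Wrong keys expected to survive n samples by chance: each truncated code
    rules out all but about 1/10^digits of the keys still in play."""
    return (2 ** key_bits - 1) / (10 ** digits) ** n_samples

if __name__ == "__main__":
    SECRET, KEY_BITS, DIGITS = 0xBEEF, 16, 3
    samples = observe(SECRET, KEY_BITS, [1000, 1001, 1002, 1003], DIGITS)
    for n in range(1, len(samples) + 1):
        got = len(surviving_keys(samples[:n], KEY_BITS, DIGITS))
        exp = expected_false_survivors(KEY_BITS, DIGITS, n)
        print(f"{n} sample(s): {got} keys survive (expected false ~{exp:.2f})")
    # Same search at a realistic key length, assuming 1e9 trials per second:
    # the work grows with the keyspace, not with the number of samples.
    print(f"128-bit keyspace at 1e9 keys/s: {2**128 / 1e9 / 3.15e7:.1e} years")
```

With 3-digit codes the first sample leaves dozens of wrong keys standing and the second removes almost all of them, so truncation costs the searcher a few extra samples, while the key length alone decides whether the search is feasible.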