Firewall Wizards mailing list archives

Re: SecureID vs Certificates


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Mon, 12 Feb 2001 18:25:29 -0500

On Mon, Feb 12, 2001 at 10:18:05AM -0500, Tony Miedaner wrote:
> Hi Folks,
>
> Kind of a high-level question on trade-offs between SecurID or
> Certificates.  It would seem pretty obvious that SecurID is
> a better system BUT for many situations it would seem to me

        Really?  "Pretty obvious?"  After the algorithm was published
on BugTraq and confirmed by another poster (who has RSA connections) and
then analyzed by Mudge and Kingpin to be basically a 64-bit key system
with only 22 bits of time seed and passes the user PIN over the wire?
That SecurID?  Doesn't seem so obvious to me.

> that certificates would be a reasonable form of two-factor
> authentication.  Can anyone provide a good reason why not to
> use certificates over SecurID?
>
> Is it even reasonable to classify certificates as two-factor?
>
> It is understood that if someone can take control of your computer they
> may be able to use the cert.

        If they sniff the wire for a few token entries passed in clear
and record your PIN, the token, and the time, I would say they have a
64-bit plaintext attack on your token card.  Tough, but not impossible.
Are you worth cracking that token?  Probably not.  It would take a hefty
chunk of computing iron and some significant time, just for one token.
You would have to be a pretty high profile target.  Right now...

        I would definitely use SecurID in combination with something else.
Either encryption (like SSL) to prevent passing tokens in clear or with
certificates as backup authentication.  Computing horsepower is NOT
getting weaker or more expensive...

> Any insight is much appreciated as always :-)

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
