Firewall Wizards mailing list archives

RE: SecureID vs Certificates


From: Ben Nagy <ben.nagy () marconi com au>
Date: Wed, 14 Feb 2001 09:59:17 +1030

First, Volker wrote:
SecurID is not _as_ secure as people commonly believe:
   http://www.atstake.com/research/reports/initial_securid_analysis.pdf

   http://www.securityfocus.com/archive/1/152525

Depends on what you mean by "commonly". One of those messages _asserts_ that
the algorithm is "easily crackable", to which I say "Put up, or shut up".
The @stake analysis is much more interesting (and I was happy to actually
see the algorithm in the public eye, finally), but didn't seem to advance
the field. Everyone already _knew_ it was a 64-bit lossy hash with a
mostly-guessable time seed thrown in. If they can deliver on their "further
analysis" with a crypto result, I'll _then_ be ready to applaud.

Then, Mike...
From: Michael H. Warfield [mailto:mhw () wittsend com]

[in response to...]
It would seem pretty obvious that SecureID is
    a better system [...]

      Really?  "Pretty obvious?"  After the algorithm was published
on BugTraq and confirmed by another poster (who has RSA connections) and
then analyzed by Mudge and King Pin to be basically a 64 bit key system
with only 22 bits of time seed and passes the user PIN over the wire?
That SecureID?  Doesn't seem so obvious to me.

As I said - we knew this. As you noted (which I've snipped) there's a ~ 2^64
chosen plaintext attack. Guessing the time representation probably adds a
couple of bits worth, but if you collect LOTS of responses you can probably
knock off a couple of notches. So let's settle on 2^64. I think that "Tough,
but not impossible" is optimistic, but reasonable. If that's the easiest way
for someone to compromise your security, though, then you're doing pretty
darn well. Why wouldn't "they" just hold a gun to your head (and tell you
they know your non-duress PIN - would you gamble)?

But we're not debating absolute security - we're talking relative. So, with
certs - English has about 1 bit of entropy per byte. "This is not a long
enough passphrase to have 64 bits of entropy" - is yours (or your users')
longer than that? If not, then a stolen laptop is an easy win. Before people
start - it's usually a lot easier to steal a laptop than a securID token.

If you're assuming a wire-only attack, then I'll happily agree that properly
deployed certs are better - crypto-wise. In terms of a security system,
though, George Capehart made some good comments about the critical nature of
the RA process. If you don't in-source your CA, IMO, then don't even _think_
about using certs as strong auth.

Properly deployed SecurID is pretty crypto-strong as well - if you use CHAP
/ SSL for your auth channels then the first problem is breaking those - that
would put the crypto complexity of both Certs and SecurID out-of-bounds
(Mike pointed this out, as well). 

That leaves us talking about the integrity of the whole system. Certificates
still make me nervous. Soft storage, tape backup of certs, admin-stored
"emergency" copies of private keys, weak passphrases, dodgy RA
processes...call me paranoid, but I would need LOTS of thought before
recommending them for strong auth for high security environments.

With that said, I'm sure the RSA guys have been saying that a new version of
SecurID is coming / here which drops the Brainard hash in favour of an
"open" hash - this will address the crypto concerns (in plenty of time, IMO
- yes, we're approaching the wire where 2^64 isn't complex enough, but we're
not there yet).

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304