Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: Adam Shostack <adam () homeport org>
Date: Sat, 30 Dec 2000 12:06:13 -0500
On Wed, Dec 13, 2000 at 01:25:36AM +0000, David Wagner wrote: | Michael H. Warfield wrote: | > I thought that the SecureID algorithm had become known | | I believe the algorithm has been known to some subset of "hackers" for | some time. However, I don't know of too many "good guys" who have had | a chance to look at it (which presumably means that RSA is not able to | benefit from analysis from the open cryptographic community). | | This suggests that keeping the algorithm secret may not have served its | intended purpose. But then, secret design rarely does, when you are | talking about long-term widely-deployed commercial systems... Keeping the algorithm secret has been a marketing choice for a long time. Their engineers were fully aware of, and supported the idea of open review. When I published the protocol, the engineers from SDI were happy. They were a little less happy that I broke it, but hey, it gave them a chance to do a new design. Incidentally, card hash was published to bugtraq about a week ago. There are some interesting questions about how good an algorithm it actually is, and likely some interesting lessons to be learned about 'good enough' crypto. Adam _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Token based OTP: SafeWord or SecurID? Adam Shostack (Jan 02)