Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: Adam Shostack <adam () homeport org>
Date: Sat, 30 Dec 2000 12:06:13 -0500

On Wed, Dec 13, 2000 at 01:25:36AM +0000, David Wagner wrote:
| Michael H. Warfield wrote:
| >     I thought that the SecurID algorithm had become known
| 
| I believe the algorithm has been known to some subset of "hackers" for
| some time.  However, I don't know of too many "good guys" who have had
| a chance to look at it (which presumably means that RSA is not able to
| benefit from analysis from the open cryptographic community).
| 
| This suggests that keeping the algorithm secret may not have served its
| intended purpose.  But then, secret design rarely does, when you are
| talking about long-term widely-deployed commercial systems...

Keeping the algorithm secret has been a marketing choice for a long
time.  Their engineers were fully aware of, and supported the idea of
open review.  When I published the protocol, the engineers from SDI
were happy.  They were a little less happy that I broke it, but hey,
it gave them a chance to do a new design.

Incidentally, card hash was published to bugtraq about a week ago.
There are some interesting questions about how good an algorithm it
actually is, and likely some interesting lessons to be learned about
'good enough' crypto.

Adam




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

