Full Disclosure mailing list archives
Re: Clear text password exposure in Datakey's tokens and smartcards
From: Steve Kudlak <chromazine () sbcglobal net>
Date: Tue, 10 Aug 2004 11:34:50 -0700
Well here is a cute little article about someone has hacked RFID tags forfun. So it is good that the local library never went down that path. It would
cause great embarrament if books had their titles hacked to be "The SensousLibrarian --- by L" or little notes like : "Mutter can the cute librarian at works
on such and such a schedule come out an play..." or something racey. Perhaps I have been talking to junior high kids and teachers too much. Here's the link: http://www.engadget.com/entry/6563571713524446 Have Fun, Sends Steve grant pew wrote:
Steve Just a bit more info the RSA pin cards. I deal with these quite often.The guy "cjs" is slightly mistaken. The pin cards are really 2-factor authentication. The card itself uses an algorithm within the card that the RSA server understands, or can decode. The other factor is the pin that the client (human) remembers. So if the pin card gets stolen it can't be reused. Sort of like an ATM card, but more sophisticated. In reality the whole thing is a big pain in the ass to setup and implement. I think RSA has come up with somewhat better schemes I just hope they don't come my way too soon. The pin method is a big pain in the ass to setup, and given the new security stuff, I don't even want to look at anything new.Steve Kudlak wrote:I am going to start singing that old song from some movie made before my time of "Nice Work if you can get it, and you can get it if you try..." off course I think the crooner was crooning about romance, easier to convince some human that it is worth some bucks to get rather than random numbers which are everywhere if you look, eh?, yeah, right?;) <====said with a sneer (giggle;) More seriously I was looking to RFID systems vis a vis the privacy orries of such and such systems and I wondered what would a store,ora library want with something that with effort could tell you everywhereit has been. Now I admit when I have misplaced two books I really somedays want a "magic wand" to find them. The other problem is I have seen my local library try to handle its security concerns and somethings seem reasonable to me, many seem being a bit overcautious after being burnt. I know the legends involved, when I mention I am trying to solve some problem I am told I just need an 11 year old to do it for me, as if they are pixies with magic power.Getting your staff which is dedicated in the case of the library, but which is dedicated but which several techoquestioning? (giggle trying to be polite) people on it, but which is sensitive to privacy concerns. Versus the people at the Long's Drug Chain (Medium Sized US Drug Chain) where there is a big taa-doo at the register to check everything out whenever I bring in an itemthat I was overcharged $3.00 for. I look at some of the more elaboratesecurity systems that merchants have been sold as being good and I am ready at least emotionally to join the "number of the beast" worry-worts. I hope the Long's main office when presented with a new security plan looks at itand laugh's and says it is too expensive.But I am sure that someone has told some ubermanager far away from Watsonville California that "Your Shrinkage Problems will dissappear if you install our $5MEgabuck system....which if you look at it per item, it is not that expensive...." Of course the guy selling it is far distant again from the techies who produced to earn their daily bread to pay for living in the $1000US/mo apartment. The salescreature thinks the idea of selling random numbers at $25.00 for a couple hundred is a good thing. I mean they say: "Those are magic numbers they are produced by complicatedsoftware written by people who are so bright....." You get my drift. Have Fun, Sends SteveP.S. The "they lock when you take them beyond the parking lot " shopping carts have become great playtoys for kids in the neighborhood who like to overpower them andhear them beep as they drag it along like a relcalitrant puppy. Curt Sampson wrote:On Fri, 6 Aug 2004, Dana Hudes wrote:On Fri, 6 Aug 2004 Bart.Lansing () kohls com wrote:RSA has been doing PIN cards for ages...I don't get the hangup on SmartCards vs "plain old" something you have/something you know two factoras I understand it a "PIN Card" is a card with an EEPROM on it that contains a PIN. Possibly encrypted but its the same effect as any other file. The host decides if the PIN matches.The RSA SecurID system is a hardware token that generates a new number every minute using a sequence generator and a seed that is effectively a shared secret between the hardware token and the authentication server. You take the current minute's number and, usually, some other authentication information (such as a PIN or password) and pass both of those back to the authentication server, which will then determine whether the authentication is valid. It's a bit expensive, but it works ok. RSA also sells "software tokens" which are the same thing, but as software that runs on a PC or handheld. This is particularly expensive for what you get, since the token is easily copied from the device, with no indication that it's been stolen. (At least with the hardware tokens you know when it's been stolen.) And it's also quite expensive: they charge $25-$80 for a "1 year" software token. I wish I had the gall to sell large quantities of 128 bit random numbers for $25 each. cjs
Current thread:
- Re: Clear text password exposure in Datakey's tokens and smartcards, (continued)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Kevin Sheldrake (Aug 05)
- Re: Clear text password exposure in Datakey's tokens and smartcards Seth Breidbart (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Israel Torres (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Lyal Collins (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Bart . Lansing (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Dana Hudes (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Curt Sampson (Aug 08)
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 09)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lee Dilkie (Aug 05)