Re: [fw-wiz] Username password VS hardware token plus PIN

From: David Lang (david.lang_at_digitalinsight.com)
Date: 02/24/05

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Wed, 23 Feb 2005 22:23:21 -0800 (PST)
    
    

    Here's a box that's essentially a Palm clone for about $40 each in single
    unit quantities. Not fancy, no color, etc., but a well-known platform with
    lots of good development tools (assuming it's not able to run
    off-the-shelf Palm software).

    http://www.zexus.com.hk/products/products_all_PDA.htm

    David Lang

    On Tue, 22 Feb 2005, Marcus J. Ranum wrote:

    > Date: Tue, 22 Feb 2005 12:56:36 -0500
    > From: Marcus J. Ranum <mjr@ranum.com>
    > To: Frank Knobbe <frank@knobbe.us>
    > Cc: MHawkins@TULLIB.COM, firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] Username password VS hardware token plus PIN
    >
    > Frank Knobbe wrote:
    >> That's why I was never happy with SecurID tokens since the PIN is
    >> transmitted during logon and thus subject to interception by an
    >> attacker. I preferred tokens that require the PIN to unlock the token,
    >> but never transmit the PIN.
    >
    > This topic comes up SO MANY TIMES it's not even funny. I bet
    > if we looked through fw-wiz archives we could declare this to
    > be "Standard Ranum Rant #2978378" and instead of posting
    > this I could just say:
    >
    > #include <sys/rant/ranum/2978378.h>
    >
    > :) But anyhow....
    >
    > What amazes me is that organizations seem to think that having
    > authentication tokens is a) expensive and b) hard. If you look on
    > the websites for obsolete hardware clearing houses you can
    > find vintage PDAs for next to nothing and I'm sure you can get them
    > in quantities. A lot of these PDAs are programmable with SDKs.
    > For example, a cursory query of BizRate shows that you can get
    > HP h2210 PDAs (they run Windows Mobile 2003!) for $51.
    > It has a clock in it; it's a scheduler for crying out loud. Of course
    > Security Dynamics has patents on time-synching tokens so that's
    > not an option but you could cook up a number of cool variants
    > of the old Atalla authentication used in the Digital Pathways
    > SecureNetKey (there's compatible source in C for an implementation
    > in the firewall toolkit code. I know because I put it there).
    > Bizrate says you can get an Oregon Scientific PDA293 for $9.99.
    > Did you read that? $9.99. And you get free calendaring thrown
    > in and it probably can play games, which is more than your
    > Security Dynamics card will ever do! Franklin RF8120s are $12.
    > Some of these things have voice recorders and all kinds of
    > fun stuff. If a company invested a tiny fraction of the cost of
    > fielding something like a Security Dynamics solution in
    > integrating some software they could probably have an
    > enterprise-wide authentication AND scheduling solution. Some
    > of these puppies have IrDA ports and you could integrate
    > them with building locks for the cost of a low-end PC and
    > some software hooked to a $100 electronic lock striker
    > unit. "Point your token at the door and enter your PIN to open"
    > how cool is that? Or retrofit the sync cradle and use it as
    > a door control. Or use it to PGP-sign your documents.
    > Some of these things have built-in calorie counters! What's
    > not to like!? ;) "This document was PGP-signed by
    > Marcus Ranum, at 11:99 at XYZ GPS coordinates and
    > he had probably eaten too much when he wrote this."
    >
    > mjr.
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    -- 
    There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare

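The property Frank Knobbe asks for and Marcus describes (a PIN that unlocks the token locally and never crosses the wire, with a challenge-response exchange instead of a transmitted PIN+tokencode) can be sketched in a few dozen lines. The following is an added illustration written for this archive page; it is not the firewall toolkit's SecureNet Key code, not the Atalla algorithm, and not any vendor's protocol. It assumes an HMAC-SHA256 response over a random server challenge, PBKDF2 to stretch the PIN into a wrapping key, and a plain XOR wrap of the shared secret on the token; the user name, PIN and secret are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into a 32-byte wrapping key (PBKDF2 is an assumption for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000, dklen=32)


class Token:
    """The user's device. The shared secret is stored wrapped under the PIN-derived key,
    so the PIN is only ever typed into the token itself and never leaves it."""

    def __init__(self, secret: bytes, pin: str):
        assert len(secret) == 32
        self.salt = os.urandom(16)
        key = derive_pin_key(pin, self.salt)
        # XOR wrapping is enough to show the idea; a real device would use an AEAD
        # and tamper-resistant storage with a hardware retry counter.
        self.wrapped = bytes(a ^ b for a, b in zip(secret, key))
        # Short tag so the token can reject a wrong PIN locally. Whoever dumps the
        # device contents can test PIN guesses against this tag offline, which is
        # why hardware tokens lock after a few bad attempts.
        self.pin_tag = hmac.new(key, b"pin-check", hashlib.sha256).digest()[:4]

    def respond(self, pin: str, challenge: bytes) -> bytes:
        key = derive_pin_key(pin, self.salt)
        tag = hmac.new(key, b"pin-check", hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, self.pin_tag):
            raise ValueError("wrong PIN")
        secret = bytes(a ^ b for a, b in zip(self.wrapped, key))
        # Only this value crosses the wire. It depends on the challenge and the
        # shared secret, not on the PIN, so sniffing it reveals nothing reusable.
        return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]


class Server:
    """Holds one shared secret per user and at most one outstanding challenge per user."""

    def __init__(self):
        self.secrets = {}
        self.outstanding = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        # pop() makes each challenge single-use: a captured response cannot be replayed.
        c = self.outstanding.pop(user, None)
        if c is None or user not in self.secrets:
            return False
        expected = hmac.new(self.secrets[user], c, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Exercise the exchange: a good login, a wrong PIN, and a replayed response."""
    shared = os.urandom(32)              # constructed per-token secret
    token = Token(shared, pin="4321")    # constructed PIN
    server = Server()
    server.enroll("alice", shared)       # constructed user name

    c1 = server.challenge("alice")
    r1 = token.respond("4321", c1)
    good = server.verify("alice", r1)

    try:
        token.respond("0000", server.challenge("alice"))
        wrong_pin_rejected = False
    except ValueError:
        wrong_pin_rejected = True

    # A fresh challenge is now outstanding; the old response must not satisfy it.
    replay = server.verify("alice", r1)
    return {"good_login": good,
            "wrong_pin_rejected": wrong_pin_rejected,
            "replay_accepted": replay}


if __name__ == "__main__":
    print(run_demo())
```

The contrast with the PIN-plus-tokencode scheme Frank objects to is in `Token.respond`: the PIN gates the computation but is not an input to the value sent, and the server has nothing PIN-related to check, so an interception yields one response to one dead challenge. The local PIN tag is the weak point of a software-only token, which is the argument for a tamper-resistant retry counter on real hardware.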