Re: [fw-wiz] Username password VS hardware token plus PIN

From: David Lang (david.lang_at_digitalinsight.com)
Date: 02/24/05

  • Next message: MHawkins_at_TULLIB.COM: "[fw-wiz] REXX"
    To: Kevin <kkadow@gmail.com>
    Date: Wed, 23 Feb 2005 23:03:31 -0800 (PST)
    
    

    On Tue, 22 Feb 2005, Kevin wrote:

    > Date: Tue, 22 Feb 2005 12:24:02 -0600
    > From: Kevin <kkadow@gmail.com>
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] Username password VS hardware token plus PIN
    >
    > On Tue, 22 Feb 2005 12:15:40 -0500, Mark Gumennik <mgumennik@mitre.org> wrote:
    >> Mike,
    >> I think the best you can get is SecureID/ACE (used to be AXENT, now RSA?)
    >> (Also quite expensive :-)
    >
    > SecurID is unrelated to AXENT's product, totally different set of patents. For
    > some info on SecurID, please visit my totally unofficial SecurID User's forum:
    > http://groups.yahoo.com/group/securid-users/
    >
    > I converted from the old X9.9/Axent challenge-response tokens after the
    > algorithm was shown to have major cryptographic weaknesses and
    > withdrawn by ANSI. The old school Axent tokens are no longer viable
    > for strong authentication; the newer response-only tokens from
    > Cryptocard and Secure Computing do not have the X9.9 flaws in their
    > standard algorithm, but can be programmed to use the flawed mode.

    IIRC the vulnerability of the old SNK004 format tokens was that if you
    received enough challenge/response pairs (potentially as few as two) you
    could brute-force the DES encryption key and duplicate the token.

    While this is definitely a problem, I would argue that if you are using
    the token for authentication over an otherwise encrypted link this may
    very well be "good enough".

    At this point you've limited your exposure to people with keystroke
    loggers on the client machine, who are logging long enough to get the
    multiple samples they need, and who care enough about you being a target
    to spend the effort to brute-force the key (which is a doable effort, but
    still requires a significant amount of resources).

    It may not be ideal, but it stands a good chance of making it so that there
    are easier ways to get into the system (probably via application
    vulnerabilities). And they have the advantage that the server side doesn't
    require expensive licenses to implement (do a Google search for snk.c and
    you can find freely available source to implement it; at one point it was in
    a package called dip-3.3.7, among others).

    David Lang

    -- 
    There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
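The brute-force David describes, worked as an added example that is not part of the post or of any SNK/X9.9 implementation: an attacker who has logged a few challenge/response pairs tries every key until one reproduces all of them. The token is a simplified, assumed model (the decimal challenge is zero-padded to one DES block, encrypted in ECB, and the leading hex digits of the ciphertext are the displayed response), the keyspace is cut down to 16384 keys so the search runs in a moment, the displayed response is trimmed to two hex digits so that one pair visibly leaves many candidates, and the token key and the challenges are constructed for the demo. The real attack walks all 2^56 DES keys, which is the "significant amount of resources" above; with an 8-hex-digit response each pair filters 32 bits, so two pairs already isolate a 56-bit key, which is where "as few as two" comes from.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Hex digits of ciphertext the modelled token displays (demo setting: 8 bits).
const responseHexDigits = 2

// tokenResponse is a simplified, assumed model of an X9.9-style token, not the
// SNK004 specification: the decimal challenge is zero-padded to one DES block,
// encrypted in ECB under the token's secret key, and the leading hex digits of
// the ciphertext are shown as the response.
func tokenResponse(key []byte, challenge string) (string, error) {
	if len(challenge) > des.BlockSize {
		return "", fmt.Errorf("challenge longer than one DES block: %q", challenge)
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	var in, out [des.BlockSize]byte
	copy(in[:], challenge)
	block.Encrypt(out[:], in[:])
	return hex.EncodeToString(out[:])[:responseHexDigits], nil
}

type pair struct{ challenge, response string }

// candidateKeys enumerates the demo keyspace: six key bytes are fixed and the
// last two range over every value with the low (DES parity) bit clear, since
// keys differing only in parity bits encrypt identically. That is 128*128 =
// 16384 keys; the real attack walks all 2^56 effective keys.
func candidateKeys(prefix [6]byte) [][]byte {
	keys := make([][]byte, 0, 128*128)
	for a := 0; a < 256; a += 2 {
		for b := 0; b < 256; b += 2 {
			k := make([]byte, des.BlockSize)
			copy(k, prefix[:])
			k[6], k[7] = byte(a), byte(b)
			keys = append(keys, k)
		}
	}
	return keys
}

// bruteForce returns every candidate key that reproduces all observed pairs.
// Each pair keeps only about 1/16^responseHexDigits of the survivors, so the
// pairs needed are roughly keybits/responsebits.
func bruteForce(prefix [6]byte, observed []pair) [][]byte {
	var survivors [][]byte
	for _, k := range candidateKeys(prefix) {
		consistent := true
		for _, p := range observed {
			if r, err := tokenResponse(k, p.challenge); err != nil || r != p.response {
				consistent = false
				break
			}
		}
		if consistent {
			survivors = append(survivors, k)
		}
	}
	return survivors
}

// Constructed demo secret and challenges. The attacker is assumed to know the
// first six key bytes (that defines the demo keyspace); the victim's token
// holds 0xde 0xf0 in the last two.
var (
	demoPrefix     = [6]byte{0x13, 0x34, 0x57, 0x79, 0x9b, 0xbc}
	demoKey        = []byte{0x13, 0x34, 0x57, 0x79, 0x9b, 0xbc, 0xde, 0xf0}
	demoChallenges = []string{"4819273", "0052741", "9981002", "1234567"}
)

// survivorsAfter plays keystroke logger for the first n logins (recording the
// challenge shown and the response typed), runs the brute force, and reports
// how many keys remain and whether the true key is among them (it always is).
func survivorsAfter(n int) (int, bool, error) {
	var observed []pair
	for _, c := range demoChallenges[:n] {
		r, err := tokenResponse(demoKey, c)
		if err != nil {
			return 0, false, err
		}
		observed = append(observed, pair{c, r})
	}
	remaining, trueKeyFound := 0, false
	for _, k := range bruteForce(demoPrefix, observed) {
		remaining++
		if bytes.Equal(k, demoKey) {
			trueKeyFound = true
		}
	}
	return remaining, trueKeyFound, nil
}

func main() {
	for n := 1; n <= len(demoChallenges); n++ {
		remaining, found, err := survivorsAfter(n)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d pair(s): %5d candidate keys remain, true key present: %v\n", n, remaining, found)
	}
}
```

Running it shows the survivor count dropping by roughly a factor of 256 per observed pair until only the victim's key is left; the same arithmetic with a real response width and the full DES keyspace is the whole attack, the only difference being the size of the loop.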
    
