Re: about SecuriID on mobile devices
- From: Nick Owen <owen.nick@xxxxxxxxx>
- Date: Tue, 7 Apr 2009 13:28:45 -0700 (PDT)
On Apr 6, 2:33 pm, John Doe <john....@xxxxxxxxxx> wrote:
> Hi guys, thanks for your answer!
> Joseph Ashwood wrote:
>> SecurID depends on a lot of things remaining secret. Either the
>> algorithm had to remain secret in order for the device ID numbers to not
>> be useful, the algorithm was published. The device ID number is printed
>> clearly on hardware devices, this is necessary for registering the token
>> with the server. For security the server must remain secure, its
>> security has been questioned repeatedly. For the security currently
>> offered it depends on the secrecy of the ID number, it can be argued
>> that this is actually SAFER with a PDA because at least the attacker has
>> to dig around the PDA instead of just checking the back.
>> SecurID is certainly safer than password alone, but SecurID is one more
>> in a long series of not quite complete solutions. For what it is,
>> SecurID is a wonderful solution, but just as with any other tool if you
>> attempt to apply SecurID to the wrong situation it will be insecure.
>> Joe
> Well let's suppose the algorithm is public, & let's also suppose that
> the server is secure. The ID number is to me a way for the server to
> retrieve the seed (which is stored on both the device & the server).
> The ID number can be public, but the seed needs to remain private. To me
> a PDA is storing a seed (& maybe an ID), so the hacker can retrieve the
> seed.
> On a hardware token, the ID may be visible, but the seed is supposed to
> erase itself if a hacker is trying to read it. & with the ID only it
> isn't possible to generate tokens based on the algorithm. So to me a
> hardware token is assuring (to an extent) 2-factor authentication, while
> a PDA isn't.
> Ari© wrote:
>> RSA SecurID two-factor authentication is based on something you know
>> (such as a password or a PIN) and something you have (an authenticator
>> such as a smart card). Your definition of 2-factor might be different?
> Clearly not, your definition is perfect for me. I think the "something
> you have" part needs to be part of the authentication (which means its
> goal is to authenticate you, which means the data it provides is not
> easily available for anyone, e.g. for a hacker). I also think that if a
> hacker is able to get control of your PDA for 5 minutes, it can get the
> PDA's memory, read the seed & would be able to copy it & generate valid
> tokens at any time. Then tokens become useless & only the PIN remains
> hidden, so we go from a 2-factor authentication to a simple PIN-based
> 1-factor authentication. On hardware tokens, the seed is stored in a
This is the definition of two-factor authentication - stealing one
factor doesn't get you anywhere :). It is no different than stealing
the hardware token. Except that the user is also interested in
protecting the PDA.
It's a trade-off between convenience, cost and security.
Nick
--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
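A toy model of the argument in this thread, added here as an example (not code from the thread, from WiKID or from RSA; HMAC-SHA256 stands in for the proprietary SecurID algorithm, and the device ID, seed and PIN are constructed values): the server looks up the secret seed by the public device ID, a login needs both the PIN and a fresh tokencode, a consumed time window is refused, and so a copied seed alone fails while seed plus PIN succeeds.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per tokencode, like a 60-second token


def tokencode(seed: bytes, now: int) -> str:
    """6-digit code from (secret seed, time window). HMAC-SHA256 is a stand-in
    for the real algorithm; the code depends on the seed, never on the ID."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class AuthServer:
    """Maps a public device ID to its secret seed and the user's PIN."""

    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}        # must stay secret on the server
        self._pins: dict[str, str] = {}           # the 'something you know'
        self._last_window: dict[str, int] = {}    # last accepted window per device

    def register(self, device_id: str, seed: bytes, pin: str) -> None:
        self._seeds[device_id] = seed
        self._pins[device_id] = pin

    def verify(self, device_id: str, pin: str, code: str, now: int, drift: int = 1) -> bool:
        seed = self._seeds.get(device_id)
        if seed is None or not hmac.compare_digest(self._pins[device_id], pin):
            return False  # unknown ID or wrong PIN: the first factor fails
        cur = now // STEP
        for w in range(cur - drift, cur + drift + 1):
            if w <= self._last_window.get(device_id, -1):
                continue  # window already consumed: replay, or a second copy of the seed
            if hmac.compare_digest(tokencode(seed, w * STEP), code):
                self._last_window[device_id] = w
                return True
        return False


def demo(now: int = 1_239_000_000) -> dict[str, bool]:
    """Constructed ID/seed/PIN; reports which login attempts the server accepts."""
    dev, seed, pin = "000123456789", bytes(range(16)), "4321"
    srv = AuthServer()
    srv.register(dev, seed, pin)
    code = tokencode(seed, now)
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)  # one digit off
    return {
        "pin_and_code": srv.verify(dev, pin, code, now),            # both factors
        "replay_same_code": srv.verify(dev, pin, code, now + 5),    # window consumed
        "pin_guessed_code": srv.verify(dev, pin, wrong, now + 120),
        "cloned_seed_no_pin": srv.verify(dev, "0000", tokencode(seed, now + 120), now + 120),
        "cloned_seed_with_pin": srv.verify(dev, pin, tokencode(seed, now + 120), now + 120),
    }
```

The last two entries are the point of contention in the thread: a stolen PDA image yields the seed, which by itself is refused, but seed plus a shoulder-surfed or guessed PIN is a full compromise, so the PIN is all that separates the two cases.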