Re: about SecuriID on mobile devices



Joseph Ashwood wrote:
Let me try this a third time.

"John Doe" <john.doe@xxxxxxxxxx> wrote in message news:49df0998$0$6809$426a74cc@xxxxxxxxxxxxxxx
Paul Rubin wrote:
Ilmari Karonen <usenet2@xxxxxxxxxxxxxx> writes:
That's a valid possibility, yes. Depending on the authentication
system, however, the attacker might risk discovery anyway just by
using a copied token.

If a token is copyable, then it is not a "something you have" factor
in two-factor authentication, since two people might have it. The
idea of tokens is that they are uncopyable, or at least difficult to
copy (e.g. something like a smart card).

Changing to a smart card changes everything. Trying to draw conclusions about one from the other is impossible. Any system like SecurID has to suffer from the same security problems, it must be trivial to copy the secret.

That's my point: a real hardware token which is tamper resistant, or a smart card, provides reasonable resistance to copying; I think a PDA doesn't.

And you are wrong. Many PDAs available today, and the majority of PDAs sold, have a smartcard built into them; it's called a SIM card and is related to the phone functionality that has become necessary.

Am I right or did I miss something?

You have missed pretty much everything, repeatedly.

Can PDAs provide a "blackbox" in which something can't be copied without being erased?

This question itself shows how much you miss. Anything that can be copied can be multiply copied, copy the data out, duplicate the open data, write it back in.

So, to summarize, you have misunderstood every single thing in the security, you have even failed to understand what SecurID does, or understand what PDAs offer, or understand the cryptography, you have even failed to understand basic copy semantics.
Joe

Wow, ok I'm not here to polemicize (even though it's kind of inherent in the usage of newsgroups / forums / usenet). I just came here to see if the security provided by a PDA/Smartphone implementation was as secure as one included in a tamper-resistant hardware token. I had the SIM card in mind, but I just wanted to see if it was the only solution, so I waited for another one to mention it. After two weeks, Paul Rubin did. Good. Now I just want to understand if a smartcard is the only solution to do a real two-factor authentication in a PDA, or if I missed something and there was another possibility with pure software (which I don't think, though I'm still uncertain about it).
I might have missed the whole point about security, I don't really care about it, that's not what I'm looking for.
Thanks for exposing your point of view, though.
John
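Ilmari's remark that "the attacker might risk discovery anyway just by using a copied token" can be made concrete on the server side. The following is an added example, not code from this thread or from RSA SecurID: it assumes a standard HOTP/TOTP-style token (RFC 4226 HMAC-SHA1 truncation, 30-second steps) in place of SecurID's own algorithm, and uses a constructed seed. The verifier consumes each time step at most once, so when a cloned seed produces a code for a step the legitimate user has already used, the second login is refused and logged as a reuse event.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is the same with counter = time // step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one token. A time step may be consumed once;
    a second valid code for an already-consumed step means either a replay
    or a second copy of the seed in use, so it is refused and recorded."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_step = -1   # highest time step already accepted
        self.events = []      # (kind, time_step, source) for the audit log

    def verify(self, code: str, now: int, source: str) -> bool:
        cur = now // self.step
        for t in range(cur - self.window, cur + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, t), code):
                if t <= self.last_step:
                    self.events.append(("REUSE", t, source))
                    return False
                self.last_step = t
                self.events.append(("OK", t, source))
                return True
        self.events.append(("BAD", cur, source))
        return False


def demo():
    secret = b"constructed-demo-seed"        # constructed value, not a real seed
    v = OtpVerifier(secret)
    step = 1000                              # arbitrary constructed time step
    legit = v.verify(hotp(secret, step), step * 30 + 5, "office")
    # A copied seed yields the identical code in the same step.
    clone = v.verify(hotp(secret, step), step * 30 + 20, "remote")
    return legit, clone, [e[0] for e in v.events]
```

This only detects a clone that happens to be used in a step the legitimate user also consumed; a copy used at other times is indistinguishable from the original, which is exactly why a copyable secret is not a "something you have" factor.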


