Bugtraq: Re: Re: Digipass Go3 Token Dumper (at least for 2006)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Re: Digipass Go3 Token Dumper (at least for 2006)

From: fcollyer () gmail com
Date: 25 Nov 2006 15:02:00 -0000

Thanks Hugo!

http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an insecure-encryption vulnerability 
because the device uses an insecure single-key encryption algorithm (...)"

That is not the case.
The C++ implementation that I've provided shows exactly the _opposite_!

Its core is 3DES_112(2 64 DES keys used) based.
I believe this was I misunderstanding from the list's guys. Nothing to worry seriously about.

I'm glad we have VASCO's clarification. And it seems to me that now the community is really free to analyze the 
truncation/decimalization side of Digipass.

Is it secure? Is it the best VASCO could've come with? And the key derivation process?...

Best regards,

Felipe Collyer
(a.k.a. faypou)

By Date By Thread

Current thread:

Digipass Go3 Token Dumper (at least for 2006) fcollyer (Nov 13)
- Re: Digipass Go3 Token Dumper (at least for 2006) Hugo van der Kooij (Nov 24)
- <Possible follow-ups>
- Re: Re: Digipass Go3 Token Dumper (at least for 2006) fcollyer (Nov 25)