Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?
From: Tommy Ward <tommy () securify com>
Date: Tue, 21 Nov 2000 15:48:01 -0800

As far as the algorithm, it is patented, and it is implemented in several
software products, including the ACE/Server and the software version of
the token.  That means it is not really very secret....

What makes me wonder more about the "secret technology" involved in this
case is the deduced limitation on the crypto used.  If you think about the
hardware based SecurID card having up to a 4 year battery life, and the most
basic version displays a new OTP every 60 seconds whether you need it or
not, there can't be a very large number of clock cycles involved in computing
the OTP.   By comparison, we used to see about a 2 year battery life on
the old SNK token, which used an 8-bit processor to perform a single DES
computation to generate its OTP, and only did so when you need a new
OTP to authenticate with.

I would guess that a brute force analysis should be able to compromise
any given SecurID account in a short period of time.  If you had only a
few samples of plain text (the time of day) and cypher
text (the OTP), this should be a computationally easy task.

If you can pry it out of him, Mudge did enough work on this in about
1995 to prepare a paper on the subject, but he got "persuaded" not to
release it.


At 02:24 PM 11/17/2000 +0300, ark () eltex ru wrote:


BTW - did anyone try to reverse-engineer SecurID to find what algorithms are
inside there? I wonder why does it require hardware server if the only
requirement is accurate clock and software token does exist..

I'd prefer to know what is inside that thingies. My genreal policy is to avoid
"secret technologies".
                                     _     _  _  _  _      _  _

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]