mailing list archives
RE: Token based OTP: SafeWord or SecurID?
From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 23 Nov 2000 11:39:25 +1030
From: Tommy Ward [mailto:tommy () securify com]
Sent: Wednesday, 22 November 2000 10:18
To: ark () eltex ru
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Token based OTP: SafeWord or SecurID?
As far as the algorithm, it is patented, and it is
implemented in several
software products, including the ACE/Server and the software
the token. That means it is not really very secret....
Indeed. I've heard from several different sources that you can request to
eval the algorithm under NDA - which lots of people have done.
What makes me wonder more about the "secret technology"
involved in this
case is the deduced limitation on the crypto used. If you
think about the
hardware based SecurID card having up to a 4 year battery
To put it very mildly, I don't think you've hit on a very good indicator of
the security, or otherwise, of the Brainard hash.
I would guess that a brute force analysis should be able to compromise
any given SecurID account in a short period of time. If you
had only a
few samples of plain text (the time of day) and cypher
text (the OTP), this should be a computationally easy task.
I'd suggest that your guess is exactly that - and a bad one. If the hash is
"hard" to invert then you can have as many samples of time and ciphertext as
you like. You still can't deduce the random seed. That only leaves brute
force of the seed as an attack. Do you _really_ think that the seed would be
so small as to make brute force "computationally easy"? Take a look at the
distributed.net stats for brute force - they're still going on RC5-64 and
cranking 131 odd gigakeys/sec.
Overall, I think that when you effectively suggest that many large and well
funded organisations / governments have chosen to use a solution that is
"computationally easy to brute force" you're vastly underestimating the
intelligence of many very, _very_ smart people.
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
firewall-wizards mailing list
firewall-wizards () nfr com