Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

RE: Token based OTP: SafeWord or SecurID?
From: John Adams <jna () retina net>
Date: Fri, 24 Nov 2000 17:22:36 -0500 (EST)

On Thu, 23 Nov 2000, Ben Nagy wrote:

-----Original Message-----
From: Tommy Ward [mailto:tommy () securify com]

As far as the algorithm, it is patented, and it is > implemented in
several > software products, including the ACE/Server and the software
version of > the token.  That means it is not really very secret....

Indeed. I've heard from several different sources that you can request to
eval the algorithm under NDA - which lots of people have done.

There was a fair amount of papers and discussions surrounding SecurId
around 1995/1996. Adam Shostack whote 'Apparent weaknesses in the Security
Dynamics Client/Server Protocol', available at:
http://www.homeport.org/~adam/dimacs.html

It's pretty good, although without any knowledge of the protocol itself
(as it's still private), most of the attempts in the paper are useless.

Also, a serious bug (copied here from the 1996 paper) was patched in the
hash algorithm:

 Security Dynamics was first notified of this bug in July 1996, when Mark
 Warner and Chris MacNeil told us that the bug had been found and fixed by
 adding the client secret key into the information hashed by F2, thus,
 wp=F2(IP, T, P, c). Details about when this happened were not provided.
 When we asked John Brainard about this in August, he suggested that the
 attack would work. Security Dynamics was notified about the planned
 publication of this paper in November.

There's a ton of links on this at: 
http://www.securityportal.com/list-archive/firewalls/1999/May/0027.html

--john

--
J. Adams                                        http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]