RE: Token based OTP: SafeWord or SecurID?
From: John Adams <jna () retina net>
Date: Fri, 24 Nov 2000 17:22:36 -0500 (EST)
On Thu, 23 Nov 2000, Ben Nagy wrote:
> From: Tommy Ward [mailto:tommy () securify com]
> > As far as the algorithm, it is patented, and it is implemented in
> > several software products, including the ACE/Server and the software
> > version of the token. That means it is not really very secret....
>
> Indeed. I've heard from several different sources that you can request to
> eval the algorithm under NDA - which lots of people have done.
There was a fair number of papers and discussions surrounding SecurID
around 1995/1996. Adam Shostack wrote 'Apparent weaknesses in the Security
Dynamics Client/Server Protocol', available at:
It's pretty good, although without any knowledge of the protocol itself
(as it's still private), most of the attempts in the paper are useless.
Also, a serious bug (copied here from the 1996 paper) was patched in the
Security Dynamics was first notified of this bug in July 1996, when Mark
Warner and Chris MacNeil told us that the bug had been found and fixed by
adding the client secret key into the information hashed by F2, thus,
wp=F2(IP, T, P, c). Details about when this happened were not provided.
When we asked John Brainard about this in August, he suggested that the
attack would work. Security Dynamics was notified about the planned
publication of this paper in November.
There's a ton of links on this at:
J. Adams http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.
firewall-wizards mailing list
firewall-wizards () nfr com
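The fix quoted above from the 1996 paper changes the client's "wrapped passcode" from wp=F2(IP, T, P) to wp=F2(IP, T, P, c), i.e. the client secret key c is mixed into what is hashed. The following is an added example, not code from the thread, the paper, or Security Dynamics; the real protocol and F2 are private, as the message notes, so the hash (SHA-256, and HMAC-SHA256 keyed with c for the fixed form), the field encoding, and every value (IP address, passcode, timestamp, node secret) are assumptions constructed for the demonstration. It shows only the structural point: with the unkeyed form, any party that knows IP, T and P can compute a wp the server accepts; with c in the hash, a party lacking c cannot, whatever the attack in the paper actually was.

```python
import hashlib
import hmac

# Constructed demonstration values; not the real SDI protocol or its F2.
CLIENT_IP = "192.0.2.10"                # IP: client host address (constructed)
CLIENT_SECRET = b"node-secret-example"  # c: secret shared by this client and the server (constructed)
PASSCODE = "4711523904"                 # P: PIN plus token code (constructed)
T = 975096156                           # T: fixed timestamp so the run is deterministic (constructed)


def canonical(ip: str, t: int, passcode: str) -> bytes:
    """Length-prefix each field so (IP, T, P) has one unambiguous encoding.
    The encoding is an assumption made for this example."""
    out = b""
    for field in (ip.encode(), str(t).encode(), passcode.encode()):
        out += len(field).to_bytes(2, "big") + field
    return out


def f2_unkeyed(ip: str, t: int, passcode: str) -> bytes:
    """wp = F2(IP, T, P): a plain hash over fields the client secret does not enter."""
    return hashlib.sha256(canonical(ip, t, passcode)).digest()


def f2_keyed(ip: str, t: int, passcode: str, client_secret: bytes) -> bytes:
    """wp = F2(IP, T, P, c): same fields, keyed with the client secret c.
    Modelled as HMAC-SHA256 (an assumption; the real F2 is not public)."""
    return hmac.new(client_secret, canonical(ip, t, passcode), hashlib.sha256).digest()


def server_accepts(wp: bytes, ip: str, t: int, passcode: str,
                   client_secret: bytes, keyed: bool) -> bool:
    """Server side: recompute wp from its own copy of the inputs and compare
    in constant time. With keyed=True the server uses the client's secret c."""
    if keyed:
        expected = f2_keyed(ip, t, passcode, client_secret)
    else:
        expected = f2_unkeyed(ip, t, passcode)
    return hmac.compare_digest(wp, expected)


def forge_without_secret(ip: str, t: int, passcode: str, keyed: bool) -> bytes:
    """A party that knows IP, T and P (say, a sniffed or disclosed passcode) but
    does not hold c tries to produce wp. For the keyed form it can only guess c."""
    if keyed:
        return hmac.new(b"not-the-real-secret", canonical(ip, t, passcode),
                        hashlib.sha256).digest()
    return f2_unkeyed(ip, t, passcode)


def legitimate_client_wp(keyed: bool) -> bytes:
    """The genuine client, which holds c, computes wp in whichever form is in use."""
    if keyed:
        return f2_keyed(CLIENT_IP, T, PASSCODE, CLIENT_SECRET)
    return f2_unkeyed(CLIENT_IP, T, PASSCODE)


def run_comparison() -> dict:
    """Return whether the server accepts the genuine client and the forger
    under each form of F2."""
    results = {}
    for keyed in (False, True):
        genuine = server_accepts(legitimate_client_wp(keyed), CLIENT_IP, T,
                                 PASSCODE, CLIENT_SECRET, keyed)
        forged = server_accepts(forge_without_secret(CLIENT_IP, T, PASSCODE, keyed),
                                CLIENT_IP, T, PASSCODE, CLIENT_SECRET, keyed)
        results["keyed" if keyed else "unkeyed"] = {"genuine": genuine, "forged": forged}
    return results


if __name__ == "__main__":
    for form, outcome in run_comparison().items():
        print(f"{form:8s} genuine accepted: {outcome['genuine']}, "
              f"forgery without c accepted: {outcome['forged']}")
```

The only thing c adds is a binding to the host that holds it: the unkeyed wp is computable from values that can all leak in transit or elsewhere, whereas the keyed wp cannot be reproduced by a host that was never provisioned with the client secret. The constant-time comparison on the server side is independent of that point but is how any such check should be written.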