Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Hardware/software secureIDs - pros and cons.
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Fri, 29 Jun 2007 16:46:37 -0400

Not entirely true. Hardware tokens have a 'seed' that must be loaded on
the server. (you get a cd with the seeds when you buy the tokens) There
are many cracker programs out there that will display the next token
value if you have a seed record. (some even sniff networks to find
values) The cd even has a nice big warning label advising you of this
issue. Ie: if someone gets the seeds, you might as well throw out your
tokens.

Software tokens are a little cheaper, but not much. They expire the same
as hardware tokens. 

If you loose a token, there is nothing a person can do if they do not
know the pin for that token. Software can be cracked.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Carl-Johan Bostorp
Sent: Friday, June 29, 2007 3:38 AM
To: eladexposed () gmail com; pen-test () securityfocus com
Subject: Re: Hardware/software secureIDs - pros and cons.

What are the pros and cons for using hardware RSA SecureID/Other and
software with the same characteristics?

Main argument for using hardware: Security. There's no feasible way for
an attacker to get the seed value. If it's software, then compromised
machine => compromised seed value => attacker can login whenever he/she
choose to.

A con would be that the token can be forgotten or lost, whereas if it's
software then depending on where you have it (PC, cell phone) you'll
always have it available. If the device with the software crashes, you
can always just install it elsewhere and enter the seed value again.

I also believe the price favors the use of software.

Another option to discuss is whether it's perceived as easier by the
end-user with a physical token or a software installation. This might
depend on where the software is installed. If it's a browser toolbar and
you're logging on to a web site, then I guess that's pretty nice. But if
it's installed on a cell phone or PDA, a physical token would probably
be perceived as easier since the numbers are readily available without
any extra steps.
 
Greets,
CJ

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------

-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]