Firewall Wizards mailing list archives
RE: Token based OTP: SafeWord or SecurID?
From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 23 Nov 2000 11:39:25 +1030
-----Original Message-----
From: Tommy Ward [mailto:tommy () securify com]
Sent: Wednesday, 22 November 2000 10:18
To: ark () eltex ru
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Token based OTP: SafeWord or SecurID?

As far as the algorithm, it is patented, and it is implemented in several software products, including the ACE/Server and the software version of the token. That means it is not really very secret....
Indeed. I've heard from several different sources that you can request to eval the algorithm under NDA - which lots of people have done.
What makes me wonder more about the "secret technology" involved in this case is the deduced limitation on the crypto used. If you think about the hardware based SecurID card having up to a 4 year battery life[...]
To put it very mildly, I don't think you've hit on a very good indicator of the security, or otherwise, of the Brainard hash.
I would guess that a brute force analysis should be able to compromise any given SecurID account in a short period of time. If you had only a few samples of plain text (the time of day) and cypher text (the OTP), this should be a computationally easy task.
I'd suggest that your guess is exactly that - and a bad one. If the hash is "hard" to invert then you can have as many samples of time and ciphertext as you like. You still can't deduce the random seed. That only leaves brute force of the seed as an attack. Do you _really_ think that the seed would be so small as to make brute force "computationally easy"?

Take a look at the distributed.net stats for brute force - they're still going on RC5-64 and cranking 131 odd gigakeys/sec.

Overall, I think that when you effectively suggest that many large and well funded organisations / governments have chosen to use a solution that is "computationally easy to brute force" you're vastly underestimating the intelligence of many very, _very_ smart people.
....Tommy
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
