Firewall Wizards mailing list archives
RE: Token based OTP: SafeWord or SecurID?
From: Ben Nagy <bnagy () sa volante com au>
Date: Wed, 27 Sep 2000 15:29:14 +0930
[snip]
Out of curiosity, does anyone know if there are smart-card security cards out there that work on public key cryptography? (Computer passes you a random token, card signs it and passes it back? System verifies it by checking against the public key.) [snip]
I know this isn't really a crypto list, but it's worth noting - that's a _really_ bad protocol. BIG CRYPTO TIP: Never sign something that you didn't create or modify. You'll note that all decent auth protocols that use a public key signature NEVER sign anything that doesn't include some random addition that is made by the client. This is to prevent "chosen ciphertext attacks". In short, if you were using the protocol as you outline it above, an attacker could generate false signatures from you or decrypt any message encrypted with your public key. Nasty, huh? [1,2]
daN.
Cheers,

[1] Applied Cryptography, Chap 19.3
[2] http://theory.stanford.edu/~dabo/abstracts/RSAattack-survey.html (2.2 - 'Blinding')

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
