Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: kadokev () msg net
Date: Wed, 27 Sep 2000 01:01:51 -0500 (CDT)
There is a PIN PAD version of the SecureID in which you type the PIN into a keypad on the SecureID card or fob. The PIN is combined with the time dependent code number (which normally shows up in the LCD in the standard version) and the newly factored number is displayed in the LCD. You then type in and send this new number to the remote prompt. Therefore the PIN is not sent across a communications channel in the clear.
SafeWord has similar functionality in their 'Platinum' token, as does Axent and CryptoCard. The SafeWord token is interesting in that it appears to offer the option of storing up to ten(?) distinct host keys, including one SecureNetKey/DES token. SNK is the DES Challenge-Response scheme used by Axent, and supported by Gauntlet, FWTK, and SafeWord auth servers. We've seen too many of the large-format tokens destroyed by user error, so this project is focusing on the smaller 'keyfob' tokens. It appears that CryptoCard actually supports entering a PIN into their keyfob format token, even though it only has a single button. The sales person I spoke with couldn't give a very good description as to how this works.
Rick Smith wrote:
> --On Monday, September 18, 2000 11:30 AM -0500 kadokev () msg net wrote:
>> I just recently noticed that unlike SecurID, SafeWord has no provision to use a PIN in combination with their key fob 'Safeword Silver 2000' token, so they are out of the running.
A few days ago (long before I signed Secure Computing's NDA last night, for any lawyers reading this) I was told that the next release of SafeWord will support using a PIN with the keyfob tokens. That puts SafeWord back in the running, head-to-head with SecurID.
> I've been told that the SecurID PIN is essentially a reusable password, consisting of digits, that's used in conjunction with the key fob. To log in, you enter both the number on the fob and the reusable password.
Most vendors offer a 'pinpad' style card where you type in the PIN (see above), but for all of the keyfob tokens, (except maybe CryptoCard, I'll know if they ever get me a demo) you are correct.
> The advantage is that attackers must work harder -- they must first intercept a successful login to retrieve the reusable part and then steal the fob to get the one time part. Furthermore, it involves less hardware since the fob doesn't need a keypad. On the other hand, it makes the PIN weaker since it can be sniffed. Does anyone think this matters?
This matters somewhat, but mostly to the truly paranoid (me). For example, your target has a laptop, and keeps their access token in the laptop case, or logs in from their desk, and leaves their token in the desk drawer. Or (heaven forbid) uses a 'soft token' installed on their computer. First you install a keystroke logger on their computer (hardware or software), then a few days later you can retrieve the token and the keystroke log. You now have both factors needed for the 'secure' two-factor authentication. I'm partial to the SNK-004 and similar hardware tokens with keypads and challenge-response algorithms, where the PIN is used to decrypt the shared secret. An invalid PIN will produce invalid results; there is nothing you can do to the card to extract the PIN or the unencrypted key; neither exists in the card except in the moment between when the user keys in his PIN and the card displays the computed response.

Kevin Kadow
MSG.Net, Inc.

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
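The keypad challenge-response design described in the last paragraph, as an added illustration that is not code from the list or the SNK-004's real algorithm: the token stores the shared secret only in PIN-wrapped form, so a wrong PIN silently yields a wrong response and neither the PIN nor the bare secret is at rest on the card. HMAC-SHA256 stands in for the DES step, and the secret, PIN and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed values: the auth server holds SHARED_SECRET; the token holds only the wrapped copy.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
RESPONSE_DIGITS = 8


def derive_pin_key(pin: str, salt: bytes, length: int) -> bytes:
    """Stretch the keypad PIN into a wrapping key; the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000, dklen=length)


def provision_token(shared_secret: bytes, pin: str, salt: bytes = b"") -> dict:
    """Personalise a token: keep only the secret XOR-masked under the PIN-derived key."""
    salt = salt or os.urandom(8)
    mask = derive_pin_key(pin, salt, len(shared_secret))
    wrapped = bytes(s ^ m for s, m in zip(shared_secret, mask))
    return {"salt": salt, "wrapped_secret": wrapped}


def unwrap_secret(token: dict, pin: str) -> bytes:
    """Any PIN unwraps to some bytes; only the right PIN reproduces the real secret."""
    mask = derive_pin_key(pin, token["salt"], len(token["wrapped_secret"]))
    return bytes(w ^ m for w, m in zip(token["wrapped_secret"], mask))


def compute_response(secret: bytes, challenge: str) -> str:
    """Challenge -> fixed-length digit string, as a keypad token would display it."""
    mac = hmac.new(secret, challenge.encode(), "sha256").digest()
    return str(int.from_bytes(mac[:4], "big") % 10**RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


def token_response(token: dict, pin: str, challenge: str) -> str:
    """What the card shows: the unwrapped secret exists only for this computation."""
    return compute_response(unwrap_secret(token, pin), challenge)


def server_verify(shared_secret: bytes, challenge: str, response: str) -> bool:
    """The auth server recomputes from its own copy and compares in constant time."""
    return hmac.compare_digest(compute_response(shared_secret, challenge), response)


if __name__ == "__main__":
    tok = provision_token(SHARED_SECRET, "4711")
    chal = "583920"
    print(server_verify(SHARED_SECRET, chal, token_response(tok, "4711", chal)))  # True
    print(server_verify(SHARED_SECRET, chal, token_response(tok, "4712", chal)))  # False
```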