
Full Disclosure mailing list archives
RE: Clear text password exposure in Datakey's tokens and smartcards
From: Curt Sampson <cjs () cynic net>
Date: Mon, 9 Aug 2004 07:39:53 +0900 (JST)
On Fri, 6 Aug 2004, Dana Hudes wrote:

> On Fri, 6 Aug 2004 Bart.Lansing () kohls com wrote:
>
> > RSA has been doing PIN cards for ages...I don't get the hangup on SmartCards vs "plain old" something you have/something you know two factor
>
> As I understand it a "PIN Card" is a card with an EEPROM on it that contains a PIN. Possibly encrypted but it's the same effect as any other file. The host decides if the PIN matches.
The RSA SecurID system is a hardware token that generates a new number every minute using a sequence generator and a seed that is effectively a shared secret between the hardware token and the authentication server. You take the current minute's number and, usually, some other authentication information (such as a PIN or password) and pass both of those back to the authentication server, which will then determine whether the authentication is valid. It's a bit expensive, but it works ok.

RSA also sells "software tokens" which are the same thing, but as software that runs on a PC or handheld. This is particularly expensive for what you get, since the token is easily copied from the device, with no indication that it's been stolen. (At least with the hardware tokens you know when it's been stolen.) And it's also quite expensive: they charge $25-$80 for a "1 year" software token. I wish I had the gall to sell large quantities of 128 bit random numbers for $25 each.

cjs
--
Curt Sampson <cjs () cynic net> +81 90 7737 2974 http://www.NetBSD.org
Don't you know, in this new Dark Age, we're all light. --XTC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
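
The scheme described in the message above, as an added example that is not part of the original post and is not RSA's code: SecurID's generator is proprietary, so an HMAC-SHA1 counter code (RFC 4226 truncation over a 60-second step) stands in for it. The `AuthServer` class, its PIN handling, the skew window and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the message says the number changes every minute


def token_code(seed: bytes, now: float, digits: int = 6) -> str:
    """Code the token displays for the minute containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical server: holds each seed and a PIN verifier, rejects replays."""

    def __init__(self):
        self.users = {}  # name -> [seed, salt, pin_hash, last_counter_used]

    def enroll(self, name, seed, pin, salt):
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.users[name] = [seed, salt, pin_hash, -1]

    def verify(self, name, pin, code, now, skew=1):
        if name not in self.users:
            return False
        seed, salt, pin_hash, last = self.users[name]
        got = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        if not hmac.compare_digest(got, pin_hash):
            return False  # the "something you know" factor failed
        current = int(now) // STEP
        # Tolerate token clock drift of `skew` minutes either way.
        for counter in range(current - skew, current + skew + 1):
            if counter <= last:
                continue  # that minute's code (or a later one) was already used
            expected = token_code(seed, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.users[name][3] = counter
                return True
        return False
```

A copy of the seed passed to `token_code` yields codes the server cannot tell apart from the original token's, which is the software-token weakness the message points out.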