Vin McLellan (vin@shore.net)
Tue, 29 Sep 1998 22:34:28 -0400
Michael Bauer <mick@tiny.net> asked the List:
>| Has anybody performed or know of a cryptanalysis of the time-based
>| password system used by Security Dynamics' SecurID - ACE/Server system?
Perry Metzger <perry@piermont.com> dismissed the whole genre of
hand-held authentication tokens: "In a world of TCP hijacking, who cares if
the one time system is good?"
(Maybe someone who really wants to know who is coming through the VPN?)
Adam Shostack <adam@homeport.org> suggested his 1996 study,
"Apparent Weaknesses in the Security Dynamics Client/Server Protocol,"
which is posted at: <http://www.homeport.org/~adam/dimacs.html> or dimacs.ps
(For an important footnote on the vulnerabilities Mr. Shostack was
searching for in his paper, you will also want to read John Brainard's note
to Adam at: http://www.homeport.org/~adam/brainard.html Brainard, now with
RSA Labs, was the cryptographer who designed SDTI's ACE/SecurID system in
the mid-1980s.)
Vinnie Moscaritolo <vinnie@vmeng.com> helpfully recommended
PeiterZ's 1996 paper, "Weaknesses in SecurID," which is still at:
<ftp://ftp.secnet.com/pub/papers/securid.ps>
(Anyone who digs that deep might find my comments on the PeiterZ
paper entertaining. See: <http://www.epm.ornl.gov/~dunigan/otp.txt> SDTI's
Engineering VP Jim Kotanchik also published a response to the SNI/PeiterZ
attack. See: http://www.securid.com/products/whitepapers/index.html )
Mr. Bauer noted:
>| I heard a rumor that "holes" had been found in it.
Me too. Rumors about popular crypto-based products ebb and flow,
but never really dissapear. The cup runneth over at the moment on SecurID.
One simple-minded scheme for subverting the SecurID was floated on
the Bugtraq List last week. (Why don't people test these things before they
publish?) The Hot Rumor of the Month, however, seems to be a tale that some
mentsh from the Cult of the Dead Cow (cDc) hacker collective has figured
out how to calculate/guess the random-number Seed for a particular SecurID
with only two consecutive SecurID tokencodes.
Grown men ask me about this with a straight face. Honest.
Place your bets as you will Ladies, but the House will bet heavily
on John Brainard's 13 year-old SecurID hash, which takes in a 64-bit secret
Seed, and a 64-bit representation of Current Time, and produces a 6-8 digit
tokencode which rolls over every 60 seconds. The SecurID hash is
proprietary, but a lot of smart people (some on this list) have looked at
it under NDA, or studied hot copies that have been in circulation for the
past several years.
As a prominent but proprietary crypto product, ACE/SecurID has
always attracted rumors, hackers, amateur cryptographers. With millions of
people watching those numbers roll over on their SecurIDs, I suppose it is
inevitable that a certain percentage will even find the experience mystical.
The ACE client/server infrastructure dates from '91, and uses a mix
of proprietary Rivest hashes and DES symmetric crypto to manage an
authentication process that almost cries out for a PKC backbone. Many have
complained about the pace of change in the ACE protocol, particularly since
SDTI bought RSADSI. Planning the upgrade of the ACE/Agent modules -- which
have been integrated into multiple product lines from 70-odd independent
third-party vendors world-wide -- turned out to be a fairly gargantuan
project.
In six months or so, however, SDTI will finally displace its
proprietary ACE protocol with its new RSA-based SecurSight architecture.
Standards-based crypto; published protocol; cert-based public-key
infrastructure. All the Good Stuff. Then a whole new cycle of rumors can
begin.
Suerte,
_Vin
-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.
* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:02