Perry E. Metzger (perry@piermont.com)
Thu, 01 Oct 1998 19:53:27 -0400
"John Moore" writes:
> > Okay. So, we've changed the problem from stealing the laptop to
> > stealing the token in the guy's wallet. Could you explain why this is
> > better in some way?
> Yes. The two factor works if the guy doesn't have a laptop. If he is using
> some other system to make access (yes, I know, it could have a trojan in
> it).
As I've noted, however, you can hijack the guy's TCP session if he
isn't running some sort of cryptographic authentication on the entire
connection anyway. If you want to use SecurID from a telnet from some
random machine, you are asking to be hacked.
Perry