RE: Cryptanalysis of SecurID (ACE/Server)

John Moore (jmoore@speedchoice.com)
Thu, 1 Oct 1998 17:01:36 -0700

• Next message: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Previous message: Perry E. Metzger: "Re: Cryptanalysis of SecurID (ACE/Server)"
• In reply to: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Next in thread: Bruce Schneier: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Reply: Bruce Schneier: "RE: Cryptanalysis of SecurID (ACE/Server)"

> -----Original Message-----
> From: Perry E. Metzger [mailto:perry@piermont.com]
> Sent: Thursday, October 01, 1998 4:53 PM
> To: John Moore
> Cc: CodherPlunks
> Subject: Re: Cryptanalysis of SecurID (ACE/Server)
>
>
>
> "John Moore" writes:
> > > Okay. So, we've changed the problem from stealing the laptop to
> > > stealing the token in the guy's wallet. Could you explain why this is
> > > better in some way?
>
> > Yes. The two fact works if the guy doesn't have a laptop. If he is using
> > some other system to make access (yes, I know, it could have a trojan in
> > it).
>
> As I've noted, however, you can hijack the guy's TCP session if he
> isn't running some sort of cryptographic authentication on the entire
> connection anyway. If you want to use SecurID from a telnet from some
> random machine, you are asking to be hacked.

And if the other guy has, let's say, encrypted VPN access? SSH? HTTPS? After
all, I might just be going to a secure website to do my work.

• Next message: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Previous message: Perry E. Metzger: "Re: Cryptanalysis of SecurID (ACE/Server)"
• In reply to: John Moore: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Next in thread: Bruce Schneier: "RE: Cryptanalysis of SecurID (ACE/Server)"
• Reply: Bruce Schneier: "RE: Cryptanalysis of SecurID (ACE/Server)"