RE: Cryptanalysis of SecurID (ACE/Server)


John Moore (jmoore@speedchoice.com)
Thu, 1 Oct 1998 16:49:05 -0700


> -----Original Message-----
> From: Perry E. Metzger [mailto:perry@piermont.com]
>
> Encryption technology has many uses. Although you may be unfamiliar
> with the use of encryption for authentication, the developers of
> technologies like IPSec and SSH do not seem to have been ignorant
> of these techniques. MACs and digital signatures are hardly shocking
> and unknown technologies.

> The token isn't bonded to the person's skin. It is just as easily
> stolen as anything else -- like their laptop with their (encrypted)
> private key, say.
[...]
>
> Okay. So, we've changed the problem from stealing the laptop to
> stealing the token in the guy's wallet. Could you explain why this is
> better in some way?
>
>
Yes. The two factor works if the guy doesn't have a laptop. If he is using
some other system to make access (yes, I know, it could have a trojan in
it). Or, if he is using a shared system. In other words, one could consider
the SecurID token sort of like a portable key - it can significantly reduce
key/certificate management problems and increase security.

I might be at a friend's home and need secure access to a critical system.
How do I do that in a secure manner - for example, one that doesn't allow
him to simply grab my password and use it later?
What methodology verifies by both physical and secret-knowledge encryption?
How would you achieve this?

With a time-varying token, I know how to do this (understanding the
weaknesses of the system that have been posted here already).

John



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:19