Ge' Weijers (ge@Progressive-Systems.Com)
Wed, 24 Feb 1999 14:31:28 -0500
On Tue, Feb 23, 1999 at 09:59:43AM -0600, Bauer, Michael (C)(STP) wrote:
> At any rate there's gotta be a better (or at least cheaper but equally
> strong) way to authenticate users for dial-up or VPN than hard tokens.
Hard tokens provide one thing not available in software-only
solutions: the credentials are hard to copy. PK crypto and
certificates don't buy you much by themselves. Digital certificates
can be stolen surreptitiously from a laptop's hard disk, and an
offline dictionary attack on the encrypted private key is likely to
succeed.
In short: you may be better off just using passwords, especially if
you use an authentication method that does not leak any information
about the password.
Bruce Schneier made a passing reference to a product he had audited
that provided something like 'software tokens'. You'd need both the
'token' and a secret password to gain access, and offline attacks are
supposedly impossible. He could not discuss the internals yet because
he signed an NDA. I wonder whether it's available by now....
Ge'
--
Ge' Weijers                          Voice: (614)326 4600
Progressive Systems, Inc.            FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220