Re: Announce: SecurID on PalmPilot available.


Vin McLellan (vin@shore.net)
Wed, 7 Apr 1999 04:59:55 -0400


 Bruce Schneier <schneier@counterpane.com> asked:
>Does this mean that the SecurID hash function is finally
>public?

        Nope, Brainard's 14 year-old hash is still proprietary. (You did
write something about old crypto being good crypto, didn't you? ;-)

        John Brainard, now with RSA Labs -- an SDTI subsidiary -- has designed
a new token with equivalent functionality, standards-based crypto, and some
additional defenses against the "smartcard" attacks you and Paul Kocher have
blueprinted, but I don't know how quickly it will be rolled out or when.

        Even with ACE/SecurID-based authentication being replaced with
SDTI's new PKI-based Keon system, there is great demand for the SecurID --
both as a traditional two-factor hand-held authenticator (HHA), and (as an
alternative to a smartcard) an HHA which allows a token-holder to download a
key through an SSL tunnel to unlock that user's PKI credential set.

        (In Keon, PKI credentials can be either stored encrypted on the
local workstation, or downloaded over SSL from a Keon Server on the network,
if the user is mobile -- or if he, or his Administrator, decides that his
local workstation can not be satisfactorily secured.)

        I think there are a few reverse-engineered copies of the SecurID
hash in illicit but limited circulation, but apparently no one has felt
that the world would be a better place if they were to publish it. Any
SDTI customer -- and I suspect most potential customers -- can review the
SecurID hash (and documentation and critiques, from RSA and third-parties)
under NDA.

        Not the same as open review, I know -- but ACE/SecurID remains an
artifact of a different generation of applied cryptography, from before
there was much of a private-sector crypto community. I tell John Brainard
that it will end up diagrammed on the wall of a museum some day.

        Obligatory admission: SDTI has me on retainer as a consultant and
sometimes even heeds my advice and suggestions.

                Suerte,
                                 _Vin
--------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto _vbm

 * Vin McLellan + The Privacy Guild + <vin@shore.net> *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548



The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:21