debunking snake oil
Vin McLellan
vin at theworld.com
Sun Sep 2 18:26:33 EDT 2007
At 12:40 PM 9/2/2007, Paul Walker wrote:
>I didn't realise the current SecurID tokens had been broken. A quick Google
>doesn't show anything, but I'm probably using the wrong terms. Do you have
>references for this that I could have a look at?
I'd also be interested in any evidence that the SecurID has been cracked.
Any credible report would have the immediate attention of tens of
thousands of RSA installations. Not to speak of EMC/RSA. itself, for
which I have been a consultant for many years.
AFAIK, there has never been a viable direct attack on a SecurID
hardware token -- except perhaps for DPA attacks against the old
64-bit SecurID tokens. DPA and similar side-channel attacks are a
generic threat to OTP tokens (as well as to any other ciphering
microchip), but the 128-bit AES SecurID that RSA introduced five
years ago to replace the classic 64-bit SecurID was also specially
designed to be DPA-resistant.
(There were also some fascinating, if wholly theoretical, statistical
attacks developed against to old SecurID by Biryukov, Lano, and
Preneel
<<https://www.cosic.esat.kuleuven.ac.be/pressReleases/ashf.pdf>https://www.cosic.esat.kuleuven.ac.be/pressReleases/ashf.pdf>
in 2003, and extended by Contini and Yin in '04
<<http://eprint.iacr.org/2003/205/>http://eprint.iacr.org/2003/205/>
-- but neither team was aware, when they wrote their papers, that RSA
was already filtering the random seeds used in the 64-bit tokens to
reduce the probability of the collisions their attacks planned to exploit.)
Today, the AES SecurID is pretty much the standard SecurID token,
although market demand has resulted in an increasingly broad array of
SecurID "soft tokens:" token-emulation applications for PDAs,
beepers, mobile phones, memory sticks, and PCs -- all of which have
the relative strengths and weaknesses of software crypto apps running
on potentially-accessible platforms.
In real-world implementations, SecurID installations have gotten more
vastly secure as VPNs and other end-to-end encryption has been used
to secure network links, but potential new threats have arisen
(particularly in the nascent mass market) with MitM attacks and new
malware like targeted trojans, which could possibly take over a
user's PC (and snatch the user PIN and an OTP for immediate
exploitation.) Such attacks have been reported, but -- like, say,
wiretapping -- they seem to be rare, cumbersome, and tend to draw
quick responses from LEAs.
If and when the market feels the threat deserves buttressing OTP
tokens with local client software for additional security, the IETF
has published an RFC on one option: RSA's EAP-POTP, the EAP protected
one time password protocol: <http://tinyurl.com/3a3uo8>. EAP-POTP is
one of the One-Time Password Specifications (OTPS), a series of
protocols, templates, and guidelines by which RSA and its many
partners have sought to standardize, for developers and integrators,
the use of OTPs in a wide variety of application environments to make
their use more trustworthy, predictable, and secure.
No security system is perfectly secure, of course, and AES may have
been cracked in some breakthrough, but I doubt it. Unsupported claims
that the SecurID is "snake old" seem rash, not to say unprofessional.
In its small but useful market niche, the simple SecurID,
complementing other security measures, has significantly enhanced the
security of thousands of IT and network environments for 20 years --
and will probably continue to do so, until (and perhaps only if) PKI
preempts its function with an alternative personal authentication token.
Suerte,
_Vin
----- in reference to --------------------
>On Sat, Sep 01, 2007 at 02:39:49PM +0200, Marcos el Ruptor wrote:
>
> > You can start with RSA SecurID, Texas Instruments DST40, Microchip
> > Technologies KeeLoq, Philips/NXP Hitag2, WEP RC4, Bluetooth E0, GSM A5...
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list