RSA SecurID SID800 Token vulnerable by design

Paul Zuefeldt paul.zuefeldt at clearlogicsolutions.com
Sat Sep 16 17:17:49 EDT 2006


I wouldn't dispute any of the arguments made in the original or subsequent 
posts on this topic pointing out that the programmatic interface to the 
device opens a security hole. But I think it needs to be said that this is 
only in the environment where trojans, etc., can infiltrate the machine. 
Acknowledged... this is probably in 99.99% of the applications.

But in defense of the product, there are server-to-server type applications 
that don't involve a human which wouldn't be able to provide this style of 
two-factor authentication without a programmatic interface. And without 
hardware-based security solutions for these types of systems, they are 
vulnerable to compromise of keys and secrets by administrators. With a 
little physical security and isolation from the types of use that put them 
at risk for trojans, etc., the security hole under fire doesn't really 
exist. These systems do gain more security... by providing a device that 
doesn't allow an administrator to walk away with the secrets.

Maybe server-to-server applications weren't really the intended market for 
this particular product, but the point is that you need to be careful with 
blanket criticisms.

Regards,
Paul Zufeldt 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com