lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 25 Nov 2006 15:02:00 -0000
From: fcollyer@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Digipass Go3 Token Dumper (at least for 2006)

Thanks Hugo!

http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an insecure-encryption vulnerability because the device uses an insecure single-key encryption algorithm (...)"

That is not the case.
The C++ implementation that I've provided shows exactly the _opposite_!

Its core is 3DES_112(2 64 DES keys used) based.
I believe this was I misunderstanding from the list's guys. Nothing to worry seriously about.

I'm glad we have VASCO's clarification. And it seems to me that now the community is really free to analyze the truncation/decimalization side of Digipass.

Is it secure? Is it the best VASCO could've come with? And the key derivation process?...

Best regards,

Felipe Collyer
(a.k.a. faypou)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ