lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Pine.NEB.4.58.0408090732460.459@angelic-vtfw.cvpn.cynic.net>
Date: Mon, 9 Aug 2004 07:39:53 +0900 (JST)
From: Curt Sampson <cjs@...ic.net>
To: Dana Hudes <dhudes@...-ip.info>
Cc: Bart.Lansing@...ls.com, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: RE: Clear text password exposure in Datakey's
 tokens and smartcards


On Fri, 6 Aug 2004, Dana Hudes wrote:

>  On Fri, 6 Aug 2004 Bart.Lansing@...ls.com wrote:
>
> > RSA has been doing PIN cards for ages...I don't get the hangup on
> > SmartCards vs "plain old" something you have/something you know two factor
>
> as I understand it a "PIN Card" is a card with an EEPROM on it that
> contains a PIN.  Possibly encrypted but its the same effect as any other
> file. The host decides if the PIN matches.

The RSA SecurID system is a hardware token that generates a new number
every minute using a sequence generator and a seed that is effectively
a shared secret between the hardware token and the authentication
server. You take the current minute's number and, usually, some other
authentication information (such as a PIN or password) and pass both
of those back to the authentication server, which will then determine
whether the authentication is valid.

It's a bit expensive, but it works ok.

RSA also sells "software tokens" which are the same thing, but as
software that runs on a PC or handheld. This is particularly expensive
for what you get, since the token is easily copied from the device, with
no indication that it's been stolen. (At least with the hardware tokens
you know when it's been stolen.) And it's also quite expensive: they
charge $25-$80 for a "1 year" software token. I wish I had the gall to
sell large quantities of 128 bit random numbers for $25 each.

cjs
-- 
Curt Sampson  <cjs@...ic.net>   +81 90 7737 2974   http://www.NetBSD.org
    Don't you know, in this new Dark Age, we're all light.  --XTC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ