[LINK] Security tokens
Kim Holburn
kim.holburn at gmail.com
Wed Nov 14 21:14:54 AEDT 2007
On 2007/Nov/14, at 10:25 AM, steve jenkin wrote:
> The 6-digit key is some subset of a larger internal number.
> A new number is generated every 60 seconds - it's effectively a very
> slow stream cipher.
> Somewhere will be a security analysis... They've been around for 2-3
> decades & in very high value targets - if they were obviously
> compromised, they'd be taken over already. i.e. the number sequence
> crypto is very strong.
>
> No two devices (should) be using the same keys & sequence.
>
> There are two protections:
> - bad guys' guess is 1 in 10^6 per 60 seconds.
> - the server limits the number of authentication attempts [rate &
> failed attempts]
>
> So, bad guys have maybe 3 chances in 10^6 to break into a single
> secure-id (after they've gained the id/passwd). Pretty slim.
> It's way easier to hijack an established session [search for: hijack
> e-gold trojan]
It might be secure and it might not. Banks are not exactly known for
choosing technologically secure software systems or at least not
being agile when it comes to new threats. It might be just a show of
security to make the client feel better. It's way easier to get the
punter to enter the key himself and pass that on to the bank. A "man
in the middle" style attack. Security bypassed simply.
My bank requires at certain times a selection of pictures. Harder to
hijack, although I guess a malicious injection of JavaScript could do
it.
> ----------------------------
>
> From <http://www.rsa.com/node.aspx?id=3050>
>
> RSA SecurID authentication offers a unique, time-synchronous solution
> that automatically changes the user’s password every 60 seconds. This
> makes our solution more secure than event-synchronous systems with
> passwords that can be valid for an indefinite period of time and easier
> to use than challenge-response systems that require multiple steps to
> generate a valid code.
>
> What’s more, RSA SecurID authentication is built upon the Advanced
> Encryption Standard (AES) algorithm, a recognized standard that is
> continuously scrutinized and challenged by cryptologists around the
> world to ensure its strength and dependability.
>
> RSA Security with its research arm, RSA Laboratories, is recognized as a
> leading firm in the field of cryptography. We continue to evolve our
> solutions to meet emerging threats. By investing in RSA SecurID
> authentication you’re getting a proven and tested solution that will
> meet your needs for years down the road.
>
> --
> Steve Jenkin, Info Tech, Systems and Design Specialist.
> 0412 786 915 (+61 412 786 915)
> PO Box 48, Kippax ACT 2615, AUSTRALIA
>
> sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
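As an added worked illustration (not part of either message above, and not RSA's actual SecurID algorithm): a toy time-synchronous token in the shape Steve describes, a 6-digit subset of a larger keyed value that changes every 60 seconds, together with the server-side attempt limit and the guessing bound that follows from it. The HMAC-SHA1 truncation, the seed value and the lockout threshold of three failures are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

DIGITS = 6          # the 6-digit key from the quoted description
WINDOW = 60         # a new value every 60 seconds
MAX_FAILURES = 3    # constructed lockout threshold, matching "maybe 3 chances"


def token_code(secret: bytes, now: int, window: int = WINDOW,
               digits: int = DIGITS) -> str:
    """Time-synchronous code for the window containing `now`. A keyed MAC
    of the window counter plays the "larger internal number"; the 6 digits
    shown are a truncated subset of it (RFC 6238-style truncation, used
    here as a stand-in, not RSA's own algorithm)."""
    counter = struct.pack(">Q", now // window)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    internal = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(internal % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accept the current window's code, lock after repeated failures."""

    def __init__(self, secret: bytes, max_failures: int = MAX_FAILURES) -> None:
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def check(self, code: str, now: int) -> bool:
        if self.locked:
            return False                          # every further try is refused
        expected = token_code(self.secret, now)
        if hmac.compare_digest(code.encode(), expected.encode()):  # constant time
            self.failures = 0
            return True
        self.failures += 1
        return False


def guess_success_probability(attempts: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` distinct blind guesses, all made before lockout
    inside one window, hit the current code: attempts / 10**digits."""
    return min(1.0, attempts / 10 ** digits)
```

With three guesses allowed, the bound is 3/10^6, the figure Steve arrives at; note that the lockout does nothing against the relay attack Kim describes, where the victim supplies the correct current code.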