SecurID algorithm broken?

Dana J. Dawson dana at INTERPRISE.COM
Wed Mar 14 11:29:33 EST 2001


"Michael H. Warfield" wrote:
>
> On Tue, Mar 13, 2001 at 12:42:33AM -0600, Patrick Bryan wrote:
> > Can anyone confirm the, I guess, rumor about SecurID being broken? It came up
> > in a discussion recently and I am unsure if it is true.
>
>         Broken?  Define broken.
>
>         Published, yes.  It was published on BugTraq a couple of months
> ago.  Confirmed, yes.
>
>         It's also been analyzed by Mudge and Kingpin (@Stake) and the
> news doesn't look real good.
>
>         Looks like a 64 bit crypto system with all the attendant strength
> against brute forcing.  That being said, the worst thing is that they pass
> the user's PIN over the wire.  If someone CAN sniff enough tokens and the
> target is high enough priority to brute force the 64 bit "secret" then
> they already have your PIN and it's game over.
>
>         But being a high enough profile target to warrant brute forcing
> 64 bits is pretty significant.  Sniffing the half dozen tokens on top of
> that, makes it tougher (shoulder/desk surfing is possible but trickier to
> get the time values right).  Encrypting (SSL) the authenticating link
> eliminates the sniffing threat.
>
>         Broken?  No.  Beaten up, weakened, and staggering?  Maybe.
>
> > Thanks.
>
> > VPN is sponsored by SecurityFocus.COM
>
>         Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
>

Here's an analysis of the SecurID algorithm that some may find interesting:

  <http://www.atstake.com/research/reports/initial_securid_analysis.pdf>

Dana

--
Dana J. Dawson                              dana at interprise.com
Distinguished Principal Engineer            CCIE #1937
Qwest Communications International, Inc.    (612) 664-3364
600 Stinson Blvd., Suite 1S                 (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."
