=?ISO-8859-1?Q?J=FCri_Kaljundi?= wrote: | Wed, 7 Aug 1996 anonymous-remailer@shell.portal.com wrote: | | > F2 is a secret hash from SecurityDynamics, and is used in | > their client software. (Its not the hash in the cards, but | > if anyone has a copy of that, it might be fun.) | | As I have to deal with SecurID tokens in the nearest future, I would like | to hear more opinions about these cards. IMHO a proprietary algorithm like | used in those cards is a bad thing and I would like an open approach much | more, I still believe SecurID OTP cards are much better then usual | passwords. I happen to run a mailing list, sdadmin, for folks to talk about SDTI technologies. Talk to majordomo@jabberwocky.bbnplanet.com. There are a number of cards out there. I've been looking at CryptoCard & SNK recently, as well as V-One's smartmouse & virtual smart card technologies. I'd be very interested in seeing the algorithims come out, especially F2. I have a few attacks that look very nice on paper that I'd like to try out. | At Defcon this year they promised to tell about some security flaws in | SecurID tokens, anyone know more about that? My understanding is that the guy who was going to give the talk had nda difficulties. Vin? Did you make it out? The talk was going to be on race conditions, denial of service attacks, and the like. | Personally I believe that Security Dynamics should come out with some kind | of new systems in the nearest future, now that they own RSA.=20 This should be interesting, if they can find people to make things happen before 2000. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume

This doesn't work as of version 1.3(?) and later. There is a time delay before the 'ok' message is sent by the server. If it gets two correct login attempts in the delay period (1-5 seconds, default 2), it assumes an attack is underway and rejects them both. Adam =?ISO-8859-1?Q?J=FCri_Kaljundi?= wrote: | Wed, 7 Aug 1996, Adam Shostack wrote: | > J=FCri Kaljundi wrote: | > | At Defcon this year they promised to tell about some security flaws in | > | SecurID tokens, anyone know more about that? | > =09My understanding is that the guy who was going to give the | > talk had nda difficulties. Vin? Did you make it out? The talk was | > going to be on race conditions, denial of service attacks, and the | > like. | | This is something that seems to be a little problematic to me. Considering | the 3-minute time slot, it seems fairly easy to somehow block the SecurID | server at the time a user is sending his username/passcode, steal that | information and allow a malicious user to enter that information into the | server. Or have I misunderstood some security aspects? | | J=FCri Kaljundi | AS Stallion | jk@stallion.ee -- "It is seldom that liberty of any kind is lost all at once." -Hume