The Register - UK firm touts alternative to digital certs (fwd)

Trei, Peter ptrei at rsasecurity.com
Mon Oct 21 07:14:01 PDT 2002


> David Howe[SMTP:DaveHowe at gmx.co.uk] writes:
> 
> at Sunday, October 20, 2002 2:22 PM, Jim Choate
> <ravage at einstein.ssz.com> was seen to say:
> > http://theregister.co.uk/content/6/27659.html
> looks like a dumbed-down version of the SecurID system.
> Basically, it works like this
> 
> 1. user enters five-digit pin code. code is in colours (four choices)
> not numbers though. Total pin keylength therefore ten bit.
> 2. device increments an internal counter, and generates a composite code
> comprising user id, current clock time and the internal counter (number
> of times card used, basically)
> 3. device uses single-DES to encrypt that data, and then binhexes it to
> give a keycode
> 4. user types in their username and keycode into website
> 5. website contacts quizid authentication server and verifies code is
> valid (and that account has enough to cover the transaction)
> 6. website completes transaction and bills quizid company
> 7. quizid company bills user's credit card.
> 
> the plus side here is that the website never knows the user's credit
> card details, and is given a oneshot authentication handle that is
> useless once verified.
> the downside is that the system has no way to verify an amount, and is
> only weakly protected (both in pin (weaker than the usual four digit ATM
> pin) and in transit (single-des????))
> 
[Disclosure: I work on SecurID]. 

This was discussed on Perry's Cryptography list last week.

It does look kind of like a "dumbed down SecurID" - but what 
it looks like even more is an ActivCard keychain token 
http://www.activcard.com/activ/products/end_user/activ_card_one/index.html
repackaged into a bigger form factor. The code generation scheme
appears similar as well. The Company Info page reveals that 
ActivCard actually manufactures the device. 

I'd be nervous about availability with centralized servers,
even if they are "triple redundant with two sites". DDOS 
attacks, infrastructure (backhoe) attacks, etc, could all 
wreak havoc.

I also wonder about scalability with centralized servers. A BBC article
http://news.bbc.co.uk/1/hi/technology/2334491.stm
claims 600 authentications/second, in a system which cost UKP 1M
in hardware alone. This is not really good enough if you're trying to
cover the world (or even just Britain) from one site. AOL gets about 
*50,000* login attempts per second at peak times, to give one admittedly 
extreme example.

Disclaimer: The above are my personal opinions only.

Peter Trei
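
The scheme in the quoted steps, sketched as an added example that is not part of the original posts and is not Quizid's or ActivCard's code: a device code built from user id, usage counter and clock, and a central verifier that accepts each counter once. Assumptions: HMAC-SHA256 stands in for the single-DES and binhex step, the clock has one-minute granularity, and all names, window sizes and the secret are hypothetical.

```python
import hashlib, hmac, math, struct

def pin_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a uniformly chosen PIN."""
    return length * math.log2(symbols)

def keycode(secret: bytes, user_id: str, counter: int, minute: int) -> str:
    """Device side: mix user id, usage counter and clock into a short code.
    Assumption: HMAC-SHA256 stands in for the single-DES + binhex step."""
    msg = user_id.encode() + struct.pack(">QQ", counter, minute)
    # Nothing about the purchase (e.g. the amount) is in msg, so the
    # code cannot vouch for what the merchant later bills.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]

class AuthServer:
    """Central verifier: accepts each counter value at most once."""
    def __init__(self, window: int = 1, lookahead: int = 5):
        self.window = window        # clock drift tolerated, in minutes (assumed)
        self.lookahead = lookahead  # unused button presses tolerated (assumed)
        self.accounts = {}          # user_id -> [secret, last accepted counter]

    def enroll(self, user_id: str, secret: bytes) -> None:
        self.accounts[user_id] = [secret, 0]

    def verify(self, user_id: str, code: str, now_minute: int) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        secret, last = acct
        for counter in range(last + 1, last + 1 + self.lookahead):
            for minute in range(now_minute - self.window, now_minute + self.window + 1):
                expected = keycode(secret, user_id, counter, minute)
                if hmac.compare_digest(expected, code):
                    acct[1] = counter  # burn this counter and all earlier ones
                    return True
        return False

def demo():
    server = AuthServer()
    secret = b"constructed-demo-secret"  # constructed sample value
    server.enroll("alice", secret)
    code = keycode(secret, "alice", 1, 1000)
    first = server.verify("alice", code, 1000)
    replay = server.verify("alice", code, 1000)
    return first, replay, pin_bits(4, 5), pin_bits(10, 4)

if __name__ == "__main__":
    print(demo())
```
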




