RE: [FW1] SecurID token crackable...
Chris,

Point taken and understood... but if you would have taken the time to read the note from SANS, it already said what you are trying to say... note:

"...Now that this algorithm has been duplicated, the security of the token is based only on the token initializer and the PIN used to access the system protected by the token. Therefore, it is extremely important that these files be properly protected. It should be assumed that if the initialization files have been compromised, so has the entire token system. These files are often stored on a floppy disk..."

No need for argumentative comments.... hehe.

-----Original Message-----
From: Christopher Byrne [mailto:[email protected]]
Sent: Saturday, December 30, 2000 10:41 PM
To: Amin Tora; 'FW-1-MailingList (E-mail)'
Subject: RE: [FW1] SecurID token crackable...

This is not exactly news. If you have those files and access to the SecurID algorithm, anyone could generate the correct token codes. If you have those files and are a SecurID customer, you can simply import them, change some clocks around using the software client, and figure out all of the responses for a particular token for the next 2-4 years.

The security of SecurID has always depended on keeping the seed files secure.

That still doesn't give you the PINs for the users. If you are using a strong PIN (8 characters, allow alpha, case sensitive), then they will need to sniff your users' sessions (and know that they have the correct session) in order to gain access.

Chris Byrne

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Amin Tora
Sent: Saturday, December 30, 2000 22:03
To: FW-1-MailingList (E-mail)
Subject: [FW1] SecurID token crackable...

Hey... I know it is not directly related to FW-1... but a lot of you may be using SecurID tokens/+ACE server along with FireWall-1... Just received this mail from SANS and thought I should spread the word... I.C. Weiner claims to have code that will generate the response to the ACE server's challenge as long as you have the ASC files... (files that come on a floppy when you buy your tokens)... ...another reason to highly and extremely protect that floppy and files!!!!!!... see note from SANS below...

excerpt from SANS news release (SANS Windows Security Digest Vol. 3 Num. 12 [email protected])
---------
"3.3. RSA SecurID Token is Crackable

I.C. Wiener released sample code showing how to generate SecurID token responses without having the physical token. According to the advisory, the algorithm is easily breakable if one has access to the ASC files used to initialize the tokens. Essentially, the code sample Wiener released is a SecurID emulator. This is interesting because RSA has claimed that part of the security of SecurID is the security of the algorithm it uses. Now that this algorithm has been duplicated, the security of the token is based only on the token initializer and the PIN used to access the system protected by the token. Therefore, it is extremely important that these files be properly protected. It should be assumed that if the initialization files have been compromised, so has the entire token system. These files are often stored on a floppy disk. As of this writing, it appears that observation of the numbers on the token is not enough, however, to determine the card secret."
----------

Amin Tora
Secure+
ePlus Technology

This message may contain confidential and/or proprietary information, and is intended only for the person / entity to whom it was originally destined. The use of this information and unauthorized access to this information for any other means is strictly prohibited. The content of this message may also contain private views and opinions that do not constitute a formal disclosure or commitment unless specifically stated.
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================