[1076] in cryptography@c2.net mail archive
Re: Thoughts on the next target.
daemon@ATHENA.MIT.EDU (Frank Willoughby)
Tue Jun 24 14:27:55 1997
Date: Tue, 24 Jun 1997 09:13:24 -0500
To: "Marcus Leech" <mleech@nortel.ca>
From: Frank Willoughby <frankw@in.net>
Cc: dpj@world.std.com (David P. Jablon), cryptography@c2.net
At 09:59 PM 6/23/97 -0500, Marcus Leech wrote:
8< [snip]
> Brute-forcing the SecurID hash algorithm, for example would require
> that someone violate their license agreement with Security Dynamics/RSA.
> "Algorithm Thieves today showed that SecurID cards aren't as secure
> as manufacture claims".
Actually, an attacker doesn't need to crack the SecurID hash algorithm.
It's too much trouble & doesn't get you anywhere. Just let the user
log in to the system, disable the user's system (flooding attack) & take
over the session (session hijacking).
Any authentication-only mechanism (SecurID, Digital Pathways, S/Key,
etc.) is vulnerable to this attack. The only serious defense against
session hijacking requires end-to-end encryption (of course). 8^)
>----------------------------------------------------------------------
>Marcus Leech Mail: Dept 8M86, MS 238, CAR
>Systems Security Architect Phone: (ESN) 393-9145 +1 613 763 9145
>Systems Security Services Fax: (ESN) 395-1407 +1 613 765 1407
>Nortel Technology mleech@nortel.ca
>-----------------Expressed opinions are my own, not my employer's------
The opinions of the author of this mail may not necessarily be
representative of the opinions of Fortified Networks, Inc.
Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817
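An added illustration of the point made in the message above (not code from the thread or from any product it mentions): a server that checks identity once at login accepts any later command on the connection, while one that binds each command to a per-session key with a sequence number and an HMAC tag rejects injected and replayed commands. The server classes, the login code, the pre-shared secret and the nonce are all constructed for this example; the shared secret stands in for what an authenticated key exchange at login would establish.

```python
import hashlib, hmac, os, struct

LOGIN_CODE = b"482913"  # constructed stand-in for a one-time login code

class AuthOnlyServer:
    # Identity is checked once at login; afterwards every command on the
    # connection is trusted, so nothing ties it to the authenticated user.
    def __init__(self):
        self.authenticated = False
    def login(self, code):
        self.authenticated = hmac.compare_digest(code, LOGIN_CODE)
        return self.authenticated
    def handle(self, command):
        return self.authenticated

def derive_key(shared_secret, nonce):
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()
def mac(key, seq, command):
    return hmac.new(key, struct.pack(">Q", seq) + command, hashlib.sha256).digest()

class BoundSessionServer:
    # Login also fixes a per-session key; each command must carry a sequence
    # number and an HMAC tag under it (the integrity half of end-to-end protection).
    # Assumes shared_secret was agreed out of band (constructed simplification).
    def __init__(self, shared_secret):
        self.shared_secret, self.session_key, self.expected_seq = shared_secret, None, 0
    def login(self, code, nonce):
        if not hmac.compare_digest(code, LOGIN_CODE):
            return False
        self.session_key = derive_key(self.shared_secret, nonce)
        return True
    def handle(self, seq, command, tag):
        if self.session_key is None or seq != self.expected_seq:
            return False  # not logged in, or replayed / out-of-order
        if not hmac.compare_digest(tag, mac(self.session_key, seq, command)):
            return False  # sender does not hold the session key
        self.expected_seq += 1
        return True

def demo():
    # Same scenario for both servers: user logs in, then a third party injects a command.
    plain = AuthOnlyServer()
    plain.login(LOGIN_CODE)
    plain_injected = plain.handle(b"injected")  # True: indistinguishable from the user
    secret, nonce = os.urandom(32), os.urandom(16)
    bound = BoundSessionServer(secret)
    bound.login(LOGIN_CODE, nonce)
    key = derive_key(secret, nonce)  # the user's copy of the session key
    bound.handle(0, b"status", mac(key, 0, b"status"))  # user's own command: accepted
    bound_injected = bound.handle(1, b"injected", os.urandom(32))  # no valid tag: False
    bound_replay = bound.handle(0, b"status", mac(key, 0, b"status"))  # stale seq: False
    return plain_injected, bound_injected, bound_replay
```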