[3252] in cryptography@c2.net mail archive
Re: Time Based Token?
daemon@ATHENA.MIT.EDU (Frank Willoughby)
Tue Aug 25 19:12:00 1998
Date: Tue, 25 Aug 1998 17:32:10 -0500
To: tzeruch@ceddec.com
From: Frank Willoughby <frankw@in.net>
Cc: cryptography@c2.net
In-Reply-To: <98Aug24.210954edt.43013@brickwall.ceddec.com>
At 09:11 PM 8/24/98 -0400, tench@cede.com allegedly wrote:
>Now that I am playing with my palm III, something came up that made me
>think of that token which displays a different number every 30 seconds.
>
>Would something that would do a SHA1 of about 1K of random data (as a
>shared secret), and the current time be secure? Or would it have to be
>more elaborate?
Sounds like Securid, Digital Pathways, or other similar
authentication-only technology. Assuming this is the case,
I wouldn't touch it with a 20-foot pole.
First, the connection is vulnerable to session-hijacking (taking
over the network session AFTER you have been authenticated and
are logged onto the target system). Generally, it would take
about 4 mouse-clicks to hijack your session.
Second, while your traffic shouldn't be susceptible to replay
attacks, the contents of your network sessions can be disclosed
to anyone with a semi-decent sniffer.
The most effective way of preventing session-hijacking and
inadvertent or unauthorized disclosure of confidential info
over a network is to encrypt the sessions from end-to-end.
You might want to check out VPN solutions from your major
firewall and InfoSec vendors. In alphabetical order, Raptor
are V-ONE are pretty popular and secure enough to do what you
want to do. (Before you ask, no, Fortified Networks is vendor-
neutral and doesn't sell any vendor's products).
A couple of tips on VPNs:
o What encryption algorithms are used? Avoid (like the plague)
any companies which utilize proprietary encryption algorithms.
o Are the encryption keys exchanged securely?
o I personally don't particularly care for SSL or SOCKS
(IMO, the only thing SOCKS is good for is chasing mice
around the White House). 8^)
o Where in the OSI stack does it operate?
o Look for vendors who have been doing this for a couple
of years. Doing VPNs right is difficult at best. It
takes a lot of time & serious security engineering
expertise to get it right.
o Is the VPN scalable? How will it roll out with a thousand
or a million sessions?
o Does it play with Microsoft? Network Neighborhood over a VPN
isn't very easy to do right.
o Check references (thoroughly)
o Forget "certifications" Some organizations will "certify"
security products. IMO, the only one that is worth a hoot
is the NSA. You may not like them, but they are free of
conflict-of-interest issues and their security testing
is pretty thorough. Some commercial organizations that
"certify" products don't exactly have a great track record
in certifying security products. I would have failed almost
all that were "certified". IMO, if I was still in Europe,
I would basically file the "certifications" in our storage
office (Room Number "00" or "WC"). 8^)
o Etc, Etc. I could go on, but this IS the cryptography maiing list.
Last, but not least, while VPNs employ cryptography, I suspect that
discussions about VPNs would probably be outside of the scope of this
mailing list. If you (or the moderator) feel that this thread is not
within the scope of this list, feel free to contact me off-line.
Best Regards,
Frank
The opinions of the author of this mail may not necessarily be
representative of the opinions of Fortifed Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800 Fax: (317) 573-0817
