Marcus J. Ranum wrote:
> SecurID and many HHAs rely on "secret key" techniques
> for security. In other words, there is some kind of hidden
> shared secret which is used to encrypt/authenticate. That is
> not anywhere even remotely at all like being in the ballpark
> of "security through obscurity" unless you call having a
> secret encryption key "obscurity" in which case virtually
> all security is via obscurity and nothing more.
I'm not saying it's in the same league as hiding the phone number
of the dial-in line, but it is STO. OK, it's a wide field. The
discussion was whether or not STO is a Bad Thing. As you're aware,
hiding the number of the dial-in line is a bad idea, asking for
a pseudo-HHA authentication is a bad idea, etc, but the various
other components such as HHAs do use obscurity. It's just a lot
better than the two cases above. How do you define the difference?
Do you draw a line in the sand and say any scheme like this is STO,
but the others aren't? What, in your mind, is the delineation?
I'm asking that as a serious question, not a rhetorical one. At
first glance, the difference is that it is easy enough to crack
the first two examples, and nigh on impossible to crack the HHA.
Rick mentioned the fact that one is easy to change, and the other
isn't. In his example, a password can be changed readily, as can
an HHA. Fair enough.
> "seed" is not the right word. "key" is.
According to SDI (via Vin) the correct phrase is "card code".
> The reason for the confusion is because you assumed that
> the cipher "key" == "the card serial number"
Actually, technically, this was a connection made by someone else.
I used the phrase "serial number" not in the context of whatever's
on the back, but what the thing is programmed with off the line.
I don't actually have a SecurID card in front of me, although there
is a Digital Pathways HHA somewhere on my desk. Mea Culpa. I
shouldn't have said serial number, or seed, or key, I should have
said "card code". Guilty. Most of the vitriol came from people
who assumed I meant some sort of public information on the back of
the card, and that I implied that the algorithm was the only thing
which was secret. Not true.
> The reason
> people are jumping on you is because your statement sounded
> more authoritative than you perhaps intended it to.
People were up in arms because they feel I implied some sort of
weakness with the SecurID card which was never the intention nor
> It's not
> unlike arguing that Digital Pathways calculators may be
> insecure because the key inside is a permutation of the serial
I never made the point that they were insecure. Yes, I should have
said Digital Pathways, or "Hanks Handheld Authenticators". For that
matter I didn't state that the key inside is a permutation of the
serial number on the back.
> No, it is not "Security Through Obscurity" by any of
> the uses of the expression I can imagine.
This is because you have a defining line which delineates that which
you consider STO, and that which you consider something else. What
is that line? Does the fact that you don't have the source to NT
make it a good STO or a bad STO? OK, there are different issues here, such
as MTTR times, etc. A lot of people didn't have source to fingerd,
but RTM did.
> Methinks you misspoke slightly and came across as sounding
> like you thought you knew something you turn out to know nothing
That's your assumption and you're entitled to it, but it is a large
assumption if you read what I wrote, not what people replied to.
However, I resent the implication. Vin's reply was a lot more
informative, and a lot less supercilious.
Dermot Tynan +353 91 754608
com DTN: 822-4608
Digital Equipment International BV, Galway, Ireland