This discussion has been going on for some while. SecurID has probably
been unfairly singled out (perhaps because they are widely used). Many of
the issues are relevant to all similar authentication mechanisms. I'll use
SecurID since I'm familiar with them and some of the conversations are
centered on them.
From my side conversations, I really don't think that knowing the serial
number will provide you any information related to the display. As I
recollect, SecurID has been approved by various security agencies as a means
of authentication. That tells me that someone outside Security Dynamics has
looked at the algorithms, card security, and such and determined that they
did things right. Based on the various people I've talked to, they are
reasonably confident that, even if someone knew the algorithm, it is
unlikely that all my cards will be hacked.
From a practical side: the 'firewalls' newsgroup mail is essentially
indicating that, if you knew the algorithm and seed, you could hack my
system. So where do you get the seed from? There are 2 places: the database
(which, if that is successfully hacked, I'm in big trouble) or the card.
(I'll ignore the database hack for this mail.)
Taking the "I can't believe it" scenario that the seed is tied to the
serial number, you get my card and serial number. If I was overly concerned
about that, I'd remove the serial number decal and replace it with my own
random value which would force you to physically open the card. (Yes, I'd
have to have a file which contained a map somewhere.) The other approach
would be to (blame spicy food and lack of sleep on this) determine the key
by looking at the numbers. Again, you'd need access to the card and lots of
time.