On Tue, 30 Jul 1996, C Matthew Curtin wrote:
> >>>>> "jlb" == LAN Administrator <bcislan@txdirect.net> writes:
>
> jlb> We are researching a product called Ascend Max used in
> jlb> cooperation with Security Dynamics SecurID and it looks very
> jlb> good. Pretty expensive but very secure.
>
> Is SecurID an encrypted link? It's foggy-memory-time, but don't they
> just do hand-held authenticator things, or am I thinking of someone
> else.
No, SecurID is only authentication, not encryption.
> Anyway, hand-held authenticators are only good for passive attacks
> like sniffing. Given the relative ease with which someone can turn
> sniffing into session hijacking, cleartext one-time passwords aren't
> very useful. I would dismiss the product unless it has the ability for
> encrypted links, like SSH or STel.
I disagree:)
First, it screens out a large class of attacks (sniffing passwords).
Second, you can't hijack a connection until one is established, and the
hijackee may very well complain. Third, the hijacked session may or may
not get the hijacker where she wants to go, and if the ultimate
destination is protected by SecurID the hijacked session won't help
without the card.
I agree that it's not a 100% fix. End to end encryption would be a lot
closer. Just because laws against murder don't prevent all murders
doesn't mean they're useless:)
--- David Miller
----------------------------------------------------------------------------
It's *amazing* what one can accomplish when
one doesn't know what one can't do!
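The point argued above, that a sniffed one-time code is worthless to the sniffer because the server will not accept it twice, can be shown with a small model of the authentication step. This is an added example, not SecurID's algorithm and not code from the thread: it uses RFC 4226 HOTP over a time step with a used-counter cache (hypothetical TokenServer class, constructed seed and timestamp), and it models only authentication, since the code still travels in the clear and whatever happens to the session afterwards is outside it.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TokenServer:
    """Hypothetical verifier for time-stepped one-time codes (TOTP-like).

    Every accepted counter is remembered, so a code captured off the wire
    is refused on replay even inside the clock-skew window.
    """

    def __init__(self, secret: bytes, step: int = 60, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window      # steps of clock skew tolerated either side
        self.used = set()         # counters already redeemed by a login

    def verify(self, code: str, now: float) -> bool:
        base = int(now // self.step)
        for counter in range(base - self.window, base + self.window + 1):
            if counter in self.used:      # anti-replay: one use per counter
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


def demo() -> dict:
    secret = b"constructed-demo-seed-not-a-real-token"  # constructed seed
    server = TokenServer(secret)
    now = 838_771_200.0                                  # constructed timestamp
    code = hotp(secret, int(now // server.step))         # what the token displays
    return {
        "legitimate_login": server.verify(code, now),
        "sniffed_code_replayed": server.verify(code, now + 5),       # same window
        "sniffed_code_replayed_later": server.verify(code, now + 3600),
        "wrong_code": server.verify("000000", now),
    }


if __name__ == "__main__":
    print(demo())
```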