9fans - fans of the OS Plan 9 from Bell Labs
From: Vin McLellan <vin@theworld.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] pathetic
Date: Mon,  1 Mar 2004 10:34:44 +0000
Message-ID: <1f85b7d9.0402271411.f477f42@posting.google.com>
In-Reply-To: <20040227013823.0c2ba797@garlic>

Ron Minnich <rminnich@lanl.gov> asked:

>What I want to know is, what was Mr. Bill holding in his hand? 

http://www.cnn.com/2004/TECH/biztech/02/25/microsoft.rsa.ap/index.html

>It sure got the journalists excited -- that picture was everywhere.

	The AP photo slug described it as an "encrypted tag" -- whatever that is
-- but Ron said "it looked like a USB dongle."

	George Michaelson <ggm@apnic.net> reported:

> It's SecurID re-worked into a smaller format from what I read
> elsewhere.

	Close but not quite accurate. It's the classic RSA SecurID key fob,
the same size as it's been for the past six or seven years. Maybe like
many things -- markets, competitors, nations -- SecurIDs look smaller
when they lie in the palm of Bill G;-)

	RSA's SecurID, for those who don't know, is a hand-held
authentication token that uses the AES cipher to hash "Current Time,"
and a 128-bit secret, to generate (and continuously display in a small
LCD) a series of 6-8 digit pseudo-random tokencodes that flip over
every 60 seconds. (One-time passwords like this are typically used as
evidence of "something held," and are paired with a user-memorized PIN
or password, "something known," for two-factor authentication -- the
classical definition of "strong authentication.")

	The key fob has been the most popular form-factor for the SecurID for
years, but many people -- including perhaps the AP photo editor --
still picture the SecurID as the credit card-size device that was its
most common "form-factor" through the late 1980s and early 1990s.

	Today, however, there are 7 or 8 different SecurID form-factors,
including the SecurID card and key fob, but also including software
modules that can be downloaded for Palm Pilots, Pocket PCs,
Blackberries, Nokia and Sony/Ericsson mobile phones, as well as
desktop PCs (where the physical security justifies the added risk.)

        There is a whole spectrum of greater and lesser security
associated with the implementations in these various form factors,
obviously, but market demand continues to push SecurID functionality
into devices the user already carries, and the SecurID's
trustworthiness ultimately boils down to RSA's cryptographic grip on
the 128-bit seed, the AES-protected shared secret.

	I'll be surprised if RSA, for which I am a consultant, doesn't
finally deliver, in '04, the SecurID wristwatch that SecurID inventor
Ken Weiss was talking about in '87. Guessing that the SecurID is
shrinking was smart, George -- but the SecurID widget Bill G was
waving around was just a standard SecurID fob.

        You guys are obviously correct to note that increasing the
rigor of the user authentication mechanism won't preclude attacks on
the underlying Windows infrastructure, but -- by extending SecurID to
the off-line PCs (a la S/key), and installing ACE/Agents (to demand
two-factor authentication) at the domain controllers and terminal
servers -- MS will greatly enhance the granularity of the IT audit
record. In a marketplace increasingly shaped by HIPAA, Sarbanes-Oxley,
and world-wide privacy regs, that itself has high value in corporate
IT.

        Suerte,
                _Vin
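
As an added illustration (not part of Vin's message, and not RSA's code), here is a constructed token of the kind described above: AES-128 over a 60-second time counter and a 128-bit seed, reduced to six digits, with the server-side check that pairs it with a PIN, tolerates clock drift and refuses a code that has already been used. The derivation, the PIN handling and the seed are assumptions; RSA's real SecurID algorithm is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Seconds each tokencode stays valid (60 per the message).
const tokenPeriod = 60

// Tokencode derives a 6-digit code for a Unix time from a 128-bit seed.
// Constructed illustration: AES-128 of the 60-second counter, reduced to
// 6 decimal digits. It is not RSA's actual SecurID algorithm.
func Tokencode(seed [16]byte, unixTime int64) (string, error) {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		return "", err
	}
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[:8], uint64(unixTime/tokenPeriod))
	block.Encrypt(out[:], in[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(out[:4])%1000000), nil
}

// Verifier is the server-side state for one token holder.
type Verifier struct {
	Seed        [16]byte
	PIN         string // "something known", typed in front of the tokencode
	Skew        int    // periods of clock drift accepted either side of now
	LastCounter int64  // newest counter already accepted; blocks replay
}

// Verify checks a passcode (PIN followed by tokencode) submitted at time now.
func (v *Verifier) Verify(passcode string, now int64) bool {
	for d := -v.Skew; d <= v.Skew; d++ {
		c := now/tokenPeriod + int64(d)
		if c <= v.LastCounter {
			continue // a code from this period was already used: reject replay
		}
		code, err := Tokencode(v.Seed, c*tokenPeriod)
		// Compare the whole passcode in constant time so neither part leaks via timing.
		if err == nil && subtle.ConstantTimeCompare([]byte(v.PIN+code), []byte(passcode)) == 1 {
			v.LastCounter = c
			return true
		}
	}
	return false
}
```

A real deployment would also rate-limit failed attempts per token and log each accepted counter, since the audit trail is the point Vin makes about the domain-controller agents.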
