From mboxrd@z Thu Jan 1 00:00:00 1970
To: 9fans@cse.psu.edu
From: Vin McLellan
Message-ID: <1f85b7d9.0402271411.f477f42@posting.google.com>
Content-Type: text/plain; charset=ISO-8859-1
References: , <20040227013823.0c2ba797@garlic>
Subject: Re: [9fans] pathetic
Date: Mon, 1 Mar 2004 10:34:44 +0000
Content-Transfer-Encoding: quoted-printable
Topicbox-Message-UUID: 069745a6-eacd-11e9-9e20-41e7f4b1d025

Ron Minnich asked:

> What I want to know is, what was Mr. Bill holding in his hand?

http://www.cnn.com/2004/TECH/biztech/02/25/microsoft.rsa.ap/index.html

> It sure got the journalists excited -- that picture was everywhere.

The AP photo slug described it as an "encrypted tag" -- whatever that is -- but Ron said "it looked like a USB dongle."

George Michaelson reported:

> It's SecurID re-worked into a smaller format from what I read
> elsewhere.

Close but not quite accurate. It's the classic RSA SecurID key fob, the same size as it's been for the past six or seven years. Maybe like many things -- markets, competitors, nations -- SecurIDs look smaller when they lie in the palm of Bill G ;-)

RSA's SecurID, for those who don't know, is a hand-held authentication token that uses the AES cipher to hash "Current Time," and a 128-bit secret, to generate (and continuously display in a small LCD) a series of 6-8 digit pseudo-random tokencodes that flip over every 60 seconds. (One-time passwords like this are typically used as evidence of "something held," and are paired with a user-memorized PIN or password, "something known," for two-factor authentication -- the classical definition of "strong authentication.")

The key fob has been the most popular form-factor for the SecurID for years, but many people -- including perhaps the AP photo editor -- still picture the SecurID as the credit card-size device that was its most common "form-factor" through the late 1980s and early 1990s.

Today, however, there are 7 or 8 different SecurID form-factors, including the SecurID card and key fob, but also including software modules that can be downloaded for Palm Pilots, Pocket PCs, Blackberries, Nokia and Sony/Ericsson mobile phones, as well as desktop PCs (where the physical security justifies the added risk). There is a whole spectrum of greater and lesser security associated with the implementations in these various form factors, obviously, but market demand continues to push SecurID functionality into devices the user already carries, and the SecurID's trustworthiness ultimately boils down to RSA's cryptographic grip on the 128-bit seed, the AES-protected shared secret.

I'll be surprised if RSA, for which I am a consultant, doesn't finally deliver, in '04, the SecurID wristwatch that SecurID inventor Ken Weiss was talking about in '87.

Guessing that the SecurID is shrinking was smart, George -- but the SecurID widget Bill G was waving around was just a standard SecurID fob.

You guys are obviously correct to note that increasing the rigor of the user authentication mechanism won't preclude attacks on the underlying Windows infrastructure, but -- by extending SecurID to the off-line PCs (a la S/key), and installing ACE/Agents (to demand two-factor authentication) at the domain controllers and terminal servers -- MS will greatly enhance the granularity of the IT audit record. In a marketplace increasingly shaped by HIPAA, Sarbanes-Oxley, and world-wide privacy regs, that itself has high value in corporate IT.

Suerte,

_Vin
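The time-based tokencode scheme Vin sketches (AES over the current time and a 128-bit seed, a 6-8 digit code that changes every 60 seconds) is shown below as an added illustration for the archive, not as RSA's proprietary SecurID algorithm and not code from anyone in the thread. It assumes a simplified construction in which AES-128 encrypts the 60-second time-step counter under the seed and the ciphertext is reduced to decimal digits; the seed and timestamps are constructed demo values, and the server side tolerates one step of clock drift in either direction.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Simplified time-based tokencode (illustrative; NOT RSA's SecurID algorithm):
// AES-128(seed, time-step counter) reduced modulo 10^digits.
const stepSeconds = 60

// tokencode derives a digits-long (6..8) code for unixTime under a 128-bit seed.
func tokencode(seed []byte, unixTime int64, digits int) (string, error) {
	if len(seed) != aes.BlockSize {
		return "", fmt.Errorf("seed must be 128 bits, got %d bits", len(seed)*8)
	}
	if digits < 6 || digits > 8 {
		return "", fmt.Errorf("digits must be 6..8, got %d", digits)
	}
	block, err := aes.NewCipher(seed)
	if err != nil {
		return "", err
	}
	// Plaintext block: 64-bit step counter in the low half, zero padding above it.
	var in, out [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], uint64(unixTime/stepSeconds))
	block.Encrypt(out[:], in[:])
	// Reduce the low 64 bits of the ciphertext to the requested number of digits.
	v := binary.BigEndian.Uint64(out[8:])
	mod := uint64(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, v%mod), nil
}

// verify accepts a code for the current step or one step either side (clock drift),
// comparing in constant time so a wrong guess leaks no timing information.
func verify(seed []byte, code string, now int64, digits int) bool {
	for _, off := range []int64{-1, 0, 1} {
		want, err := tokencode(seed, now+off*stepSeconds, digits)
		if err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("0123456789abcdef") // constructed demo seed; real seeds are random
	now := time.Now().Unix()
	code, _ := tokencode(seed, now, 6)
	fmt.Println("tokencode:", code, "accepted:", verify(seed, code, now, 6))
}
```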