• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

RSA SecureID vs CryptoCard

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Physical Security and Social Engineering

View previous topic :: View next topic  
Author Message
thomasjreige
Just Arrived
Just Arrived


Joined: 29 Sep 2005
Posts: 0


Offline

PostPosted: Thu Sep 29, 2005 12:05 pm    Post subject: RSA SecureID vs CryptoCard Reply with quote

Hi There,
I am currently at a point where i need to make a 2-factor authentication recommendation for a client of mine.

I have extensive experience with RSA SecureID but am wondering about the CryptoCard solution.

Has anyone had any experience with this software. Reason why we are up in arms is due to the price of RSA.

Thanks.

Tom.

Moderator note: Moved from Comments/Problems - capi
Back to top
View user's profile Send private message
rji
Just Arrived
Just Arrived


Joined: 18 Aug 2004
Posts: 0
Location: UK

Offline

PostPosted: Thu Sep 29, 2005 9:27 pm    Post subject: Reply with quote

we don't use rsa anymore, we use securenvoy which is considerably cheaper and better.

Hadn't heard of cryptocard until your post, I will watch post to observe comments.
Back to top
View user's profile Send private message
njan
Trusted SF Member
Trusted SF Member


Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Offline

PostPosted: Thu Sep 29, 2005 10:00 pm    Post subject: Reply with quote

rji wrote:

we don't use rsa anymore, we use securenvoy which is considerably cheaper and better.


Securenvoy is software-only, isn't it? It's always seemed a bit perverse to me to solve a problem which is caused by insecure software by implementing a hardware solution which is actually software.

To me, software running on a cellphone or pda (given that the architecture of a phone isn't designed for this and doesn't have the functionality embedded in hardware - such as an HSM or TPM - which actually secures this to the next level) is just as potentially insecure as any other software authentication system.

Challenge/response using a hardware device which can't simply be copied, patched, or hacked (a dongle which generates numbers, or to a certain extent a smartcard which necessitates *physical* copying and can't be broken into in the same way that a phone can) seems a whole lot safer. Smile

thomasjreige wrote:

I have extensive experience with RSA SecureID but am wondering about the CryptoCard solution.


Have you seen this (pdf)? Admittedly cryptocard marketing material, but plain facts & figures (as opposed to Get the Speculation) can't be fudged *that* much.. Wink
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
rji
Just Arrived
Just Arrived


Joined: 18 Aug 2004
Posts: 0
Location: UK

Offline

PostPosted: Thu Sep 29, 2005 10:29 pm    Post subject: Reply with quote

njan, your wrong.

securenvoy does not install any software on mobile phones, I believe you are thinking of swivel which is software based
Back to top
View user's profile Send private message
njan
Trusted SF Member
Trusted SF Member


Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Offline

PostPosted: Thu Sep 29, 2005 10:32 pm    Post subject: Reply with quote

rji wrote:

njan, your wrong.[sic]

securenvoy does not install any software on mobile phones, I believe you are thinking of swivel which is software based


It certainly uses them! Although my apologies, technically, it doesn't look like it has to use any software installed on phones:

securenvoy wrote:

Turn ANY GSM mobile phone into an authentication token by texting one time passcodes No Additional Hardware Token required. No End User Hardware deployment costs.

Innovative approach solves the problems with SMS delays and temporary loss of signal without having to have software installed on mobile phones.

Pre-sending the next required passcode after authentication gives plenty of time for the user to receive the next 6 digit passcode. If the end users mobile phone is temporarily out of range, switched off or the mobile phone provider is busy, the SMS message is stored and re-tried regularly for typically up to 4 days until it is successfully sent to the users phone.


It sends data via the SMS network; arguably insecurer since it's being sent unencrypted on a medium not designed for this, and due to the communications latency, loses the advantage of a challenge/response mechanism (since the 'innovative approach' broadens an intrusion window)!

For the same reasons that a software agent would be bad news, carrying this out using a platform (mobile phones) typically unfettered by security concerns, using software/hardware not designed for security and which is almost certainly trivial to break through in order to capture a user's PIN number just doesn't seem safe either! I'd far rather have a cryptocard or challenge/response mechanism using a hardware dongle protecting my systems! Smile

(Put it this way - using a mobile phone as your authentication mechanism only requires that a single employee set their bluetooth-enabled phone to 'discoverable' to make the whole system fairly trivial to bypass!)
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
rji
Just Arrived
Just Arrived


Joined: 18 Aug 2004
Posts: 0
Location: UK

Offline

PostPosted: Fri Sep 30, 2005 1:39 pm    Post subject: Reply with quote

The SMS messages are encrypted in transit.

Also I am more likely to look after my 300 mobile phone rather than a crappy dongle, plus I have a work mobile any way so if I can do away with the dongle great. One less thing to carry and lose.

Not only that, software in available to secure and encrpyt the contents of the mobile, if anybody attempted to crack the passsword to get into the phone then the device is wiped after a certain amount of failed attempts.
And the passcode is gone.[/quote]
Back to top
View user's profile Send private message
comrade
Just Arrived
Just Arrived


Joined: 15 Feb 2005
Posts: 0


Offline

PostPosted: Fri Sep 30, 2005 3:29 pm    Post subject: Reply with quote

I really want to suggest a OpenPGP card as found here:
http://www.g10code.de/p-card.html

But..while in theory that could solve your problems the software side of things might require some home brewing (while it works fine with gpg and everything that uses that, I'm not sure where one would start if you wanted to use it to log into the system),

Neat things those cards. I want one Smile
Back to top
View user's profile Send private message
njan
Trusted SF Member
Trusted SF Member


Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Offline

PostPosted: Fri Sep 30, 2005 7:33 pm    Post subject: Reply with quote

rji wrote:

The SMS messages are encrypted in transit.


As I understand it, the SMS messages aren't encrypted, the transport layer between the phone and the GSM gateway is - which means that anyone with access to the network from the GSM gateway onward or anyone who can crack the (generally weak) encryption between handset and gateway has easy access to the PIN.

rji wrote:

Also I am more likely to look after my 300 mobile phone rather than a crappy dongle, plus I have a work mobile any way so if I can do away with the dongle great. One less thing to carry and lose.


Again, as I pointed out, phones are inherently less secure than dongles. I can break into your phone, install malware on it, install a rootkit on it, exploit vulnerabilities in software, the OS, and the communications stacks. Viruses affect phones - but not dongles.

However secure your phone is, it's still a platform designed to be powerful and diverse, and to cater to consumers - it's not a security platform and until mobile phone operators start taking the idea of portable devices seriously (in a way they're starting to with devices such as smartphones) and actually building them with hardware security (a la TPM) and hardening the host OS to a degree they are now, they'll still be just as vulnerable as their larger counterparts (regular PCs).

Solving a problem caused by insecure regular PCs by implementing a second solution on another (smaller, different) Computer is inherently less secure than implementing a second solution on an entirely different device which doesn't have multiple means (touchpad, keypad, data connection, infrared, bluetooth, GSM, GPRS, 3G) to input and output data and which isn't designed to run (C, assembler, java, mobile .NET) applications which hook into the Operating System and cause the phone to be vulnerable to the same problems as PCs.

As phones become closer to PCs and the software becomes more advanced, these problems are only going to increase. Today's mobile phones are eminently more 'hackable' than the motorola bricks of yesteryear, and so on.

rji wrote:

Not only that, software in available to secure and encrpyt the contents of the mobile, if anybody attempted to crack the passsword to get into the phone then the device is wiped after a certain amount of failed attempts.
And the passcode is gone.


Which not only loses the advantage you cited earlier (no software), but also requires the business to have to rely on *five* third party sources of software/hardware/services at least (authentication vendor, phone vendor, phone OS vendor, encryption software vendor, phone provider) instead of one. A system with five vendors is inherently harder to troubleshoot than one with one.

This also relies on the business to implement their own solution, unsupported by the authentication vendor, in order simply to bring the security of their authentication solution up to the standard of the hardware-only vendor's.

Wink
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
rji
Just Arrived
Just Arrived


Joined: 18 Aug 2004
Posts: 0
Location: UK

Offline

PostPosted: Fri Sep 30, 2005 8:11 pm    Post subject: Reply with quote

This debate could go on forever.

SMS Encryption

An sms message is sent through the gsm signalling channel, in order to obtain an sms in transit one would have to crack the gsm encryption protocols.

GSM Encryption Standards

Nearly every GSM operator in the world uses an algorithm called comp128 for both a3 and a8 algorithms. comp128 is the reference algorithm for the tasks pointed out by the gsm consortium. The comp128 is based on 128bit key lengths and like all encryption systems could be cracked given enough computing powe, time and money. Although to date there has been no evidence of gsm algorithms being cracked.

From GSM Association

The GSM association says the approach "requires the attacker to transmit distinctive data over the air to masquerade as a gsm base station". This is illegal in most countries, the association says, so anyone attempting an attack on a significant scale would expect to be traced and caught.



Lastly, most serious enterprise companies/employees rely heavily on mobile phones to conduct business activities, so these devices are gonna be protected from unauthorised access, encrypted etc. So using this device for two factor authentication makes sense.
Back to top
View user's profile Send private message
njan
Trusted SF Member
Trusted SF Member


Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Offline

PostPosted: Fri Sep 30, 2005 8:36 pm    Post subject: Reply with quote

rji wrote:

This debate could go on forever.


If neither party listened to the other and kept spouting stuff, sure; I like to think that I listen and accomodate; if you do the same, the conversation will resolve quite quickly (this is actually quite Platonic. Razz)

rji wrote:

(Stuff about SMS Encryption being strong)


According to this wikipedia article about GSM, GSM uses "The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy". The article about A5/2 has the following to say about the security of it: "In 1999, Ian Goldberg and David Wagner cryptanalyzed A5/2 in the same month it was published, and showed that it was extremely weak so much so that low end equipment can probably break it in real time.".

Mobile phone encryption has been broken before (anyone remember Squidgygate? A young chap from Oxfordshire who lived just down the road from me at the time recorded a member of the Royal Family's mobile phone conversations), and mobile phone systems are probably first in line for security overhaul - I think I'm right in saying that online transactions use far stronger algorithms, and even these (such as the older variants of SSL) are quite potentially breakable.

Again, you've also ignored my point about the encryption being at the transport layer - once you're higher in the infrastructure than the cells, this becomes irrelevant as I'm fairly sure that SMS messages are routed unencrypted through portions of the carrier's network.

rji wrote:

Lastly, most serious enterprise companies/employees rely heavily on mobile phones to conduct business activities, so these devices are gonna be protected from unauthorised access, encrypted etc. So using this device for two factor authentication makes sense.


This is a logical fallacy which is known critically as the 'argumentum ad populum', or bandwagon fallacy. Put simply, this logical fallacy refers to any situation where someone argues a point where "something is 'proven' by stating that many or all people believe it, or acceptable because many people do it. If everybody believes so, it is so." (taken, as ever, from wikipedia).

By that same logic, 75% of wireless networks are unencrypted, and wireless networks are relied on heavily - that must mean that no WEP is secure! Great, I'll turn it off on my router and disable the VPN server; I never liked the performance loss, anyway. (This is another logical fallacy referred to as an Appeal to emotion. Luckily I already presented my case logically, so this just serves to rhetorically back it up. Razz).

More seriously, mobile phones are heavily used, you're right; but most mobile phones aren't secured adequately by businesses - this applies to laptops (and has done, in the military even, for quite some time), and even more to mobile phones, which are a (comparatively) more poorly understood and more recently deployed aspect of many businesses IT setups.

Mobile phones are difficult to securely manage - they're virtually impossible to manage configuration of, they're very hard to securely store data on, and they were never designed (and the technology underpinning them was never designed) to do many of the things that they do. SMS was never anticipated to even take off to the degree it has, let alone be used for authentication.

By contrast, hardware dongles (to get back to my point) were designed from the ground up to be securely used for this, and vastly surpass mobile phones in this respect.

This is before you even start to consider that the normal security concerns underpinning mobile phones (such as the fact that bluetooth and IR make it very easy for a would-be intruder to steal your employees' contacts, data, send SMS messages as them, or access their sent SMSs) are far, far surpassed by the fact that modern mobile phones are basically small computers - rootkits, keyloggers, viruses, malware and the like are very real threats for these, particularly since on a mobile phone (which is hard to use for advanced functionality to start with), no-one wants to start resorting to similar security measures as larger computers (passwords, etc).

How long is it before we're going to need dual-factor signon for our mobile phones? And how will you implement dual-factor signon for your dual-factor signon device? Where does the nightmare end? Razz

As an example illustrating my point, Orange have recently stopped mandating code signing on smartphone handsets on their network (since it's a pain for users to install unsigned code). The effect that this has is that I can (if you have a newer handset without code signing setup, or if you've disabled it) stick an SD card in your orange smartphone and install any software I want on your phone in just a few seconds when you're in the toilet, phone left on your desk (or on the train table, or in a cafe... etc etc) - software which hooks into the audio system and rebroadcasts your calls over the wifi card, software which records your keystrokes and input, software which records your SMS traffic - anything is possible. Tell me how, exactly, you'd accomplish anything similar with an RSA SecurID (or a cryptocard - I don't care about vendors, it's a fault with the theory) without resorting to simply recording me punching my PIN into the unit or just stealing the damn thing?

I never said that mobile phones had no validity for this - I think they're an extremely convenient method of dual-factor sign on (since they're so ubiquitous), and I think that using SMS for this is quite ingenious - but I don't think it's secure. I'd love to use my mobile phone for a setup like this, but I'd never, ever deploy it myself.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
rji
Just Arrived
Just Arrived


Joined: 18 Aug 2004
Posts: 0
Location: UK

Offline

PostPosted: Fri Sep 30, 2005 8:59 pm    Post subject: Reply with quote

I've believe the only way to learned is by finding 2 sides to a story, the pros and cons etc. I'll research and ask questions from various trusted sources and form an opinon from the information gathered.
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Physical Security and Social Engineering All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register