If you look at the logic of the RSA offline mode, you'll see that, though
appropriate for some scenarios, it's not appropriate for the FDE
environment.

The most obvious is simply there's not enough keyspace - I think I
worked out once that if you cached 30 days of sessions, that was about
all the keyspace the device had. Thus, you'd be certain of being able
to guess the key. In case it's not obvious, that means that if you
wanted users to be able to login for two weeks offline, you'd need to
cache 50% of the available keys.

Time based tokens rely on you having a fixed number of guessing
attempts, enforced by some tamper proof system (a remote ACE server);
they don't stand up well to the situation where the key you're trying
to obtain is stored without tamper proofing on the system under
attack.

A shame, because as you say it would be good if it could be done. The
only thing that comes close is X9.9 tokens, but they are clumsy for
users and unpopular.

It is indeed possible to do as Cooper suggests, but it's not good from
a security point of view, not good at all.

S.
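The keyspace and attempt-budget argument above, worked through as an added example (this is not code from the thread or from any vendor named in it). It models the offline scheme Cooper describes: a list of future tokencodes is cached on the disk, so the disk itself becomes the verifier. The tokencode length, the code rotation interval and the lockout budget are assumptions chosen for illustration; the post gives none of them, and the coverage figures scale directly with whichever values a real token uses. The model is general in `digits`, `window_seconds` and `offline_days`, so it covers more than the two offline periods named in the post.

```python
"""Risk model for caching time-based OTP codes on an FDE pre-boot disk.

Added example, not from the thread. Assumed parameters (labelled below):
6-digit tokencodes, one code per 60-second window, online lockout after
3 failed attempts. Change them to match a real token's documentation.
"""
from math import exp, lgamma

DIGITS = 6            # assumed tokencode length
WINDOW_SECONDS = 60   # assumed code rotation interval
ONLINE_LOCKOUT = 3    # assumed failed-attempt budget an online server enforces


def keyspace(digits=DIGITS):
    """Number of distinct tokencodes a token can display."""
    return 10 ** digits


def cached_code_count(offline_days, window_seconds=WINDOW_SECONDS):
    """Codes that must be cached ahead to cover `offline_days` offline: one per window."""
    return offline_days * 24 * 3600 // window_seconds


def cache_coverage(offline_days, digits=DIGITS, window_seconds=WINDOW_SECONDS):
    """Fraction of the whole code space that the on-disk cache will accept."""
    k = keyspace(digits)
    cached = min(cached_code_count(offline_days, window_seconds), k)
    return cached / k


def _log_comb(n, k):
    # log of C(n, k) via lgamma; avoids huge integers when k is large
    return lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)


def hit_probability(attempts, offline_days, digits=DIGITS, window_seconds=WINDOW_SECONDS):
    """P(at least one of `attempts` distinct guesses equals some cached code).

    Hypergeometric: the cache is a set of `c` accepted codes drawn from a
    space of size K; the guesser draws `attempts` codes without replacement.
    """
    k = keyspace(digits)
    c = min(cached_code_count(offline_days, window_seconds), k)
    a = min(attempts, k)
    if a == 0 or c == 0:
        return 0.0
    if a > k - c:
        return 1.0  # pigeonhole: more guesses than non-cached codes
    return 1.0 - exp(_log_comb(k - c, a) - _log_comb(k, a))


def online_risk(offline_days, lockout=ONLINE_LOCKOUT):
    """Guess success when a tamper-proof server caps attempts at `lockout`."""
    return hit_probability(lockout, offline_days)


def offline_risk(offline_days, digits=DIGITS):
    """Guess success when the verifier lives on the disk and attempts are unlimited.

    With no server to enforce a budget, every code can be tried against the
    cached list, so success is certain; the only cost is `keyspace()` checks.
    """
    return hit_probability(keyspace(digits), offline_days)


def compare(offline_days):
    """Return (cached codes, cache coverage, online P(hit), offline P(hit))."""
    return (
        cached_code_count(offline_days),
        cache_coverage(offline_days),
        online_risk(offline_days),
        offline_risk(offline_days),
    )


if __name__ == "__main__":
    print(f"{'offline days':>12} {'cached codes':>12} {'coverage':>9} {'online P':>9} {'offline P':>9}")
    for days in (1, 7, 14, 30):
        cached, cov, online, offline = compare(days)
        print(f"{days:>12} {cached:>12} {cov:>9.4f} {online:>9.4f} {offline:>9.1f}")
```

The two `*_risk` functions carry the post's point: the same cache that is barely exposed under a server-enforced lockout is certain to be recovered once the attempt budget disappears, because the cache, the verifier and the attempts all sit on the one disk the attacker holds. Lengthening the offline period only moves the online column toward the offline one.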

On Jul 30, 12:09 pm, "Coopers Hawk" <[EMAIL PROTECTED]> wrote:
> I'm disappointed that no products in this space support the RSA tokens at
> preboot.  It would be a huge win for any vendor and if someone spent a few
> minutes thinking about it I don't think it would be that *difficult* to
> implement.  Stop thinking about making a preboot network connection ... that
> is an overly complex way to look at it.  Consider the way RSA does it with a
> disconnected Windows logon ... just work with RSA to extend that to an
> always disconnected preboot environment (that syncs up future codes once
> connected inside Windows).  At this point it seems like all the vendors have
> relationships with RSA already so that shouldn't hold things up ... I say
> let the race begin.  I'll buy the first product that can do it well ;).
>
> Cooper
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>
> Behalf Of SafeBoot Simon
> Sent: Friday, July 27, 2007 10:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FDE] Best FDE-Product
>
> No, it's not linux based - we found Linux simply got too big when you
> added all the stuff we needed. No, we don't load network drivers
> (though we could) simply because we don't need them and to do so would
> open up exploits. Also, what drivers would you load anyway? There are
> hundreds of different network cards. Remember - we're trying to be
> small and fast.
>
> As for the dynamic RSA tokens - you probably realise they only work if
> you have a network connection to an ACE server, so again, no. We
> support things like the SID800 though which work stand alone.
>
> Imagine how hard it would be to support a user with a RSA C/R token
> working in a hotel over a VPN. We'd need a network stack, card
> drivers, probably a WIFI stack, VPN, web browser (to allow them to
> sign into the hotel wifi network) plus the ACE software - might as
> well just let them load windows and use SafeBoot Content Encryption
> instead.
>
> On Jul 27, 1:40 am, Zac Folini <[EMAIL PROTECTED]> wrote:
>
> > > Let's start with performance though - most FDE products use
> > > proprietary 16bit pre-boot OS's, SafeBoot uses a multi threaded 32bit
> > > OS, so naturally it's faster,
> >
> > Is Safeboot pre-boot OS based on Linux or BSD? If so, does it load network
> > drivers? Can Safeboot use RSA dynamic token for authentication?
>
>
> _______________________________________________
>
> FDE mailing list
>
> [EMAIL PROTECTED]
>
> http://www.xml-dev.com/mailman/listinfo/fde


_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
