David Brown wrote:
> On Thu, Aug 28, 2008 at 03:32:56PM -0700, Andrew Lentvorski wrote:
>
>> Is it possible to create an open source SecurID-like keyfob? Building
>> the hardware should be *painfully* cheap. I'm staring at a full 8051
>> with flash from TI for under $10. It even does USB.
>>
>> The RSA keyfobs presumably have two things:
>>
>> 1) Unknown time-based algorithm for generating the factor
>
> The algorithm has been reverse engineered, and is fairly well
> understood. If you implemented the same algorithm even the same
> software would likely work. There would probably be legal issues if
> you tried to sell such a device.
>
> You might try searching the net. I believe there is a project to
> create an open token.
>
>> Security-by-obscurity is always bad, but I'll presume that RSA has a
>> good algorithm somewhere. I presume that we could find some good
>> algorithm that's already vetted by the security community.
>
> It's proprietary, but now documented. There is a 64-bit secret within
> each key. The secret must be given to the host software so it can
> verify the key sequence.

And that's the part I don't like.

Basically, if you manage to compromise the server, you can fake the
keyfob since the secret is now compromised.

Is there a way to do like public key crypto and have a public key on the
server and a private key in the fob that can both generate either a
matching function or verify that the token is correct when presented?
This sounds possible, but I don't have enough knowledge of the crypto
algorithms nowadays.

An interesting question is: why doesn't the SecurID keyfob do this? It
seems like a vastly more secure procedure and you wouldn't have to
recall all the keyfobs. You could just generate new public keys.

-a
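
Added example, not part of the original message and not RSA's algorithm: the property asked about above (the server can verify a token but cannot produce one) can be had without public-key signatures by using a time-indexed hash chain, Lamport's one-time password construction. The server stores only a hash image of the fob's tokens, so a copy of its state does not yield the next token. The names `Fob`, `Server`, `STEP` and `CHAIN_LEN`, the use of SHA-256 and the full 32-byte token are assumptions of this example.

```python
import hashlib
import hmac

STEP = 60           # seconds per token window (assumed value)
CHAIN_LEN = 10_000  # number of windows one seed is provisioned for (assumed)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(value: bytes, n: int) -> bytes:
    """Apply H to value n times."""
    for _ in range(n):
        value = H(value)
    return value

class Fob:
    """Holds the only secret: the seed at the start of the hash chain."""
    def __init__(self, seed: bytes, t0: int):
        self.seed, self.t0 = seed, t0

    def enroll(self) -> bytes:
        # Value given to the server at enrollment: H^CHAIN_LEN(seed).
        return chain(self.seed, CHAIN_LEN)

    def token(self, now: int) -> bytes:
        k = (now - self.t0) // STEP + 1      # window number, 1..CHAIN_LEN
        if not 1 <= k <= CHAIN_LEN:
            raise ValueError("chain exhausted or clock before t0")
        return chain(self.seed, CHAIN_LEN - k)

class Server:
    """Stores only the last accepted chain value, never the seed."""
    def __init__(self, anchor: bytes, t0: int):
        self.t0, self.k, self.value = t0, 0, anchor

    def verify(self, token: bytes, now: int) -> bool:
        k = (now - self.t0) // STEP + 1
        if not self.k < k <= CHAIN_LEN:      # replayed window or exhausted chain
            return False
        # Hashing a genuine token forward (k - self.k) times reaches the stored value.
        if not hmac.compare_digest(chain(token, k - self.k), self.value):
            return False
        self.k, self.value = k, token        # advance; older tokens are now dead
        return True
```

Producing a token for a later window from `Server.value` would require inverting SHA-256. When the chain runs out, the fob picks a new seed and only the new `enroll()` value has to reach the server.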