Is Barclays Pinsentry part of RSA SecurID - and compromised?

Tony Naggs tony.naggs at googlemail.com
Sun Mar 27 23:31:42 BST 2011


No, RSA SecurID is a quite different technology.

An RSA SecurID token is physically a standalone object, about 2" * 1"
* 1.2", with an LCD showing a 6-digit number that changes every minute.
Each token has a unique serial number, and maybe a secret customer
identification number for each company that uses the system, which are
the basis for deriving the displayed number. (Details are not published
by RSA.)  The token serial number is registered for the user with the
company, and then the remote user identifies herself with both a
password or PIN (something she knows) and the currently displayed
number (something she has). This is the basis of so-called two-factor
authentication.

Speculation about RSA SecurID being broken is guessing that some
secret design aspects of the system have been stolen, or maybe a list
of companies using SecurID & the embedded per company secret seed
numbers. Even if true, a bad person would still have to have some very
specific information for it to be of use: a user's account, their
normal password and/or PIN, and the serial number of the SecurID
token.

Regards,
Tony

On 27 March 2011 11:11, Mary Hawking <maryhawking at tigers.demon.co.uk> wrote:
> http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/
>
> Is the Barclays pinsentry an example of RSA SecurID?
> AFAIAA NHS smartcards are not - unless there is something in Gem
> Authenticate (installed on the PC) - using this technology.
>
> Mary Hawking
>
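
The two-factor check described in the reply above, as an added example that is not part of the original thread and is not RSA's code. Since the SecurID algorithm is unpublished, the code derivation here uses the public RFC 4226/6238 HMAC truncation as a stand-in; `AuthServer`, `enrol` and the account, PIN and serial values used with it are hypothetical.

```python
import hashlib
import hmac
import os
import struct

STEP = 60  # seconds; the post says the displayed number changes every minute


def token_code(seed: bytes, now: int) -> str:
    """6-digit code from a per-token seed and the current minute (RFC 6238 style,
    a public stand-in for the unpublished SecurID derivation)."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Hypothetical verifier: each account is bound to one token serial."""

    def __init__(self):
        self.seeds = {}     # token serial -> secret seed
        self.accounts = {}  # account -> [salt, pin_hash, serial, last_step_used]

    def enrol(self, account: str, pin: str, serial: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.seeds[serial] = seed
        self.accounts[account] = [salt, _pin_hash(pin, salt), serial, -1]

    def verify(self, account: str, pin: str, code: str, now: int) -> bool:
        rec = self.accounts.get(account)
        if rec is None:
            return False
        salt, pin_hash, serial, last_step = rec
        knows = hmac.compare_digest(_pin_hash(pin, salt), pin_hash)
        # Accept the current or previous minute to tolerate clock drift,
        # but never a time step that was already used (replay).
        for t in (now, now - STEP):
            step = t // STEP
            expected = token_code(self.seeds[serial], t).encode()
            if knows and step > last_step and hmac.compare_digest(expected, code.encode()):
                rec[3] = step
                return True
        return False
```

Someone holding only a seed can compute codes, but `verify` still needs the account that seed's serial is bound to and that account's PIN.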



More information about the ukcrypto mailing list