Is Barclay's Pinsentry part of RSA SecureID - and compromised?

Ian Batten igb at batten.eu.org
Mon Mar 28 21:27:41 BST 2011


On 28 Mar 2011, at 13:22, John Lamb wrote:
>
> If an attacker had all the seeds issued to an organisation, then they
> could identify your token by capturing the current number on your
> SecurID at a known time and comparing it to a generated list of the
> numbers all the issued tokens would have been displaying at that time.

Well, for a large organisation they might need two values to narrow it
right down.  SecurID allows for some clock drift because the tokens
aren't hugely accurate.  One value might only narrow things down to
about one in one thousand (there will be some tokens displaying the
same value, and the clocks are also drifting).  Two values gets you
about one in a million.

ian
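
The narrowing discussed in this message, as an added simulation that is not part of the original post: it counts how many tokens in a constructed population remain consistent with one and then two displayed values once a drift window is allowed. The code function is a stand-in (truncated HMAC-SHA256), not the SecurID algorithm, and the digit count, drift window and population size are assumptions, so the ratios it prints depend on those choices.

```python
import hashlib
import hmac
import random

DIGITS = 6        # assumed number of displayed digits
DRIFT_STEPS = 5   # assumed drift tolerance: +/- 5 code intervals

def code(seed: bytes, interval: int) -> int:
    """Stand-in code function (truncated HMAC-SHA256), NOT the SecurID algorithm."""
    mac = hmac.digest(seed, interval.to_bytes(8, "big"), "sha256")
    return int.from_bytes(mac[:8], "big") % 10**DIGITS

def consistent(seed: bytes, observations) -> bool:
    """True if a single clock offset inside the drift window explains every observation."""
    return any(all(code(seed, t + off) == shown for t, shown in observations)
               for off in range(-DRIFT_STEPS, DRIFT_STEPS + 1))

def expected_false_matches(n_tokens: int, n_obs: int) -> float:
    """Upper estimate of how many other tokens match purely by chance."""
    window = 2 * DRIFT_STEPS + 1
    return (n_tokens - 1) * window / 10 ** (DIGITS * n_obs)

def simulate(n_tokens: int, n_obs: int, rng: random.Random):
    """Constructed population: random seeds, each token with its own clock offset."""
    seeds = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_tokens)]
    offsets = [rng.randint(-DRIFT_STEPS, DRIFT_STEPS) for _ in range(n_tokens)]
    target = rng.randrange(n_tokens)
    times = [1000 + 10 * k for k in range(n_obs)]   # intervals at which values were seen
    obs = [(t, code(seeds[target], t + offsets[target])) for t in times]
    matches = [i for i, s in enumerate(seeds) if consistent(s, obs)]
    return target, matches

if __name__ == "__main__":
    for n_obs in (1, 2):
        target, matches = simulate(200_000, n_obs, random.Random(2011))
        print(f"{n_obs} value(s): {len(matches)} candidate token(s), "
              f"expected chance matches ~{expected_false_matches(200_000, n_obs):.6f}")
```
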
