On Fri, Aug 29, 2008 at 01:29:15AM -0700, SJS wrote:
> begin quoting David Brown as of Fri, Aug 29, 2008 at 12:04:50AM -0700:
> > On Thu, Aug 28, 2008 at 11:03:01PM -0700, SJS wrote:
> >
> > > (Plus, there are now "new" attacks on hashing functions, so the
> > > "hash a secret" technique might not last for too much longer. Whee!)
> >
> > The hashes are still secure as long as the attacker doesn't get to
> > choose the secret.
>
> Well, when you have a counter or a timestamp, you've got a
> partially-known plaintext.  I shudder to think about how much
> effort it would take to extract a key with such means...

My point is that people haven't yet found weaknesses against the hash
functions as far as finding an input text that produces a given hash.
This still requires brute force.

If your secret is 64-bits, it requires 2^63 tries on average to find
the secret.  Having the small number as part of it doesn't help any.

Otherwise, all you're saying is just FUD.  You can shudder all you
want, but that isn't an attack.  The hash functions are currently
believed to be secure when used in this manner.

> > The broken hashes aren't useful for signature purposes, since the
> > attack allows two arbitrarily modified documents to produce the same
> > signature.
>
> I lost your point at "since".

The attacks that have been discovered against the hash functions are
very specific, in that they allow an attacker to start with a given
plaintext and modify it in two different ways that both end up
producing the same hash.  This effort has been made trivial for MD5,
but not yet for SHA-1.

The other attack, which is against HMAC, but not against commonly used
hash functions, allows arbitrary messages to be authenticated.  This
requires specific and weak hash functions, and still doesn't reveal
the secret.

My point here is that this attack is completely irrelevant to the
keying model we're discussing.  None of the plaintext can be chosen by
the attacker.  The secret is unknown, and the counter is a well-known
integer.  If you try using the wrong counter, the server will reject
it.

A homebuilt fob would have a significant weakness over the RSA fob,
however, since I doubt we would be able to design something capable of
destroying the secret upon tampering.  I still suggest basing it on a
smartcard, where someone else has already solved many of the security
problems.

David
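The keying model the thread argues about, as an added example that is not code from the KPLUG thread or from either poster: a counter-based "hash a secret" fob and the server check that rejects a wrong counter. The thread does not name a construction, so this assumes HMAC-SHA-1 keyed with the fob's secret over an 8-byte big-endian counter, truncated to six digits (the RFC 4226 HOTP construction, chosen here as one concrete instance); the `look_ahead` window, the `Server` class and the use of the published RFC 4226 test secret as constructed sample input are likewise assumptions of this example.

```python
"""Counter-based one-time code from a shared secret, plus server-side
verification.  Added example for the thread above, not the thread's code.

Assumed construction: HMAC-SHA-1(secret, counter) with HOTP-style
truncation (RFC 4226).  The counter is public; the only unknown to an
attacker is the secret, so guessing it is still a brute-force search of
the secret space regardless of how many (counter, code) pairs are seen.
"""
import hashlib
import hmac
import struct


def fob_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Code a homebuilt fob would display for the given counter."""
    # Counter is a well-known integer; it is NOT attacker-chosen plaintext
    # in the sense the collision attacks need, and it carries no secret.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Server:
    """Holds the shared secret and the next counter it expects from the fob."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0              # next counter value we expect
        self.look_ahead = look_ahead  # assumed tolerance for unused presses

    def verify(self, code: str) -> bool:
        # Accept only the expected counter or a few values after it.  A code
        # for any earlier counter (a replay) or one far ahead is rejected,
        # which is the "wrong counter is rejected" behaviour from the thread.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(fob_code(self.secret, c), code):
                self.counter = c + 1  # a used counter is never accepted again
                return True
        return False


# Constructed sample input: the ASCII secret from the RFC 4226 test vectors,
# so the printed codes can be compared against the published values.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = Server(RFC4226_SECRET)
    for counter in range(4):
        print(counter, fob_code(RFC4226_SECRET, counter))
    first = fob_code(RFC4226_SECRET, 0)
    print("first use:", server.verify(first))   # True
    print("replay:", server.verify(first))      # False: counter 0 is behind
```

With the RFC 4226 secret, counter 0 yields 755224 and counter 1 yields 287082; a replayed code fails because the server's counter has already moved past it, and a code generated with a counter outside the window fails the same way. `hmac.compare_digest` keeps the comparison constant-time, which matters even for six-digit codes once the server is reachable over a network.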


--
KPLUG-List@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
