Sigh... I really don't want to turn this nice quiet list (that I've been a
member of for many years) into a bunch of vendor arguments. It's rude, and
in this case it's almost 100% off-topic. But Vin McLellan has made some
misleading statements (unintentionally, I'm sure), and because this stuff
hangs around forever and is searchable, I need to correct it. Sorry...

> Tony Harminc <[EMAIL PROTECTED]>, an articulate applications 
> developer for Vasco Data Security International (VDSI), 
> offered a list of questions for prospective OTP token buyers. 

I'm glad I come across as articulate, but clearly I'm not articulate enough.
I *thought* my post made clear that I work for Proginet Corporation - not
Vasco. I have never worked or consulted for Vasco, I have no inside
knowledge whatever of their company, and I most certainly do not speak for
them. On a good day I speak for myself, but that's usually as far as it
goes, and that is why I post here under a personal id rather than my
employer's. On those rare occasions when I speak for my employer, I make it
clear.

> Some were reasonable, but all were predictably biased against 
> RSA's portfolio of SecurID devices.

This is simply absurd.

> In Mr. Harminc's list of buyers' concerns, the SecurID's 
> unique capabilities -- the 60-second OTP, viable for only a 
> minute or two -- were cast in negative terms, just because 
> only RSA can provide or support this patented functionality.  

May I gently suggest that re-reading my actual post, rather than some
phantom one, is in order... I said nothing at all about SecurID's "unique
capabilities", let alone cast them in negative terms. I have no idea what
magic patented functionality only RSA can provide, but it seems to me that
the very essence of a time-based token is to provide a One Time Password
(OTP) that is valid only for a short time. Certainly the time-based tokens
from other vendors I have seen work this way, and presumably if this was a
violation of some RSA patent, RSA would be quick to take appropriate action.

> RSA is fair game, and Mr. Harminc was fair enough, I suppose, 
> for a competitive evangelist 

Oh please! I said clearly in my post that our software supports RSA tokens,
as well as those from Vasco and several other vendors. A little Googling
will turn up not only the names of a dozen or so token vendors, but also
competitive analyses for many of them. I am not in the business - personally
or professionally - of badmouthing other companies' products, particularly
when those products don't compete with those of my employer!

> -- but Harminc's comments bring 
> to mind Ben Franklin's famous caution that people in glass 
> houses shouldn't throw stones.

No glass house here (except the one where the CPUs live). And no stones.

> Mr. Harminc's list of questions for prospective RSA customers 
> also did not include one that IT pros might consider 
> critical: "Which OTP hardware token is the most secure, the 
> most robust, the most resistant, against all known attacks?"

I have not evaluated any makes of tokens for these properties, nor am I an
expert in the field. I will leave it to "competitive evangelists" to point
out the outstanding merits of their particular tokens, and disparage those
of others. However it is certainly true that the token properties listed
above by Mr. McLellan are not the only or even the most important ones, or
even critical in all situations. Clearly every installation needs to have a
threat model, and understand the business and technical tradeoffs involved
in addressing it. An excellent reference to the often complex failures and
interactions of security systems is Ross Anderson's magnificent survey
_Security Engineering_ <http://www.cl.cam.ac.uk/~rja14/book.html>. As Anderson
says, "...most security systems don't fail because the protection mechanisms
were weak, but because they weren't used right."
 
> Not all tokens are equal.

Doubtless. As I said, there are competitive analyses out there that are easy
to find, and that address many of the questions a prospective token customer
may have. Let me again suggest that an understanding of a potential vendor's
business model, as well as its technology, can be very helpful in making a
decision. This is true of just about any product or service.

> The Vasco Digipass tokens that Mr. Harminc touts 

Ouch!

> are sold with 
> a projected life-span of somewhere between three and seven 
> years.  Last summer, however, Vasco CEO T. Kendall Hunt told 
> a gathering of security analysts in New York that Vasco has 
> recently discovered that many European banks have decided, 
> instead, to *annually* replace the Vasco Digipass tokens they 
> routinely issue to their business and retail banking 
> customers. See Mr. Hunt's comments in CRN at:
> <http://tinyurl.com/cospv>.

I had never heard of Mr. Hunt, but I went and read the article. In it, Mr.
Hunt says that "most banking organizations using Digipass tokens refresh the
products about every 12 months for improved security". This seems
unremarkable, despite Mr. McLellan's attempt to make it sound like some dark
secret. Organizations that deal with Real Money will have a threat model
quite different from those using tokens to protect other kinds of assets,
particularly when the user base in question is essentially untrained in
security awareness.

> Mr. Hunt offered no explanation for the radical changes in 
> the risk models by which these European financial service 
> firms are now managing their deployment and replacement 
> policies for Vasco's OTP tokens.

My FUD-o-meter is twitching. No one appears to have asked Mr. Hunt to
comment on this, nor is there anything in the article on changes in the risk
models, radical or otherwise.

> Coincidentally, this month the European Commission expects 
> to receive the final report from a major study of 
> Side-Channel Analysis (SCA) and related attacks on physical 
> implementations of crypto on microchips.
> Two years ago, the EC commissioned nine teams of prominent IT 
> researchers -- based at corporate and academic IT research 
> centers across Europe -- to explore the threat that SCA 
> attacks, including DPA and associated threats, posed to 
> cryptographic devices, in particular "smart cards and related 
> micro-chip systems." (See:
> <http://tinyurl.com/7zfaa>.)
> 
> The EC's SCA research project was also tasked to investigate 
> ways in which the risk of SCA attacks might be blocked, 
> avoided, or mitigated by innovative SCA-resistant designs 
> (SCARD) for chip circuits, or changes in enterprise "best 
> practice" policies.
> 
> Personally, I suspect that -- as the reportedly dismal 
> results of the EC's SCA study become more widely known -- the 
> Euro banks' new annual replacement policy for Vasco's tokens 
> may only be the first of the costly adjustments that 
> financial services, and other critical infrastructure 
> industries, may be forced to accept, in order to manage and 
> mitigate operational risks.

Dang! The needle on the FUD-o-meter is completely bent now. And it hasn't
even hit its rated 3-year lifespan.

I ended the last post with "RSA makes quality tokens and software, and using
their products will certainly provide a big security improvement over simple
passwords. But you should also evaluate alternatives and look at the pricing
models and overall architecture very carefully."

I stand by that, and will appreciate not being misquoted.
 
> As I've been repeating for damn near 20 years, old curmudgeon that I
> am: Not all tokens are equal.
> 
> Surete,
>            _Vin
> 
> ------------------------------------------------------------
>    Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>
>          22 Beacon St., Chelsea, MA 02150-2672 USA


Tony Harminc
Proginet Corporation - Toronto Lab
http://www.proginet.com
