1996-08-10 - Re: F2 hash?

Header Data

From: Adam Shostack <adam@homeport.org>
To: vin@shore.net (Vin McLellan)
Message Hash: 3baa1766db02326275d594666c1820336bc07995da8a9e21c2a67c28b9be93bb
Message ID: <199608101729.MAA25805@homeport.org>
Reply To: <v02130503ae313d72ccb8@[206.243.160.206]>
UTC Datetime: 1996-08-10 18:18:23 UTC
Raw Date: Sun, 11 Aug 1996 02:18:23 +0800

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Sun, 11 Aug 1996 02:18:23 +0800
To: vin@shore.net (Vin McLellan)
Subject: Re: F2 hash?
In-Reply-To: <v02130503ae313d72ccb8@[206.243.160.206]>
Message-ID: <199608101729.MAA25805@homeport.org>
MIME-Version: 1.0
Content-Type: text


Vin McLellan wrote:

|         John and I took Mudge out for dinner right after that speech. He
| told us then that he had inadvertently misspoken when he blamed his
| temporary silence on SDTI's lawyers. The real problem, he said, was with
| bullying lawyers from two corporate clients he is now under contract to in
| his day job.

|         Mudge is deeply involved in analyzing the ACE client/server code
| for weakness; he too is also very interested in the F2 algorithm -- which
| he felt involves too much knowable information as input to the hash -- and,
| of course (like Shimomura, the self-styled Threat of the West,) Mudge is
| stolidly pounding away at the SecurID itself to retrieve and cryptoanalyze
| the algorithm that hashes Current Time and the token's secret key to
| generate a SecurID token-code.

|         All the recent effort to bust the decade-old SecurID algorithm and
| the ACE network protocol seem a little anachronistic, of course.  I suppose
| it's kind of a grand salute to an old security warhorse (and SecurIDs are
| still the first line of defense in most Fortune 500 companies.)  There has
| been no formal announcement, but -- as J=FCri suggested -- I think most of
| the ACE/SecurID user community expects that both the network protocol and
| the token's internal algorithm will be upgraded sometime in the very near
| future.  (On a timeline SDTI established several years ago.)  And any new
| ACE protocol will inevitably establish a stateful session for the
| authentication exchange -- which will make the current generation of race
| attacks historical novelties.

	I'm not sure I buy this claim.  The problem of syncronising
multiple geographically seperate servers is tough.  Its actually
easier with challenge-response tokens, since you can simply have
servers issue different challenges when they lose contact.  (Mudge has
a clever similar hack for the current version of securids.)

|         SDTI Engineering (and most likely RSA Labs) have probably been
| banging away at the new design for a long time.  RSA was deeply involved
| with SDTI long before their recent merger;  RSA helped develop the F2 hash
| that is used in the ACE client/server security protocol.  (It's this F2
| hash that "Anonymous" is begging some Cypherpunk to steal,
| reverse-engineer, and publish for everyone to play with.  Bad, bad,
| commercial crypto!  Wouldn't want anyone to make money off strong
| cryptography, would we??)

	No, I (possibly unlike anonymous) want lots of people to make
shitloads of money of strong crypto.  I intend to do so.  But strong
crypto is published crypto, not trade secrets.  SDTI should be in the
business of selling the best code and most sturdy cards to work with
their protocols, which should be publically open to review.  I can't
confirm my attacks without knowing F2*, and without knowing if the
attacks work, I'm reluctant to publish.  So, I think I'll publish
based on what SDTI has published, which may or may not be correct.  (I
have told Mark Warner and Chris McNeil (?) of SDTI about the attacks,
and will discuss their responses.

	*I'm not the one who asked for F2 to be published.  I have
told many people about my attacks, and its concievable that someone
else found the same things.


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume






Thread