Re: About the authenticator
- From: cryptoguy <treifamily@xxxxxxxxx>
- Date: Thu, 4 Feb 2010 16:52:39 -0800 (PST)
On Feb 4, 4:59 pm, chocolatemalt <m...@xxxxxxxxxxxxxx> wrote:
> cryptoguy <treifam...@xxxxxxxxx> wrote:
> > This is actually an area where I am expert. I used to work on SecurID
> > authenticators from RSA Security. SecurID is the industry leader in
> > two factor authentication products. I actually wrote many of the
> > The Blizzard authenticator is from VASCO, a smaller company with an
> > (imho) less sophisticated, but cheaper, product.
> > The main point I'd like to make is that the serial number you type in
> > when registering the authenticator is not related to the key that is
> > actually used to generate the passcode. The key is a long random
> > number, stored inside the authenticator. At the time the authenticator
> > is manufactured, the random key is assigned, as is the serial number.
> > The serial number is stamped on the outside; the key is stored in the
> > device's memory. Knowing just one, you can't derive the other.
> > The serial numbers and their associated keys are also stored in the
> > authentication server used by Blizzard. When you register the
> > authenticator, you send your account name and the serial number of the
> > authenticator. This is stored, and used to look up the key needed to
> > derive your passcode. If the passcode sent in matches the one
> > expected, you are authenticated.
> > Even if the algorithm became known, it wouldn't help an attacker much,
> > since he/she would still have to figure out your key. (Look up
> > 'Kerckhoffs's Principle'.) The key is long enough that a brute force
> > search is impractical.
>
> I assume there's a way to read that key off the authenticator itself?

I can't speak for Vasco products, but no, it would serve no purpose to
have such a backdoor.

> Or does the circuitry only allow a write and is engineered to
> self-destruct (or just erase data) if electronic access is attempted?

I'm restricted in what I can discuss, but there are a lot of defenses
against various types of attack.

> Of course no one is going to do that for a WoW account, but for bigger
> targets like political or enterprise espionage, a PC-based keylogger
> that intercepts the username and passcode along with a hardware reader
> to grab the key off the authenticator, would be enough to create a copy
> of the authenticator and the entire access mechanism.

The passcode is a use-once deal, so that doesn't help. There is no way
to get the key off of tokens I am familiar with without very expensive
effort, destroying the token. This isn't something that can be done
without the owner noticing. The owner would then call the security
office, and get a new token, revoking the old one.
High security systems use not only the number displayed, but a
memorized secret PIN. Stealing the token doesn't get you the PIN. Look
up 'Two Factor Authentication'. Enter more than a small number of
wrong values, and logins with that token are disabled.
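As an added illustration of the flow cryptoguy describes (the serial number is only a lookup handle for a key the server already holds from the manufacturer, passcodes are use-once, a memorized PIN is the second factor, and a few wrong values disable the token), here is a toy Python model. It is not code from the thread, from RSA, VASCO or Blizzard; the HMAC-SHA256-over-counter passcode derivation, the 6-digit display width, the look-ahead window of 5 counters and the lockout threshold of 3 are all assumptions, since the thread names neither vendor's algorithm nor its exact limits.

```python
"""Toy model of the serial / secret-key / server scheme from the thread.

Added example, not the thread's or any vendor's code. Assumed details:
HMAC-SHA256 over an event counter, truncated to 6 digits; server accepts
up to 5 unused counters ahead; 3 wrong values lock the token.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PASSCODE_DIGITS = 6   # assumed display width
MAX_WRONG = 3         # assumed: "more than a small number of wrong values"
LOOKAHEAD = 5         # assumed: unused counters the server will still accept


def derive_passcode(key: bytes, counter: int) -> str:
    """Passcode for one use of the token: MAC(key, counter) truncated to digits (assumed scheme)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 10 ** PASSCODE_DIGITS
    return str(value).zfill(PASSCODE_DIGITS)


class Token:
    """The hardware device: serial stamped on the outside, random key held inside."""

    def __init__(self, serial: str, key: bytes) -> None:
        self.serial = serial      # printed on the case; what the user types at registration
        self._key = key           # never leaves the device
        self._counter = 0

    def press_button(self) -> str:
        """Show the next passcode and advance, so each counter value is displayed once."""
        code = derive_passcode(self._key, self._counter)
        self._counter += 1
        return code


def manufacture(serial: str, key: Optional[bytes] = None) -> Tuple[Token, bytes]:
    """Factory step: pair a serial with an independently chosen random key.

    The factory hands (serial, key) to the server operator as a seed record.
    The serial carries no information about the key; they are assigned separately.
    """
    key = secrets.token_bytes(20) if key is None else key
    return Token(serial, key), key


class AuthServer:
    def __init__(self) -> None:
        self.seeds: Dict[str, bytes] = {}    # serial -> key, loaded from the manufacturer
        self.accounts: Dict[str, dict] = {}  # account name -> binding and per-token state

    def load_seed(self, serial: str, key: bytes) -> None:
        self.seeds[serial] = key

    def register(self, account: str, serial: str, pin: str) -> None:
        """Registration sends only the account name and the serial, never the key."""
        if serial not in self.seeds:
            raise KeyError("unknown serial")
        self.accounts[account] = {"serial": serial, "pin": pin,
                                  "counter": 0, "wrong": 0, "locked": False}

    def verify(self, account: str, pin: str, passcode: str) -> bool:
        rec = self.accounts[account]
        if rec["locked"]:
            return False
        key = self.seeds[rec["serial"]]      # the serial only selects which key to use
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        for c in range(rec["counter"], rec["counter"] + LOOKAHEAD):
            if pin_ok and hmac.compare_digest(derive_passcode(key, c), passcode):
                rec["counter"] = c + 1       # this and all earlier counters are now spent
                rec["wrong"] = 0
                return True
        rec["wrong"] += 1
        if rec["wrong"] >= MAX_WRONG:
            rec["locked"] = True             # token disabled until the security office reissues
        return False


def demo() -> dict:
    """Run the scheme end to end on a constructed token and return the outcomes."""
    token, key = manufacture("SN-0001", key=b"\x01" * 20)   # fixed key so results repeat
    server = AuthServer()
    server.load_seed("SN-0001", key)
    server.register("alice", "SN-0001", pin="4321")

    code = token.press_button()
    out = {"first_use": server.verify("alice", "4321", code)}          # accepted
    out["replay"] = server.verify("alice", "4321", code)              # 1st failure: use-once
    out["wrong_pin"] = server.verify("alice", "0000", token.press_button())   # 2nd failure
    # knowing the serial alone gives no usable passcode                        3rd failure
    out["serial_as_key"] = server.verify("alice", "4321", derive_passcode(b"SN-0001", 0))
    out["locked"] = server.accounts["alice"]["locked"]                # three wrong values
    out["good_code_while_locked"] = server.verify("alice", "4321", token.press_button())
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the secret never travels: registration moves an account name and a serial, and verification recomputes the passcode from the server's own copy of the key. Replay is blocked because the server advances past any accepted counter, the PIN check fails closed even when the displayed number is right, and the third wrong value locks the record so that later correct codes are refused until reissue.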