[1136] in linux-security and linux-alert archive
[linux-security] SecurID White Paper
daemon@ATHENA.MIT.EDU (Peiter Z)
Wed Sep 4 07:53:00 1996
Date: Wed, 4 Sep 1996 11:38:21 -0600 (MDT)
From: Peiter Z <peiterz@secnet.com>
To: linux-security@tarsier.cv.nrao.edu
SecurID Vulnerabilities White-Paper
Due to increased recent interest that has been witnessed on the net
about the SecurID token cards and potential vulnerabilities with their
use, we offer a white paper on some of the vulnerabilities that we believe
have been witnessed and/or speculated upon.
This paper is being put forth into the public domain by Secure Networks
Incorporated and is available at the following URL :
ftp://ftp.secnet.com/pub/papers/securid.ps
Topics dealt with in the paper include:
. Race attacks based upon fixed length responses (still valid even with
the current patch)
. Denial of Service attacks based upon server patches
. Server - Slave separation and replay attacks
. Vulnerabilities in the communications with the ACE Server
. A quick analysis of the communications with the ACE Server
. Problems with out-of-band authentication
We hope this paper provides insight, enlightenment, and is helpful
to the security community in general.
thanks and enjoy,
Secure Networks Inc.