[16326] in bugtraq
Re: swc / ActivCard
daemon@ATHENA.MIT.EDU (John Fulmer)
Mon Aug 21 16:24:04 2000
Message-Id: <39A1588B.77EF04C5@level3.com>
Date: Mon, 21 Aug 2000 10:27:55 -0600
Reply-To: John.Fulmer@LEVEL3.COM
From: John Fulmer <John.Fulmer@LEVEL3.COM>
X-To: aland@STRIKER.OTTAWA.ON.CA
To: BUGTRAQ@SECURITYFOCUS.COM

Alan DeKok wrote:
>
> The ActivCard product uses the industry standard X9.9
> challenge-response algorithm.[1]

Some ActivCard tokens implement a standard X9.9 mode, but most ActivCard
tokens use a proprietary, time- and event-based modification to the X9.9
algorithm to generate their one-time passwords in a synchronous mode.

An overview of what ActivCard does may be found in a white paper at
http://www.activcard.com/activ/services/library/synchronous_authentication.pdf

The time element may be what is introducing the perceived 'limited
randomness' of the token.

> So far as I recall, X9.9 does NOT define a method for calculating a
> series of one-time passwords. It assumes that the challenge is
> a random number. (i.e. generated via a cryptographically strong
> method.)

No, but it is fairly common to do an event-synchronous mode with an
'X9.9' token. Heck, Cryptocard does that.

jf