[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ArcotSign (was Re: Does security depend on hardware?)




At 06:27 AM 9/21/98 -0400, Adam Shostack wrote:
>On Sun, Sep 20, 1998 at 06:45:06PM +0200, Lucky Green wrote:
>| On Sat, 19 Sep 1998, Ryan Lackey wrote:
>| 
>| > 
>| > [from a discussion of tamper-resistant hardware for payment systems
>| > on [email protected], a mailing list dedicated to digital bearer systems,
>
>| o ArcotSignTM technology is a breakthrough that offers smart card tamper
>| resistance in software. Arcot is unique in this regard, and WebFort is the
>| only software-only web access control solution on the market that offers
>| smart card security, with software convenience and cost. [We have now
>| entered deep snake oil territory. Claims that software affords tamper
>| resistance comparable to hardware tokens are either based in dishonesty or 
>| levels of incompetence in league with "just as secure pseudo-ontime
>| pads"].
>| 
>| In summary, based on the technical information provided by Arcot System,
>| the product is a software based authentication system using software based
>| client certificates.
>
>	I have no knowledge of Arcot's systems and can't comment on
>them.  Hoever, there are ways to make software hard o disassmeble
>and/or tamper with.  Given that Arcot is probably going to attack
>smartcards as being easily attacked, 'smartcard level' security is not 
>that high a target, the claim may not be so outlandish.

They're not looking to do tamperproof software.  Their business model can
be best described as: "better than passwords, cheaper than SecurID."

Here's the basic idea:  Strew a million passwords on your hard drive, and
make it impossible to verify which is the correct one offline.  So, someone
who steals the password file off the client cannot run a cracking tool
against the file.

>	Be intestesting to see how fast the code is.  If they're
>embedding certs in complex code that needs to run to sign, then theft
>of the cert may be difficult.

It isn't bad.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com