[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ArcotSign (was Re: Does security depend on hardware?)

To: Adam Shostack <[email protected]>, Lucky Green <[email protected]>, Ryan Lackey <[email protected]>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
From: Bruce Schneier <[email protected]>
Date: Mon, 21 Sep 1998 05:26:40 -0500
Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
In-Reply-To: <[email protected]>
Posted-Date: Mon, 21 Sep 1998 05:30:04 -0500 (CDT)
References: <Pine.BSF.3.96.980920181732.10980B-100000@pakastelohi.cypherpunks.to><[email protected]><Pine.BSF.3.96.980920181732.10980B-100000@pakastelohi.cypherpunks.to>
Sender: [email protected]


At 06:27 AM 9/21/98 -0400, Adam Shostack wrote:
>On Sun, Sep 20, 1998 at 06:45:06PM +0200, Lucky Green wrote:
>| On Sat, 19 Sep 1998, Ryan Lackey wrote:
>| 
>| > 
>| > [from a discussion of tamper-resistant hardware for payment systems
>| > on [email protected], a mailing list dedicated to digital bearer systems,
>
>| o ArcotSignTM technology is a breakthrough that offers smart card tamper
>| resistance in software. Arcot is unique in this regard, and WebFort is the
>| only software-only web access control solution on the market that offers
>| smart card security, with software convenience and cost. [We have now
>| entered deep snake oil territory. Claims that software affords tamper
>| resistance comparable to hardware tokens are either based in dishonesty or 
>| levels of incompetence in league with "just as secure pseudo-ontime
>| pads"].
>| 
>| In summary, based on the technical information provided by Arcot System,
>| the product is a software based authentication system using software based
>| client certificates.
>
>	I have no knowledge of Arcot's systems and can't comment on
>them.  Hoever, there are ways to make software hard o disassmeble
>and/or tamper with.  Given that Arcot is probably going to attack
>smartcards as being easily attacked, 'smartcard level' security is not 
>that high a target, the claim may not be so outlandish.

They're not looking to do tamperproof software.  Their business model can
be best described as: "better than passwords, cheaper than SecurID."

Here's the basic idea:  Strew a million passwords on your hard drive, and
make it impossible to verify which is the correct one offline.  So, someone
who steals the password file off the client cannot run a cracking tool
against the file.

>	Be intestesting to see how fast the code is.  If they're
>embedding certs in complex code that needs to run to sign, then theft
>of the cert may be difficult.

It isn't bad.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

Follow-Ups:
- RE: ArcotSign (was Re: Does security depend on hardware?)
  - From: "Todd S. Glassey" <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: bram <[email protected]>

References:
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Lucky Green <[email protected]>
- ArcotSign (was Re: Does security depend on hardware?)
  - From: Ryan Lackey <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Adam Shostack <[email protected]>

Prev by Date: Re: ArcotSign (was Re: Does security depend on hardware?)
Next by Date: No Subject
Prev by thread: Re: ArcotSign (was Re: Does security depend on hardware?)
Next by thread: RE: ArcotSign (was Re: Does security depend on hardware?)
Index(es):
- Date
- Thread