Re: ArcotSign (was Re: Does security depend on hardware?)
At 06:27 AM 9/21/98 -0400, Adam Shostack wrote:
>On Sun, Sep 20, 1998 at 06:45:06PM +0200, Lucky Green wrote:
>| On Sat, 19 Sep 1998, Ryan Lackey wrote:
>|
>| >
>| > [from a discussion of tamper-resistant hardware for payment systems
>| > on [email protected], a mailing list dedicated to digital bearer systems,
>
>| o ArcotSign(TM) technology is a breakthrough that offers smart card tamper
>| resistance in software. Arcot is unique in this regard, and WebFort is the
>| only software-only web access control solution on the market that offers
>| smart card security, with software convenience and cost. [We have now
>| entered deep snake oil territory. Claims that software affords tamper
>| resistance comparable to hardware tokens are either based in dishonesty or
>| levels of incompetence in league with "just as secure pseudo-one-time
>| pads"].
>|
>| In summary, based on the technical information provided by Arcot System,
>| the product is a software based authentication system using software based
>| client certificates.
>
> I have no knowledge of Arcot's systems and can't comment on
>them. However, there are ways to make software hard to disassemble
>and/or tamper with. Given that Arcot is probably going to attack
>smartcards as being easily attacked, 'smartcard level' security is not
>that high a target, the claim may not be so outlandish.
They're not looking to do tamperproof software. Their business model can
be best described as: "better than passwords, cheaper than SecurID."
Here's the basic idea: Strew a million passwords on your hard drive, and
make it impossible to verify which is the correct one offline. So, someone
who steals the password file off the client cannot run a cracking tool
against the file.
> Be interesting to see how fast the code is. If they're
>embedding certs in complex code that needs to run to sign, then theft
>of the cert may be difficult.
It isn't bad.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
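
Added example, not part of the original message and not Arcot's code: a simplified Python model of the idea described in the reply above, where the stored blob decrypts under every PIN to an equally plausible key, so a guess can only be checked against an online verifier that counts failures. The HMAC challenge-response, the 4-digit PIN, the three-failure lockout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # the protected secret is uniformly random bytes


def pad_from_pin(pin: str, salt: bytes) -> bytes:
    # PIN-derived pad; the iteration count is an illustrative choice
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000, KEY_LEN)


def camouflage(key: bytes, pin: str, salt: bytes) -> bytes:
    # XOR only: no MAC, padding or magic bytes, so nothing confirms a guess
    return bytes(a ^ b for a, b in zip(key, pad_from_pin(pin, salt)))


def uncover(blob: bytes, pin: str, salt: bytes) -> bytes:
    # Same operation; every PIN yields some well-formed 32-byte key
    return camouflage(blob, pin, salt)


class Server:
    """Online verifier: the only place a candidate key can be tested."""

    def __init__(self, key: bytes, max_failures: int = 3):
        self._key, self.failures, self.max_failures = key, 0, max_failures

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.failures >= self.max_failures:
            return False  # account locked, even for the right key
        good = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(good, response):
            self.failures = 0
            return True
        self.failures += 1
        return False


def login(server, blob, salt, pin, challenge) -> bool:
    key = uncover(blob, pin, salt)
    return server.verify(challenge, hmac.new(key, challenge, hashlib.sha256).digest())


def demo():
    salt, key, challenge = os.urandom(16), os.urandom(KEY_LEN), os.urandom(16)
    blob = camouflage(key, "4821", salt)  # constructed sample PIN
    server = Server(key)
    ok = login(server, blob, salt, "4821", challenge)
    wrong = [login(server, blob, salt, p, challenge) for p in ("0000", "1111", "2222")]
    locked = login(server, blob, salt, "4821", challenge)  # lockout reached
    return ok, wrong, locked
```

The property holds only because the key is uniformly random bytes; a key with recognisable structure would give whoever holds the file an offline test for each guess.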