bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: Digipass Go3 Token Dumper (at least for 2006)

from [fcollyer] [Permanent Link][Original]
To: bugtraq@securityfocus.com
Subject: Re: Re: Digipass Go3 Token Dumper (at least for 2006)
From: fcollyer@gmail.com
Date: 25 Nov 2006 15:02:00 -0000
Delivered-to: sp-com-lists@consult.net
Delivered-to: bugtraq-list@securepoint.com
Delivered-to: mailing list bugtraq@securityfocus.com
Delivered-to: moderator for bugtraq@securityfocus.com
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@securityfocus.com; run by ezmlm 
Thanks Hugo!

http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an 
insecure-encryption vulnerability because the device uses an insecure 
single-key encryption algorithm (...)"

That is not the case.
The C++ implementation that I've provided shows exactly the _opposite_!

Its core is 3DES_112(2 64 DES keys used) based.
I believe this was I misunderstanding from the list's guys. Nothing to worry 
seriously about.

I'm glad we have VASCO's clarification. And it seems to me that now the 
community is really free to analyze the truncation/decimalization side of 
Digipass.

Is it secure? Is it the best VASCO could've come with? And the key derivation 
process?...

Best regards,

Felipe Collyer
(a.k.a. faypou)
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Free tool for pattern identification (for researchers), Gary Golomb
Next by Date:  Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Previous by Thread:  Re: Digipass Go3 Token Dumper (at least for 2006), Hugo van der Kooij
Next by Thread:  ZDI-06-038: Citrix MetaFrame IMA Management Module Remote Heap Overflow, zdi-disclosures
Indexes:  [Date] [Thread] [Top] [All Lists]