| To: | <eladexposed@gmail.com>, <pen-test@securityfocus.com> |
|---|---|
| Subject: | Re: Hardware/software secureIDs - pros and cons. |
| From: | "Carl-Johan Bostorp" <carl-johan.bostorp@hps.se> |
| Date: | Fri, 29 Jun 2007 09:37:44 +0200 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | pentest-list2@consult.net |
| Delivered-to: | mailing list pen-test@securityfocus.com |
| Delivered-to: | moderator for pen-test@securityfocus.com |
| List-help: | <mailto:pen-test-help@securityfocus.com> |
| List-id: | <pen-test.list-id.securityfocus.com> |
| List-post: | <mailto:pen-test@securityfocus.com> |
| List-subscribe: | <mailto:pen-test-subscribe@securityfocus.com> |
| List-unsubscribe: | <mailto:pen-test-unsubscribe@securityfocus.com> |
| Mailing-list: | contact pen-test-help@securityfocus.com; run by ezmlm |
| References: | <20070628132640.17426.qmail@securityfocus.com> |
| Resent-date: | Fri, 29 Jun 2007 09:15:15 -0600 (MDT) |
| Resent-from: | pen-test-return-1078484505@securityfocus.com |
| Resent-message-id: | <20070629151515.CC5501437D5@outgoing2.securityfocus.com> |
| Resent-sender: | listbounce@securityfocus.com |
| Sender: | listbounce@securityfocus.com |
| Thread-index: | Ace5yLXxmX8oGFnZQ/2x/o1WyM10kwAVU6Tw |
| Thread-topic: | Re: Hardware/software secureIDs - pros and cons. |
> What are the pros and cons for using hardware RSA SecureID/Other and > software with the same characteristics? Main argument for using hardware: Security. There's no feasible way for an attacker to get the seed value. If it's software, then compromised machine => compromised seed value => attacker can login whenever he/she choose to. A con would be that the token can be forgotten or lost, whereas if it's software then depending on where you have it (PC, cell phone) you'll always have it available. If the device with the software crashes, you can always just install it elsewhere and enter the seed value again. I also believe the price favors the use of software. Another option to discuss is whether it's perceived as easier by the end-user with a physical token or a software installation. This might depend on where the software is installed. If it's a browser toolbar and you're logging on to a web site, then I guess that's pretty nice. But if it's installed on a cell phone or PDA, a physical token would probably be perceived as easier since the numbers are readily available without any extra steps. Greets, CJ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/wf-spi ------------------------------------------------------------------------ |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: Hardware/software secureIDs - pros and cons., AdityaK |
|---|---|
| Next by Date: | RE: Hardware/software secureIDs - pros and cons., Levenglick, Jeff |
| Previous by Thread: | Re: Hardware/software secureIDs - pros and cons., AdityaK |
| Next by Thread: | Re: Hardware/software secureIDs - pros and cons., Sam Rakowski |
| Indexes: | [Date] [Thread] [Top] [All Lists] |