Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Hardware/software secureIDs - pros and cons.

from [Sam Rakowski] Network Security [Permanent Link]
Subject: Re: Hardware/software secureIDs - pros and cons.
Date: Fri, 29 Jun 2007 12:18:37 -0400 
I think hardware is better because there are many precautions you can
take to stop hardware from being reverse-engineered, but with software
it's just compiled code, right? Wouldn't it be easier to find the seed
out?

On 6/29/07, Carl-Johan Bostorp <carl-johan.bostorp@hps.se> wrote: 
> What are the pros and cons for using hardware RSA SecureID/Other and
> software with the same characteristics?

Main argument for using hardware: Security. There's no feasible way for
an attacker to get the seed value. If it's software, then compromised
machine => compromised seed value => attacker can login whenever he/she
choose to.

A con would be that the token can be forgotten or lost, whereas if it's
software then depending on where you have it (PC, cell phone) you'll
always have it available. If the device with the software crashes, you
can always just install it elsewhere and enter the seed value again.

I also believe the price favors the use of software.

Another option to discuss is whether it's perceived as easier by the
end-user with a physical token or a software installation. This might
depend on where the software is installed. If it's a browser toolbar and
you're logging on to a web site, then I guess that's pretty nice. But if
it's installed on a cell phone or PDA, a physical token would probably
be perceived as easier since the numbers are readily available without
any extra steps.

Greets,
CJ

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------




--
-
/dev/null
We are the Pentium of Borg. Division is futile. You will be approximated.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Google Developer's kit ?, AdamT
Next by Date:  Re: Hardware/software secureIDs - pros and cons., AdityaK
Previous by Thread:  Re: Hardware/software secureIDs - pros and cons., Carl-Johan Bostorp
Next by Thread:  RE: Hardware/software secureIDs - pros and cons., Levenglick, Jeff
Indexes:  [Date] [Thread] [Top] [All Lists]