SecurID compromise and programmable OTP tokens

As some will know, it’s been reported today that RSA SecurID have been compromised in undisclosed ways. I don’t use them as I prefer the open-standard Feitian tokens via Gooze, but even then if Feitian or Gooze were compromised, the Bad Guys would know which tokens I had. (Even if they did not know what systems they were each for – I believe that to avoid this, Gooze at least destroy the keys after sending them to you.)

I think Cryptocard provide the ability to reprogram tokens, but I do not have any myself and I believe it’s a commercial rather than open-standards system.

So, does anyone know of a source of reprogrammable open standard security tokens so that I am the only one that knows the secret keys? If not, anyone fancy designing and selling some?
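What "only I know the secret key" means for an open-standard (OATH) token, as an added example that is not code from this post: the seed is generated locally, and the token and the verifier then derive codes from it using RFC 4226 (HOTP, event-based) or RFC 6238 (TOTP, time-based). The function names are assumptions made for illustration, and writing the seed into a particular token depends on that vendor's tool and is not shown.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Published test secret from RFC 4226 Appendix D (never use it for a real token).
RFC_SEED = b"12345678901234567890"


def generate_seed(nbytes=20):
    """Create the shared secret locally with the OS CSPRNG.
    20 bytes is 160 bits, the length RFC 4226 recommends."""
    return secrets.token_bytes(nbytes)


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, now=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    if now is None:
        now = time.time()
    return hotp(seed, int(now) // step, digits)


def verify_hotp(seed, submitted, server_counter, window=5):
    """Verifier side. Accept a code within a look-ahead window and return the next
    counter to store, or None. Storing the returned counter is what rejects replays."""
    for counter in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(seed, counter).encode(), submitted.encode()):
            return counter + 1
    return None


if __name__ == "__main__":
    seed = generate_seed()                       # exists only where you put it
    print("token  :", hotp(seed, 0))
    print("server :", verify_hotp(seed, hotp(seed, 0), 0))
    # The verifier computes codes from the very same seed, so anyone who holds a
    # copy (vendor, reseller, relying party) can generate valid codes too.
    print("RFC 4226 vector, counter 0:", hotp(RFC_SEED, 0))
```
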

9 comments

    1. It’s useful, although lack of PAM support in some software I use is an issue. (Mostly VPNs) I’d prefer the TOTP version so I can use the same key on multiple systems but I’m in the same situation as you – I’m using the c100.

      A way of allowing someone a public key to authenticate you without needing to give them a private key that can be used to generate passwords too would be handy. That’s a limitation of the standard though, not the hardware.

    1. You mean software-wise or service-wise? You’d have to give the provider your secret key to do it, which means you could only use that token for OpenID.

      (I should get my OpenID working on this blog really, rather than via LJ… never had the time!)

    1. Battle.net do this for World of Warcraft and the like – largely because hard-to-get items can get nicked and sold for real-world money otherwise if your account is compromised.

      But that’s just one service, not many.

  1. We are playing with Yubikeys which (once you strip away the server component) are completely transparent in operation, easy to reprogram and enter their OTPs by emulating a USB keyboard. The OTP scheme is a little bit simple (no clock onboard, just a counter) but it’s better than a static password and they’re quite cheap.

      1. Ah, so my preferred solution (crypto-stick.org) is also no use. (I’m currently trying to patch GPG to use their full 4096-bit capacity rather than the current limit of 3072 bits, which is only because of a silly line-length limit in an IPC protocol…)

        Perhaps ask Daniel Silverstone, he of entropykey.co.uk. He seemed receptive to a vaguely similar idea for new hardware recently.
