I will be VERY interested to see how Blizzard handles this. Although they're more using tokens to avoid keylogger attacks than any sort of real physical security.
It's unlikely they'll do anything, as the one that Blizzard uses works differently. It's just a time-sensitive generated number code, not a communications cypher.
If they get *physical* access to the token generator, they have compromised it because at that point all they need to do is write down the serial # on the back of it and they have the key.
The code generation code is well known for the authenticator that is used by Blizzard. Given a device's serial # and a reasonably accurate idea of what time it is, generate a key to hand to the server to prove who you are.
The whole point of the Blizzard authenticator is to require a physical object, in this case the authenticator, to prove who you are. Nothing more, nothing less. The RSA device serves a completely different purpose.
The real problem is that given physical access to a security device, you are not *guaranteed* of its security anymore.
(no subject)
Date: 2012-06-28 05:33 am (UTC)
(no subject)
Date: 2012-06-28 06:24 am (UTC)
(no subject)
Date: 2012-06-28 11:53 am (UTC)
(no subject)
Date: 2012-06-28 12:11 pm (UTC)
(no subject)
Date: 2012-06-28 06:50 pm (UTC)
(no subject)
Date: 2012-06-28 07:43 pm (UTC)
(no subject)
Date: 2012-06-29 03:59 am (UTC)
Blizzard's authenticator is from Vasco.