Re: Hardware/software secureIDs - pros and cons.

From: Sam Rakowski (masterakowski@gmail.com)
Date: Fri Jun 29 2007 - 12:18:37 EDT


I think hardware is better because there are many precautions you can
take to stop hardware from being reverse-engineered, but with software
it's just compiled code, right? Wouldn't it be easier to find the seed
out?

On 6/29/07, Carl-Johan Bostorp <carl-johan.bostorp@hps.se> wrote:
> > What are the pros and cons for using hardware RSA SecurID/Other and
> > software with the same characteristics?
>
> Main argument for using hardware: Security. There's no feasible way for
> an attacker to get the seed value. If it's software, then compromised
> machine => compromised seed value => attacker can log in whenever he/she
> chooses to.
>
> A con would be that the token can be forgotten or lost, whereas if it's
> software then depending on where you have it (PC, cell phone) you'll
> always have it available. If the device with the software crashes, you
> can always just install it elsewhere and enter the seed value again.
>
> I also believe the price favors the use of software.
>
> Another option to discuss is whether it's perceived as easier by the
> end-user with a physical token or a software installation. This might
> depend on where the software is installed. If it's a browser toolbar and
> you're logging on to a web site, then I guess that's pretty nice. But if
> it's installed on a cell phone or PDA, a physical token would probably
> be perceived as easier since the numbers are readily available without
> any extra steps.
>
> Greets,
> CJ

-- 
-
/dev/null
We are the Pentium of Borg. Division is futile. You will be approximated.
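
Added example, not part of the original thread: why the seed is the one secret both posts are arguing about. SecurID's own algorithm is not given in the thread, so this uses the open RFC 6238 TOTP scheme as a stand-in; the function names and the "reissued" seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the RFC 6238 default


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on seed and time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Server-side check; adjacent time steps are accepted to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(seed, now + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def demo() -> dict:
    enrolled_seed = b"12345678901234567890"      # RFC 6238 test seed
    copied_seed = bytes(enrolled_seed)           # same bytes, read off a compromised host
    reissued_seed = b"constructed-new-seed-01"   # constructed: seed after re-provisioning
    now = 59                                     # RFC 6238 test time
    code_from_copy = totp(copied_seed, now)
    return {
        # The copy is indistinguishable from the real token.
        "copy_matches_token": code_from_copy == totp(enrolled_seed, now),
        "copy_accepted_before_reissue": server_accepts(enrolled_seed, code_from_copy, now),
        # Re-provisioning the account with a fresh seed is what invalidates the copy.
        "copy_accepted_after_reissue": server_accepts(reissued_seed, code_from_copy, now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing in the code value ties it to a device, which is why a copied software seed can only be answered by reissuing the seed, while a hardware token keeps the seed from being read out in the first place.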


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT