Re: Re: Digipass Go3 Token Dumper (at least for 2006)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Digipass Go3 Token Dumper (at least for 2006)
From: fcollyer@xxxxxxxxx
Date: 25 Nov 2006 15:02:00 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Thanks Hugo!

http://www.securityfocus.com/bid/21040 says: "(...)Digipass Go3 is prone to an 
insecure-encryption vulnerability because the device uses an insecure 
single-key encryption algorithm (...)"

That is not the case.
The C++ implementation that I've provided shows exactly the _opposite_!

Its core is 3DES_112(2 64 DES keys used) based.
I believe this was I misunderstanding from the list's guys. Nothing to worry 
seriously about.

I'm glad we have VASCO's clarification. And it seems to me that now the 
community is really free to analyze the truncation/decimalization side of 
Digipass.

Is it secure? Is it the best VASCO could've come with? And the key derivation 
process?...

Best regards,

Felipe Collyer
(a.k.a. faypou)

Prev by Date: Free tool for pattern identification (for researchers)
Next by Date: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Previous by thread: Re: Digipass Go3 Token Dumper (at least for 2006)
Next by thread: Phpjobscheduler 3.0 - Multiple Remote File Include
Index(es):
- Date
- Thread