Controversy: Rejoinder: Independent One-Time Passwords

Security Dynamics In order for Computing Systems to remain a "Quarterly dedicated to the analysis and understanding of advanced computing systems," it is necessary to make the following clarification regarding an article in the V/inter 1996 issue (Volume 9, Number 1). The article in question was entitled "Independent One-Time Passwords," and authored by Aviel D. Rubin of Bellcore. In this article, Rubin compares two dissimilar technologies used to create one-time passwords. One product, which comes from Rubin's own Bellcore, is the S/KEY software authentication system. The other product is the SecurID token from Security Dynamics. Rubin is misleading when he states that "One way to defeat it [SecurID] is to break the secret algorithm to predict the next number that will be displayed" lp. 171. This makes it sound as if simply knowing the algorithm and observing a few displayed numbers allows an attacker to predict the next number. This is not the case; predicting the sequence of numbers for a given token requires knowledge of both the algorithm and the token's unique, 64-bit, seed number, which is contained in protected storage on the token. Attacking the SecurID algorithm without knowledge of the secret seed value seems implausible. The algorithm has been analyzed by several noted cryptana-lysts and they have discovered no such attack. They also estimate that such an attack, if possible, would require observation of a sequence of many thousands, if not millions, of displayed numbers. Given that the typical token only displays one number per minute, no attacker will plausibly have access to such a Large sequence.