++ed by:
John Pliam

NAME

Crypt::SecurID - Generate and verify SecurID time hash codes

SYNOPSIS

  use Crypt::SecurID;

  # create a token object tied to a 64-bit hex string key
  $token = Crypt::SecurID->new(hexkey => "0123456789abcdef"); 
  # equivalently
  $token = Crypt::SecurID->new; 
  $token->setKey("0123456789abcdef") || die $token->error;

  # create a token object tied to key in import file w/ serial number
  $token = Crypt::SecurID->new(file => $file, serial => $serial); 
  # equivalently
  $token = Crypt::SecurID->new; $token->importToken($file, $serial);

  # print a hash code value
  print $token->code(time);
  # equivalently
  print $token->codeNow;

  # verify a hash code value, print drift
  die "Code invalid" unless $token->validate($code, $days_tolerance);
  printf("Code ok, drift = %d minutes\n", $token->drift);

  # export a token to a file
  unless ($token->exportToken($file, $serial)) { die $token->error; }

DESCRIPTION

Crypt::SecurID is an emulator module for generating and verifying SecurID time-hash codes. Such codes are often useful during identity authentication, especially when the code is generated out-of-band so that the 64-bit secret key is never on any client machine.

Considerable speculation about the weakness of the hash algorithm has been put forth. AFAIK, it is still an open problem to determine how many distinct codes are necessary to recover the secret key.

OTOH, for one-sided authentication models (like SSL), even a weak time hash based on a shared secret may provide a desirable extra layer of security.

This module is provided for purposes of discussion and/or prototyping. If you need a real ACE server, buy one.

AUTHORS

John Pliam <pliam@cpan.org> -- C++ wrappers, Perl module.

I. C. Wiener <icwiener@mailru.com>? -- C code.

SEE ALSO

Mudge, Kingpin, "Initial Cryptanalysis of the RSA SecurID Algorithm", Jan 2001.

http://www.ima.umn.edu/~pliam/lepgen/ The home page for the Low-Entropy Password Generator (LEP-Gen), an open source hardware token for Linux palmtops, which includes a SecurID mode.

BUGS

This has never been tested against a working card or ACE server, to which I have no access. Furthermore, I tried, but not too hard, to reverse engineer the file format for importToken and exportToken methods from Wiener's code. At this stage, I have no idea how close I got to the real thing.




Hosting generously
sponsored by Bytemark