Monday, October 15, 2007

2factor's RPM: is it secure?

Network World just published a list of "10 IT Security Companies to watch".
The first company 2Factor claims to improve security by provinding a "secure applet" that continuously generates new keys for each transaction. The hypothesis is that "This session of the browser is completely controlled by the SecureWeb® software, eliminating the threat of hacking attacks". The assumption is probably that a new applet will avoid vulnerabilities in the browser and hence will be secure. However, this applet is only as secure as the hardware and OS it is running on. How does this scheme protect against rootkit based Trojans? How difficult is it to "hijack" the icon that it creates? ["Online customers perform a one-time download of a small file that places a bank-branded icon on their computer desktop. "] and replace it with a Trojan that invokes the applet in a sandbox and has access to all its state? How is the process of downloading this applet secured? Until I have answers to these question, I would be wary of this technology.
This technology may be useful for improving performance compared to SSL-PKI if it has a equally good way(or better) of generating keys which is faster. However, since crypto-accelerator hardware is so mature these days I doubt if the "performance story" alone would make this startup fly. Maybe the founders felt the same and that is why they cooked up the "security story" I criticized above. 2factor also claims "the advent of quantum computers will render current technology useless, RPM's underdetermined system of equations is PROVABLY secure". I don't think quantum computers are arriving anytime soon, but I would love to know if RPM has been evaluated by cryptographers against the claim of being provably secure.
2factor does have an "easier story" and that might indeed be a valuable advantage.



Add to Technorati Favorites
Add to Technorati Favorites
Add to Technorati Favorites