It was July 2000, and one could imagine the product manager’s frustration when he learned the news. A hacker, going by the handle “Kingpin,” had found a vulnerability in the iKey® 1000*. Furthermore, @Stake, a company associated with Kingpin, was planning to go public with this information by publishing a security advisory. The iKey® 1000 was poised to be a great success, and the last thing the Rainbow Technologies** product manager needed was to have his information security device branded as “insecure.”
Fortunately, there was time to act. @Stake had given Rainbow a grace period, just enough time to admit that @Stake had found something significant and to promise Rainbow’s customers that some necessary changes would be coming. So, when @Stake released the advisory, describing the attack in sufficient detail for hackers to reproduce it, they also expressed admiration for Rainbow’s professionalism and responsiveness.
This was a consolation for Rainbow Technologies. Of course, they would have looked better if @Stake had not found the vulnerability.
The iKey® 1000 was designed to store passwords and private keys for authentication purposes, thus providing a means of two-factor authentication. The first factor (something you have) was the iKey® 1000, and the second factor (something you know) was a user password. To access the passwords and private keys stored in the device, the user would provide the user password, and the iKey® 1000 would then provide access to the private keys or other passwords stored within it. There was also a master password that could be used to access all of the iKey® 1000’s stored secrets.
* iKey® is a registered trademark of Safenet.
** In 2004, SafeNet merged with Rainbow Technologies.
To be continued in “Controlling Your Interfaces (Part 2)”