RE: SecureID in place of passphrase
From: Chris Macneill (temp_at_eguesswork.co.uk)
To: "'John Brightwell'" <email@example.com>, <firstname.lastname@example.org>
Date: Thu, 29 May 2003 19:36:03 +0100
The private key is generally encrypted using the passphrase; therefore the
passphrase needs to be a static entity. A SecurID PASSCODE is dynamic,
changing in some multiple of 30 seconds, usually every 60 seconds, so on
first inspection it would appear difficult to use SecurID to protect the
However, there is a method whereby protection of the private key by SecurID
could be implemented. If the front end for the access to the private key
were replaced with custom code that initially uses SecurID authentication,
the ACE/Server could be made to pass back the private key from its database.
Communications to/from ACE/Server are over a secure protocol. There are at
least three ways this integration could be achieved:
1. The simplest method is to store the private key in the ACE/Server
database as an unencrypted string. However, anyone with administrator access
to the ACE/Server database could potentially recover the private keys. Not
good! This option is fairly easy to implement, but not very secure. The time
required for development would probably be in the order of 2 to 3 man weeks.
2. A more secure method would be to store all private keys encrypted with a
single common passphrase, only known to someone with access to the source
code. However, anyone with administrator access to ACE/Server could retrieve
the keys and perform a brute force attack. This option is fairly easy to
implement and more secure than option 1. The time required for development
would probably be in the order of 2 to 3 man weeks.
3. Alternatively the private key could be encrypted using the user's SecurID
PIN. This is more secure, but would require a custom method for PIN change
as the user's private key would need to be re-encrypted each time the PIN
was changed. This option is very secure, but would require considerable
development effort to achieve. The time required for development would
probably be in the order of 3 to 8 man weeks, depending on the interface
method required for changing PINs.
Another issue to consider is that if you are trying to allow a user to access
multiple systems whilst only authenticating with SecurID once, you would
have to cache the decrypted passphrase for some period of time, and it would
thus be open to attack. A better approach may be to require SecurID-
authenticated access to a gateway system and then use Kerberos to
authenticate users between the gateway and target systems.
I used to work for RSA Security and have over 12 years' experience of
integrating SecurID authentication with many third-party products and have
some 3 years' experience of integrating SecurID with OpenSSH.
The development times quoted are a rough estimate for a developer with good
knowledge of ACE/Agent Authentication and ACE/Server Database APIs,
knowledge of OpenSSH and general principles of encryption.
The development times quoted assume only one flavour of UNIX is involved for
both the SSH client system and ACE/Server; development on MS Windows or multiple
flavours of UNIX would probably increase development times.
From: John Brightwell [mailto:email@example.com]
Sent: 29 May 2003 14:35
Subject: SecureID in place of passphrase
Do you know whether it's possible to use SecureID to
gain access to the private key, in place of a
It may seem like an odd request - I realise that the
authentication to the server can be by SecureID
instead of via private key (and that would be a more
secure solution ... probably)
I would like our admins to be able to swap between
machines transparently (using ssh-agent) but I want to
be absolutely sure that it is they who originally
unlock the key ... so I'd like to use two factor
authentication rather than a passphrase to access the
key that is used by ssh-agent.
If I authenticate to the server(s) using SecureID then
they have to use it every time they move to a new
I suppose that I can require that the machine that
they use as a client requires SecureID for
authentication, which isn't quite as good .... but if
you know how to authenticate access to the key with
SecureID that'll be great.
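The key-release design sketched in the reply above (option 3: the private key stored encrypted under the user's SecurID PIN, handed back only after PASSCODE authentication, and re-encrypted whenever the PIN changes), as an added example that is not code from the thread, from RSA's ACE/Server or from OpenSSH. The proprietary pieces are replaced by labelled stand-ins: the tokencode is a TOTP-style HMAC code with a 60-second step, the PASSCODE is the PIN followed by the tokencode as with SecurID, and the encryption is an HMAC-SHA256 encrypt-then-MAC construction used only so the script runs on the Python standard library (a real implementation would use AES-GCM or similar). The user name, PIN, token seed and key material are constructed.

```python
"""Added example (not code from the thread, RSA or OpenSSH): a mock of option 3,
a server that releases a user's private key only after a SecurID-style PASSCODE
check, with the key stored encrypted under the user's PIN.  Stand-ins: a
TOTP-style HMAC tokencode with a 60 s step (the real SecurID algorithm is
proprietary); PASSCODE = PIN + tokencode; HMAC-SHA256 encrypt-then-MAC instead
of AES-GCM so that only the standard library is needed."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60        # tokencode lifetime
CODE_DIGITS = 6
PBKDF2_ITERS = 100_000   # slows brute force of a short PIN against a stolen record

def tokencode(seed: bytes, now: int) -> str:
    """TOTP-style code for the 60 s slot containing `now` (stand-in for SecurID)."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP_SECONDS), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

def derive_keys(pin: str, salt: bytes) -> tuple:
    """PIN -> (encryption key, MAC key); the server never stores the PIN itself."""
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERS, dklen=64)
    return okm[:32], okm[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a counter-mode HMAC-SHA256 keystream (toy cipher, see docstring)."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(pin: str, salt: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag makes a wrong PIN detectable."""
    enc_key, mac_key = derive_keys(pin, salt)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(pin: str, salt: bytes, blob: bytes):
    """Return the plaintext, or None if the PIN is wrong or the record was altered."""
    enc_key, mac_key = derive_keys(pin, salt)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _xor_stream(enc_key, nonce, ct)

class KeyReleaseServer:
    """Per-user record: token seed, KDF salt, sealed private key, last slot used."""
    def __init__(self):
        self.users = {}

    def enroll(self, user: str, pin: str, seed: bytes, private_key: bytes):
        salt = os.urandom(16)
        self.users[user] = {"seed": seed, "salt": salt,
                            "blob": seal(pin, salt, private_key), "last_slot": -1}

    def authenticate(self, user: str, passcode: str, now: int):
        """Return the private key, or None.  Accepts the current slot and one either
        side for clock drift; each slot is accepted once only (replay protection)."""
        rec = self.users.get(user)
        if rec is None or len(passcode) <= CODE_DIGITS:
            return None
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        slot = now // STEP_SECONDS
        for candidate in (slot, slot - 1, slot + 1):
            if candidate <= rec["last_slot"]:
                continue
            if hmac.compare_digest(code, tokencode(rec["seed"], candidate * STEP_SECONDS)):
                key = unseal(pin, rec["salt"], rec["blob"])
                if key is not None:
                    rec["last_slot"] = candidate
                return key
        return None

    def change_pin(self, user: str, passcode: str, new_pin: str, now: int) -> bool:
        """Option 3's extra work: prove token + old PIN, then reseal under the new PIN."""
        key = self.authenticate(user, passcode, now)
        if key is None:
            return False
        rec = self.users[user]
        rec["salt"] = os.urandom(16)
        rec["blob"] = seal(new_pin, rec["salt"], key)
        return True

def demo() -> dict:
    """Scripted exchange on constructed data; every value should be True."""
    server = KeyReleaseServer()
    seed = b"constructed-token-seed-0001"   # constructed, not a real token seed
    key = b"-----BEGIN EXAMPLE KEY-----\nnot a real key\n-----END EXAMPLE KEY-----\n"
    t0 = 1_054_233_363                      # 29 May 2003 18:36:03 UTC, the reply's timestamp
    server.enroll("jbright", "2468", seed, key)
    good = "2468" + tokencode(seed, t0)
    return {
        "correct_passcode": server.authenticate("jbright", good, t0) == key,
        "replay_rejected": server.authenticate("jbright", good, t0 + 5) is None,
        "wrong_pin": server.authenticate("jbright", "1111" + tokencode(seed, t0 + 120), t0 + 120) is None,
        "pin_changed": server.change_pin("jbright", "2468" + tokencode(seed, t0 + 300), "9753", t0 + 300),
        "old_pin_dead": server.authenticate("jbright", "2468" + tokencode(seed, t0 + 420), t0 + 420) is None,
        "new_pin_works": server.authenticate("jbright", "9753" + tokencode(seed, t0 + 480), t0 + 480) == key,
    }
```

Running demo() walks through enrolment, a good PASSCODE, a replay of the same PASSCODE inside its 60-second window, a correct tokencode with the wrong PIN, a PIN change, and a login with the old and then the new PIN. Two points the reply leaves implicit: the server holds no copy of the PIN, so a wrong PIN simply fails the authenticated decryption, and the last accepted time slot is remembered so the same PASSCODE cannot be replayed. A deployment would add failed-attempt lockout, since with a stolen record only the PIN and the KDF cost protect the key, and with the server online a correct tokencode leaves a short window for PIN guessing.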