Re: RSA SecurID SID800 Token vulnerable by design



On 9/8/06, Hadmut Danisch <hadmut@xxxxxxxxxx> wrote:
Hi,

I recently tested an RSA SecurID SID800 Token
http://www.rsasecurity.com/products/securid/datasheets/SID800_DS_0205.pdf


The token is bundled with some Windows software designed to make the
user's life easier. Interestingly, this software provides a function
which directly copies the current token code into the cut-and-paste
buffer when the token is plugged into USB. This is weak by design.

The security of these tokens is based on what RSA calls "two-factor
user authentication": it takes both a secret (PIN) and the
time-dependent Token-Code to authenticate. The security of the
Token-Code depends on the assumption that the token is resistant
against malware or intruders on the computer used for communication
(web browser, VPN client, ...).

I didn't play with the SID800 token (I just have the SID700 token, which
is practically the same but doesn't have USB capabilities).
I'm not sure how difficult or easy it is to poll the token code off
the device. It would make sense to me that RSA thought of this and
that the communication between the polling application (the RSA
Authenticator Utility) and the token itself is encrypted (for example,
using some public/private encryption). If the RSA Authentication
Utility requires unique identification of the token used (its
serial number, which is related to its seed), then it would be very
difficult to write another polling application for the attack you
described. Not impossible, but difficult, and it would have to be very
targeted because, if the same public/private encryption I mentioned was
used, an attacker would have to extract the public key from the
application in order to decrypt the token.

The easiest way to check what's going on is to use some of the USB
snooping tools which enable you to see what's going on to/from the USB
device - if you still have the token you can try doing this.

This all being said - the token can be used in an offline mode as
well, if the user wants a higher level of security, the same as the SID700.
There will be no "advanced" features and the user will have to type in
the OTP manually, but at least he can be sure that nothing can
compromise the token.

Cheers,

Bojan
