Re: RSA SecureID on Solaris
From: Norman Girard (ngirard@qualys.com)
Date: 04/08/02
- Previous message: Scott Morris: "Re: RSA SecureID on Solaris"
- In reply to: adam morley: "RSA SecureID on Solaris"
- Next in thread: adam morley: "Re: RSA SecureID on Solaris"
- Next in thread: Jonathan A. Zdziarski: "RE: RSA SecureID on Solaris"
- Reply: adam morley: "Re: RSA SecureID on Solaris"
From: Norman Girard <ngirard@qualys.com>
To: adam morley <adam@gmi.com>
Date: 08 Apr 2002 14:20:18 +0200
Hi Adam,
On Sat, 2002-04-06 at 20:46, adam morley wrote:
> Is anyone using these to authenticate users on Solaris? Can they be easily integrated into dtlogin, apache, etc.? Perhaps with pam in some way?
There are many RSA agents to authenticate users. You can connect to
ftp.rsasecurity.com/pub/agents in order to retrieve some of them.
Patrick Asty (http://persoweb.francenet.fr/~pasty/) has developed a
module for apache available at:
http://www.deny-all.com/mod_securid/
>
> Has anyone looked into how "secure" they are? Can one guess the number on the display, perhaps based on the serial on the back?
There's no relation between the seed and the serial number.
The synchronisation between the RSA ACE Server and the token is made by
an algorithm which takes two parameters as input: a seed (64 bits) and the
current time (UCT).
Your tokens are provided with a floppy disk which contains an encrypted
flat file (.asc) you need to import to your ACE Server. The file
contains, for each token, the serial number (which you can find on the back of
the token), the seed and a few other parameters about the token (6 or 8
digits / 30 s, 1 min or 2 min / etc.).
The algorithm was broken in December 2000 but you need to have the
seed in order to generate tokencodes. You can find more information
about this algorithm in:
http://www.atstake.com/research/reports/initial_securid_analysis.pdf.
>
> For those of you who do run them, have you replaced the password with the securid random + pin number? Or done something else?
In fact it depends on the agent and the type of the token.
About token types, there are two kinds of token:
- Standard Credit Card (SD200) and keyfob (SD600) where Tokencode is
provided by the token and Passcode = Pincode + Tokencode
- SecurID PINPAD (SD520) and Software SecurID where Pincode is given to
the Token in order to generate Passcode
As for the types of agents, some of them use securID authentication to
replace the standard authentication method (mainly Web Agents). The
others first use the standard authentication before using the securID
authentication (NetBIOS Shares, Windows login with MSGina, telnetd,
etc.).
Regards,
Norman
>
> thanks,
> adam
--
Norman Girard
Pre-Sales Engineer South of Europe
ngirard@qualys.com
--
Qualys Technologies
10, rue Pergolese 75016 Paris
Tel : +33 (0) 1 44 17 00 60
Fax : +33 (0) 1 44 17 00 63
Mob : +33 (0) 6 20 60 92 20
--
Make Your Network Secure
www.qualys.com
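An added example, not part of the original message and not RSA's code: a server-side check for the scheme described above (shared seed plus current time gives the tokencode, and Passcode = Pincode + Tokencode), with a clock-drift window and replay rejection. The proprietary SecurID function is not reproduced; the RFC 6238 HMAC-SHA1 construction is used as a stand-in, and all function names, the drift window and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

def tokencode(seed: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in generator: HMAC-SHA1 of the time-step counter, truncated to digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def token_display(seed, unix_time, interval=60, digits=6):
    """What the token shows at unix_time for a given display interval (30/60/120 s)."""
    return tokencode(seed, unix_time // interval, digits)

def verify_passcode(seed, pin, passcode, server_time, last_counter=-1,
                    interval=60, digits=6, drift=1):
    """Server-side check of Passcode = Pincode + Tokencode.

    Returns the accepted time-step counter, or None on failure. The caller stores
    the returned counter as last_counter so a captured passcode cannot be reused.
    """
    if len(passcode) != len(pin) + digits:
        return None
    given_pin, given_code = passcode[:len(pin)], passcode[len(pin):]
    # Constant-time comparisons so the check does not leak how many characters matched.
    pin_ok = hmac.compare_digest(given_pin.encode(), pin.encode())
    now = server_time // interval
    # Accept tokens whose clock is up to `drift` intervals ahead of or behind the server.
    for counter in range(max(0, now - drift), now + drift + 1):
        if counter <= last_counter:
            continue  # already used (or older than the last accepted code): replay
        expected = tokencode(seed, counter, digits)
        if hmac.compare_digest(expected.encode(), given_code.encode()) and pin_ok:
            return counter
    return None

if __name__ == "__main__":
    # Constructed sample values: seed, PIN and server time are made up for the demo.
    seed, pin, t = b"constructed-demo-seed", "4321", 1_000_000
    code = token_display(seed, t - 60)  # token clock one interval behind the server
    accepted = verify_passcode(seed, pin, pin + code, t)
    print("accepted counter:", accepted)
    print("replay:", verify_passcode(seed, pin, pin + code, t, last_counter=accepted))
```
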