RE: RSA SecureID on Solaris

From: Jonathan A. Zdziarski (jonathan@networkdweebs.com)
Date: 04/08/02


From: "Jonathan A. Zdziarski" <jonathan@networkdweebs.com>
To: "'adam morley'" <adam@gmi.com>, <focus-sun@securityfocus.com>
Date: Mon, 8 Apr 2002 10:53:25 -0400

I used SecurID on Solaris a few companies ago. The SecurID server can
emulate a radius server, so with the correct modules you can make it
work with pam, apache, etc. Any type of server that requires repeat
authentication may present a problem, however, as when the token code
changes you have to type it in again. I'm sure there are ways around
this, but we never had any major need to find an answer.

The number on the back is merely a serial number; the encryption seeds
associated with that number are locked in a vault at RSA (and on your
floppy) so unless someone gets hold of one there's zero chance of
someone guessing the code from the serial number. RSA doesn't release
much about their algorithm (at least they didn't when we were using it),
but it appears to be either a one-way hash function or a one-time pad.
Since the tokens expire, I'd lean towards one-time pad unless the
expiration is merely a marketing tool.

When configuring SecurID on our systems for shells, we used password +
securid + pin just to make it more secure. You ought to be fine with
just securid + pin for your everyday security, though if someone was to
launch a focused attack, it's much easier to steal someone's pin than it
is their password, which is why we used both. Dusting the user's
numeric pad on their keyboard or watching them through a camera would
make it fairly easy to get someone's PIN.

Personally, I would not use SecurID again, however, as one of the
biggest problems we had with the tool was the 30 or 60 second delay
between token code changes. If you have an outage or are being hacked
and you need to get into 5 machines real fast, you have to wait a minute
in between each machine. Other token systems such as Cryptocard change
every time you use the code, hence no delay.

The only other comment I have about SecurID is that a fair number of
tokens we received from them were broken out of the box and needed to be
returned. I'd say probably 1 out of 10 or 1 out of 15.
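The mail describes the shape of a time-synchronous token: a per-token seed that is never derivable from the serial number, a code that changes every 30 or 60 seconds, a PIN typed in front of it, and a server that will not accept the same code twice. The following added example (mine, not from the mail and not RSA's proprietary SecurID algorithm) uses the public RFC 6238/RFC 4226 construction to show those mechanics; the `TokenServer` class, the 60-second step, and the seed and PIN values are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo of a time-synchronous token in the style of RFC 6238 (TOTP).
# This is NOT RSA's proprietary SecurID algorithm; it only illustrates the
# behaviour the mail describes: a secret seed plus the current time step yields
# a short code that changes every STEP seconds, and the server checks it
# together with the user's PIN and refuses to accept a code a second time.
STEP = 60      # seconds per token code, like the 30/60 s SecurID window
DIGITS = 6     # length of the displayed code


def token_code(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """Derive the code a token would display for the step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Server side: seeds live here (the 'vault'), never on the token's label."""

    def __init__(self) -> None:
        self.users = {}       # user -> (seed, pin)
        self.last_step = {}   # user -> last time step accepted (replay guard)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def authenticate(self, user: str, passcode: str, unix_time: int,
                     skew_steps: int = 1) -> bool:
        """passcode is the PIN followed by the current token code."""
        if user not in self.users:
            return False
        seed, pin = self.users[user]
        if not passcode.startswith(pin):
            return False
        code = passcode[len(pin):].encode()
        now_step = unix_time // STEP
        for delta in range(-skew_steps, skew_steps + 1):      # tolerate clock drift
            step = now_step + delta
            if hmac.compare_digest(code, token_code(seed, step * STEP).encode()):
                if step <= self.last_step.get(user, -1):
                    return False   # code already consumed: wait for the next step
                self.last_step[user] = step
                return True
        return False
```

Logging in to a second machine against the same server inside one step fails the replay guard, which is exactly the "wait a minute between each machine" effect the mail complains about.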
