Re: RSA SecureID on Solaris

From: Crist J. Clark (crist.clark@attbi.com)
Date: 04/09/02


Date: Mon, 8 Apr 2002 22:55:19 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: "Jonathan A. Zdziarski" <jonathan@networkdweebs.com>

On Mon, Apr 08, 2002 at 10:53:25AM -0400, Jonathan A. Zdziarski wrote:
[snip]

> The number on the back is merely a serial number; the encryption seeds
> associated with that number are locked in a vault at RSA (and on your
> floppy)

And on your ACE server, a computer hooked up to a network. =|

Also consider the "soft tokens." Software you run on a notebook, PDA,
or other portable electronic device. These can be easily copied.

> so unless someone gets hold of one there's zero chance of
> someone guessing the code from the serial number. RSA doesn't release
> much about their algorithm (at least they didn't when we were using it),
> but it appears to be either a one-way hash function or a one-time pad.

It's basically a hash. You seem to know you load short keys (seeds)
onto the server. You don't load big one-time pad files for each
token.

> Since the tokens expire, I'd lean towards one-time pad unless the
> expiration is merely a marketing tool.

Bingo!

But actually expiration dates on any authentication material are a Good
Thing(tm). Cards always slip through the cracks. A user loses a token
without realizing it. There is still only a finite window of
vulnerability. Five years from now a baddie who finds the lost token
can't slip through your legacy authentication mechanism that the
administrators don't pay attention to but is kept running for that one
marketing VP who can't figure out how to use the latest-and-greatest
system everyone else is using.

> When configuring SecurID on our systems for shells, we used password +
> securid + pin just to make it more secure. You ought to be fine with
> just securid + pin for your everyday security, though if someone was to
> launch a focused attack, it's much easier to steal someone's pin than it
> is their password, which is why we used both. Dusting the user's
> numeric pad on their keyboard or watching them through a camera would
> make it fairly easy to get someone's PIN.

It's even easier to just look at the little Post-It Note the user put
on the back of the token with both the password and PIN written on
it. ;)

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
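The point made above, that a token needs only a short seed hashed together with the clock rather than a stored one-time pad, and that a hard expiry date on the token closes the window for a lost card, can be shown with the open HOTP/TOTP construction (RFC 4226 / RFC 6238). The following is an added example, not code from the post and not RSA's proprietary SecurID algorithm; `token_code`, `verify`, the `TokenRecord` fields, the 60-second step and the two-year lifetime are assumptions for illustration. The seed `12345678901234567890` and the expected codes 755224 and 287082 are the published RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP_SECONDS = 60  # assumed clock step: one new code per minute


def token_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the step counter, dynamically truncated.

    Only the short seed and the counter go in; nothing the size of a pad is stored
    on either the token or the server.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def counter_at(unix_time: int) -> int:
    """Map wall-clock seconds to the time-step counter the token and server share."""
    return unix_time // STEP_SECONDS


@dataclass
class TokenRecord:
    """What the server keeps per token: serial, seed and a hard expiry (assumed fields)."""
    serial: str
    seed: bytes
    expires_at: int  # unix time after which the token is dead regardless of the code


def verify(record: TokenRecord, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code only if the token is unexpired and the code matches one of the
    2*window+1 steps around the server clock (tolerates modest clock drift)."""
    if unix_time >= record.expires_at:
        return False  # a lost token found years later gets nowhere
    current = counter_at(unix_time)
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(token_code(record.seed, step), code):
            return True
    return False


if __name__ == "__main__":
    # constructed sample: the RFC 4226 test seed, two-year lifetime counted from t=0
    rec = TokenRecord("000123456", b"12345678901234567890", expires_at=2 * 365 * 86400)
    now = 1_000_000
    code = token_code(rec.seed, counter_at(now))
    print("code", code, "accepted:", verify(rec, code, now))
    late = rec.expires_at + 1
    print("fresh code after expiry accepted:", verify(rec, token_code(rec.seed, counter_at(late)), late))
```

The expiry check runs before any code comparison, so a correctly computed code from an expired token is refused outright; the drift window is the server-side policy knob that trades a little extra guessing surface for tolerance of token clocks that have wandered.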
