Re: RSA secureID

From: Vin McLellan (vin_at_theworld.com)
Date: 02/28/04


Date: 28 Feb 2004 00:13:12 -0800

Henghuei queried the newsgroup:

> > I have a secureID token. How can I configure my Windows
> > 2000 to be able to use the secureID token?

        The SecurID is simply a personal authentication token. To use it,
you also need RSA's ACE/SecurID infrastructure, which consists of an
authentication engine, what RSA calls its ACE/Server, and one of
several ACE/Agents, which are code modules which stand guard in front
of various network resources to intercept connection attempts and
demand two-factor authentication: the user's memorized PIN, and the
6-8 digit tokencode that is currently being displayed on the
token-holder's SecurID.

        Rhett Gong of MS referred you to RSA's ACE/Agent for Windows 2000 and
the ISA support docs for installing ACE/SecurID, but that's only the
beginning of your implementation options. RSA, over the past 15 years,
has established partnerships with over 200 vendors, which have
integrated ACE/Agent code in hundreds of commercial products and had
them certified as "SecurID Ready" out of the box. The open source
community has also actively integrated ACE/SecurID support in a
significant array of devices and services. See the RSA partner
directory at: <http://tinyurl.com/2r8ys>.

> > 2. Cryptography-wise, is there any document describing how secureID work with Windows?

        Microsoft has licensed the full array of RSA cryptosystems -- the RSA
public-key cryptosystem, RC4, RC5, and RC6, among them -- and uses
them internally and in various products, but there is little in the
way of cryptographic dependence between ACE/SecurID and the MS Windows
infrastructure. Even the recently announced "SecurID for Windows"
product, which has drawn so much attention, will only make SecurID a
native authentication option for WinXP, Win2K, and the Windows 2003
servers. It will also extend the SecurID's AAA functionality to
off-line PCs (with a cache of encrypted token-codes, a la S/Key) and
-- with ACE/Agents -- extend two-factor authentication to cover
Windows domain controllers and terminal servers.

        Yet, even with all these new extensions for SecurID in the Windows
world, ACE/SecurID will only complement Windows' internal mechanisms
for promulgating authorization and privilege. Essentially, RSA's
token-based authentication will only replace the traditional use of
memorized passwords in Windows with two-factor authentication. In all
other ways, these SecurID implementations will remain dependent upon
Microsoft's security mechanisms for Windows, which have their own
cryptographic expression throughout the MS product line.

        The core of the SecurID technology has always been a simple
cryptographic transformation that hashes "Current Time" and a
token-specific "seed" to generate the series of "one-time passwords"
(6-8 digit token-codes) that are continuously displayed in the LCD of
every SecurID, changing every 60 seconds.

        There are now, I think, eight different SecurID form-factors, from
the classic SecurID cards and key fobs, through an array of software
modules which can be installed in Palm and Pocket PC devices, various
cellular telephones, even desktop PCs. These options imply,
obviously, an array of implementation-specific security concerns that
have to be considered when choosing a two-factor authentication
option, but the crypto involved is almost incidental to that
risk/benefit analysis.

        Although the ACE/SecurID crypto has been quietly tweaked several
times over the years to make it more resistant to various types of new
attacks on the token, the ACE client/server protocol, or the
authentication engine that supports it, the SecurID hash --
proprietary and unpublished until 2000 -- remained largely unchanged
for 15 years. (I always called it the Grand Dame of commercial
crypto.) Finally, a little over a year ago, RSA switched over to a
standard AES hash in the token, and upgraded the shared secret from
64-bits to 128-bits.

        The ACE client/server protocol uses RC5 to encrypt the authentication
exchange between the ACE/Agent and the ACE/Server, but many ACE
installations today just use RADIUS to proxy the incoming
authentication calls from the Agent to the ACE/Server. The essential
security of the SecurID rests, as it always has, in the 128-bit
"shared secret" that is embedded in the tokens by RSA before they are
sealed and shipped.

        (When RSA ships tokens to a customer site, it also ships an
encrypted and signed record of the seeds that are embedded in the
SecurIDs which that site has purchased. That record is loaded into
the ACE/Server so that it will register the tokens as valid and accept
the assignment of those SecurIDs to individual users.)

        Henghuei also asked:

> > [...] if I want to create something similar to secureID, how can I do that?

        Something similar is not hard. There are numerous alternatives --
some commercial products, some not -- that use challenge/response
mechanisms to supplant memorized passwords with two-factor
authentication. The particular time-synch mechanism that RSA uses to
keep the clock in each SecurID synchronized with the ACE/Server is,
however, patented and -- where such legal devices are honored -- that
will remain exclusive to RSA for at least another year or so. Even
when RSA's patents expire, supplanting the SecurID in the 14,000
enterprises where it is currently used will be a worthy capitalist
challenge -- although potential competitors, both commercial and open
source, are already honing their rhetoric, and jockeying for
alliances, to meet that challenge ;-)

        So welcome to the industry, Heng! The more the merrier, so far as
I'm concerned. The need for strong authentication, and the potential
for market expansion, are both almost boundless. Even in the prime
commercial market, it is estimated that only 18 million of the 285
million Windows desktops are today protected by any form of two-factor
authentication. RSA -- which has about 12 million SecurIDs in
circulation -- only protects about five percent of those desktops with
its token-based authentication. (Browser-based RSA crypto is used in
damn near all of them, of course, but that's another tale ;-) In
tokens, there's lots of room for competitors, big and little. I expect
that RSA -- for which I have been a consultant for many years -- will
adapt to an era of more free-wheeling competition among the token
vendors quite handily.

        I guarantee that the fray will be fun to watch!

        I beg the indulgence of the newsgroup for the length of my
comments. Corrections, questions, or criticism are always welcome.

        Suerte,
                _Vin
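The mechanism Vin describes (a keyed transformation of the current time and a 128-bit per-token seed, truncated to a 6-8 digit code that changes every 60 seconds, checked by a server that holds the seed records and tolerates some clock drift, with the memorized PIN as the second factor) can be sketched as a small working model. This is an added example for the thread, not RSA's code or the actual SecurID algorithm: HMAC-SHA256 stands in for the token's keyed function (RSA's was proprietary, later AES-based), the truncation step borrows the RFC 4226 style, the `AuthServer` class, token serial, PIN and timestamp are all constructed for illustration, and the drift window and replay rule are design choices of this example rather than anything the post attributes to ACE/Server.

```python
"""Illustrative time-synchronous two-factor authenticator (PIN + tokencode).

Added example, not RSA's code or algorithm. Assumptions: HMAC-SHA256 stands in
for the token's keyed transformation (RSA's is proprietary/AES-based), the time
step is 60 seconds, codes are 6 digits, and the verifier tolerates +/-1 step of
clock drift while refusing to accept any time step twice.
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the post: the displayed code changes every 60 seconds
CODE_DIGITS = 6     # the post: 6-8 digit tokencodes; 6 used here
SEED_BYTES = 16     # the post: 128-bit shared secret embedded in the token


def time_step(unix_time: int) -> int:
    """Map wall-clock seconds to the 60-second interval number."""
    return unix_time // STEP_SECONDS


def tokencode(seed: bytes, unix_time: int, digits: int = CODE_DIGITS) -> str:
    """Code the token would display at unix_time for this seed."""
    if len(seed) != SEED_BYTES:
        raise ValueError("seed must be 128 bits")
    counter = struct.pack(">Q", time_step(unix_time))
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    # Dynamic truncation (RFC 4226 style): pick 4 bytes at an offset taken from
    # the last nibble, drop the sign bit, reduce modulo 10**digits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Server side: seed records, PIN hashes, drift window, replay protection."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps
        self._tokens = {}      # serial -> (seed, pin_salt, pin_hash)
        self._last_step = {}   # serial -> last time step accepted

    def register_token(self, serial: str, seed: bytes, pin: str) -> None:
        """Load a seed record (in the post, shipped encrypted and signed by RSA)
        and bind the user's memorized PIN to it; only a salted hash of the PIN
        is kept on the server."""
        salt = os.urandom(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self._tokens[serial] = (seed, salt, pin_hash)

    def _pin_ok(self, pin: str, salt: bytes, pin_hash: bytes) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, pin_hash)

    def verify(self, serial: str, pin: str, code: str, server_time: int) -> bool:
        """Both factors must match: the PIN, and a code from a not-yet-used time
        step inside the drift window around the server's own clock."""
        record = self._tokens.get(serial)
        if record is None:
            return False
        seed, salt, pin_hash = record
        if not self._pin_ok(pin, salt, pin_hash):
            return False
        now = time_step(server_time)
        last = self._last_step.get(serial, -1)
        for step in range(now - self.drift_steps, now + self.drift_steps + 1):
            if step <= last:
                continue  # already consumed: a replayed code must not succeed
            expected = tokencode(seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self._last_step[serial] = step
                return True
        return False


if __name__ == "__main__":
    seed = bytes(range(SEED_BYTES))           # constructed sample, not a real seed
    server = AuthServer()
    server.register_token("000123456789", seed, pin="1234")
    now = 1_077_955_992                       # constructed timestamp
    code = tokencode(seed, now)
    print("code now:", code)
    print("first use:", server.verify("000123456789", "1234", code, now))
    print("replay:", server.verify("000123456789", "1234", code, now + 5))
```

The two points worth taking from the model are the ones the post makes about where the security lives: everything depends on the secrecy of the seed record on both ends, and the server has to accept neighbouring time steps (clock drift) without letting a code that has already been used succeed a second time. Widening `drift_steps` eases user friction but lengthens the window in which an observed code stays valid, so the replay check is not optional.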


