SecurID

SecurID is a security system from RSA Security for authentication, i.e. for verifying the identity of users (the server component is called the "Authentication Manager"). For this purpose an authenticator is used, a piece of hardware called a "token".

Authentication is two-factor, which is intended to ensure a high level of security: the user must know a password ("something you know") and be in possession of their token ("something you have") in order to identify themselves to the computer, network service, etc. The token generates a new number every minute, which only the server can predict.

Various access solutions such as VPN servers, firewalls, or OpenSSH offer the option of using SecurID.


Token

The key token, available as a key fob with maximum dimensions of 5.5 cm × 2.7 cm or in credit-card format, displays a 6- to 8-digit number that changes every 60 seconds (one-time password, OTP). This OTP is generated inside the key token and is the output of an AES computation over a time index and a secret key (length: 128 bits) that is unique to each key token. The key is generated during manufacture of the token with a true random number generator and embedded in it. It is known only to the Authentication Manager and to no one else. The 6- to 8-digit number, the "SecurID code", is requested at a terminal following a normal login step (identification with name, password, key card, etc.) and is then compared with the code generated on the server for that particular user under the same criteria. If the codes match, access is granted. Newer versions also allow the secure storage of certificates through a smart-card function over USB.

Time synchronization with the server

The server's system time is typically synchronized via NTP and therefore usually deviates from UTC only by milliseconds. Since the quartz clocks in the hardware tokens accumulate a certain drift over the years, the server stores a time offset per token, updated with each successful authentication.
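To make the token/server interplay described in this and the previous section concrete, here is an added example (not RSA's code, and not the real SecurID code format, which is proprietary): a simplified model of a token that derives its code with AES-128 from a 128-bit seed and the 60-second time index, and a server-side check that tolerates clock drift by storing a per-token offset and rejects reuse of an already accepted code. The seed, the timestamps and the 6-digit truncation are constructed assumptions.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const Interval = 60 // code lifetime in seconds, as in the text
type Token struct { // the server's record for one hardware token (constructed model)
	Seed    [16]byte // 128-bit per-token secret embedded at manufacture
	Offset  int64    // learned clock drift of this token, in seconds
	LastIdx int64    // last accepted time index, used to reject reused codes
}

// TokenCode derives the 6-digit OTP for a Unix time: AES-128 keyed with the
// seed over the 60-second time index (assumed model, not RSA's real format).
func TokenCode(seed [16]byte, unix int64) (string, error) {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		return "", err
	}
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[:8], uint64(unix/Interval))
	block.Encrypt(out[:], in[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(out[:4])%1000000), nil
}

// Verify recomputes the code server-side, tolerating up to window intervals of
// drift around the stored offset; a match updates the offset and time index.
func Verify(tok *Token, code string, serverUnix int64, window int) bool {
	for d := -window; d <= window; d++ {
		candidate := serverUnix + tok.Offset + int64(d)*Interval
		idx := candidate / Interval
		c, err := TokenCode(tok.Seed, candidate)
		if idx > tok.LastIdx && err == nil && c == code { // idx check rejects replays
			tok.Offset += int64(d) * Interval
			tok.LastIdx = idx
			return true
		}
	}
	return false
}

func main() {
	tok := &Token{LastIdx: -1}
	copy(tok.Seed[:], "constructed-seed")          // constructed 16-byte sample seed
	code, _ := TokenCode(tok.Seed, 1300000020+125) // token clock ~2 minutes fast
	ok := Verify(tok, code, 1300000020, 3)
	fmt.Println(ok, tok.Offset) // true 120
}
```

The learned offset means a token whose clock runs two minutes fast is accepted within the window once, after which its codes verify with no window at all, while the recorded time index makes a re-entered code fail.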

Lifetime

Key tokens have, depending on requirements, a lifetime of one to five years and must be replaced afterwards. The device then switches itself off at a specified time; the date is engraved on the back.

Construction

The battery is designed to last for the entire lifetime of the key token. The token itself cannot be opened without being physically destroyed in the process. Inside is a microprocessor clocked at about 1 megahertz, connected to a ROM chip and a clock module. Basically, the SecurID system itself contains no encryption, because it is intended mostly for authentication operations. An exception is the model SID800, which has a built-in smart chip with a USB port but cannot be used like a USB stick for storing data.

Areas of application

The SecurID system offers a very high level of protection compared to conventional, purely password-based authentication systems, since the code to be entered changes every 60 seconds, previously entered codes become invalid, no key token produces the same SecurID code as another, and the codes rarely repeat. Moreover, the system can be used flexibly, both at fixed access terminals (e.g. at entrance doors) and on computers (e.g. for login). Accordingly, organizations deploy the system where high security is required.

Because of the increased risk in online banking, multi-function devices are now also available that are equipped with a signature function to protect business transactions efficiently.

Price

The price of a key token is about 40 U.S. dollars; the price of the server software is in the range of a few thousand dollars (depending on license size, token lifetime, etc.).

Software token

A software token is an electronic authentication system that can completely replace a hardware token. Software tokens use the same algorithms and, in place of the key token, provide the SecurID code on computers and mobile devices. They are suitable for users who do not want to carry any special hardware. The program generates the OTPs needed to log in to an IT infrastructure protected with RSA SecurID. Since software tokens cannot be physically protected, they are exposed to potential attacks. However, they offer many advantages: the owner need not carry any physical item, batteries and rechargeable cells are unnecessary, and the price of the software is lower than that of the hardware.

Criticism

Vulnerability to man-in-the-middle attacks

One-time password tokens are generally vulnerable to man-in-the-middle attacks. However, such attacks are costly to mount. Furthermore, tokens are often kept and worn in such a way that others can read them, for example with a good pair of binoculars. Wearing the token on a lanyard should be forbidden by security policy.

Token code method

Since February 2003, the method for calculating the token codes has been standardized: key tokens are shipped with the AES algorithm using a 128-bit key length.

The hardware complexity and security of the 128-bit AES algorithm are suboptimal compared to other methods. For this application, a stream-cipher method would be better suited and could provide cheaper tokens for the same security.

The previously used technique, which still worked with the SDI algorithm and a 64-bit key length, drew even more explicit criticism: critics objected that the manufacturer RSA had not published the algorithm used to generate the token codes. The exact specifications were available only to governments and large companies that had previously signed a confidentiality agreement (non-disclosure agreement). The standard was therefore not freely available and could not be independently verified.

Hacker attack on RSA servers

In the hacker attack on RSA servers that became known in March 2011, data could have been stolen (seeds and serial numbers) from which any OTP can be calculated. Because of the attack, about 40 million SecurID tokens are being replaced worldwide.

Hacker attack on Lockheed Martin, possibly using stolen seeds

In May 2011, servers of the defense contractor Lockheed Martin were hacked. Various sources speak of a connection with the presumed theft of seeds at RSA. If the reports are true, Lockheed Martin would be the first known victim of the compromise of the SecurID system's security. Lockheed Martin Corporation is involved, among other things, in the production of the stealth fighter jet Lockheed Martin F-35.
