From: Riya on
Folks,

Just wanted to know more about RSA secureid (the one that keeps on
generating a password key every minute which needs to be used while
authenticating my user id).

I have the following questions regarding this...

1. What are all the security features achieved by this card (other than
proving that it is me who bought this card)?
2. I believe this card must be generating the password key based on the
current GMT time and my Registration number, using some kind of
message-digest algorithm or something like that. But wouldn't it be
possible for a dedicated hacker to hack this circuit and reveal the
algorithm that is being used to generate these password keys. Using
which, he can generate the numbers for other secureid registration
numbers as well.
3. This is a general question: The algorithms mentioned above,
private keys for public/private cryptology, etc need to be stored
somewhere in the concerned company's database. And there would be
someone/many having direct access to this. So how do they manage to
avoid leaking of this critical confidential info? (the employee, having
access to these data, may accidentally reveal them to the outside world,
right?)

Thanks,
Riya.

From: clem on
On 3 Jul 2005 06:01:48 -0700, "Riya" <riya.pcch(a)rediffmail.com> wrote:

>Folks,
>
>Just wanted to know more about RSA secureid (the one that keeps on
>generating a password key every minute which needs to be used while
>authenticating my user id).
>
>I have the following questions regarding this...
>
>1. What are all the security features achieved by this card (other than
>proving that it is me who bought this card)?

The security model is "what you have and what you know".

You have the SecureID FOB that generates a 6 digit hash based on
strict chronology and the serial number of that FOB.

And you have to enter a PIN number which only you know along with your
ID which is in the clear.

If you enter a bad combination more than a few times the account will
lock.


>2. I believe this card must be generating the password key based on the
>current GMT time and my Registration number, using some kind of
>message-digest algorithm or something like that. But wouldn't it be
>possible for a dedicated hacker to hack this circuit and reveal the
>algorithm that is being used to generate these password keys. Using
>which, he can generate the numbers for other secureid registration
>numbers as well.

There is said to be a way to do this by gathering the different values
displayed and if enough displays are captured this will help predict
the following numbers.

I believe a web cam or scanner is used and then the display is OCR'd
to get the numeric value. And you have to get a LOT of pictures, if I
understood the article correctly.

But that is only for the FOB you have and not other FOBs.

Remember, if you enter incorrectly approximately three times before a
successful entry, or the FOB is reported stolen, you're hosed.

>3. This is a general question: The algorithms mentioned above,
>private keys for public/private cryptology, etc need to be stored
>somewhere in the concerned company's database. And there would be
>someone/many having direct access to this. So how do they manage to
>avoid leaking of this critical confidential info? (the employee, having
>access to these data, may accidentally reveal them to the outside world,
>right?)

When a new FOB is generated (or old FOB regenerated) in the system, a
new PIN and other numbers are created.

So knowing the hash algorithm or information about one FOB doesn't
expose any info about any other FOB.

You must assume that if you allow an attacker to get physically next
to your box then they own it.

All in all, the SecureID system is fairly strong and it is very easy
for the users.

>
>Thanks,
>Riya.

From: Jean-Luc Cooke on
clem <clem(a)numeral.com> wrote:
> There is said to be a way to do this by gathering the different values
> displayed and if enough displays are captured this will help predict
> the following numbers.

There are papers online showing the results of reverse engineering the
RSA SecureID. In short, it uses a variant of RC4 to mangle serial
number, and GMT time from a quartz crystal. The reverse engineering
showed it to be a good design assuming there are no serious flaws in
RC4. Which to my knowledge, the public doesn't know of any.

JLC

From: Crypto on
Jean-Luc Cooke wrote:

> clem <clem(a)numeral.com> wrote:
>
>>There is said to be a way to do this by gathering the different values
>>displayed and if enough displays are captured this will help predict
>>the following numbers.
>
>
> There are papers online showing the results of reverse engineering the
> RSA SecureID. In short, it uses a variant of RC4 to mangle serial
> number, and GMT time from a quartz crystal. The reverse engineering
> showed it to be a good design assuming there are no serious flaws in
> RC4. Which to my knowledge, the public doesn't know of any.
>
> JLC

The public doesn't know of flaws in RC4?
How secure do you think RC4 is? Or its variants?
RC4's mileage in this group varies significantly.

From: TwoSchubert on
On 2005-07-03, Riya <riya.pcch(a)rediffmail.com> wrote:

> 1. What are all the security features achieved by this card (other than
> proving that it is me who bought this card)?

Two factor authentication.

> 2. I believe this card must be generating the password key based on the
> current GMT time and my Registration number, using some kind of
> message-digest algorithm or something like that.

Old-fashioned SecurID devices used a proprietary & secret hash function,
designed by John Brainard in 1985 and reverse-engineered by some Russian
(dive into securityfocus lists for C code).
After that was done, the hash was analysed, and actually it's a very weak one:
http://eprint.iacr.org/2003/162.pdf &
http://www.crypto-world.com/documents/securid.pdf

Note that new SecurIDs use an AES-based hash function, and therefore
it is allegedly more secure. Again, dig into groups.google.com & find
a post with all the details.

Furthermore, there have been attacks on the protocol itself.

> But wouldn't it be
> possible for a dedicated hacker to hack this circuit and reveal the
> algorithm that is being used to generate these password keys. Using
> which, he can generate the numbers for other secureid registration
> numbers as well.

Already done ;)
BUT, I recall some RSA henchman saying that 'the secrecy of the
algorithm isn't fundamental for SecurID security', so, trust them.

> 3. This is a general question: The algorithms mentioned above,
> private keys for public/private cryptology, etc need to be stored
> somewhere in the concerned company's database. And there would be
> someone/many having direct access to this. So how do they manage to
> avoid leaking of this critical confidential info? (the employee, having
> access to these data, may accidentally reveal them to the outside world,
> right?)

Very simple: purchasing a polygraph ;)

Regards,

TwoSchubert
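
The model described in the replies above (a code derived from a per-token secret and the current time, a PIN as the second factor, lockout after a few bad attempts), as an added sketch that is not part of the original thread and is not the SecurID algorithm: it substitutes HMAC-SHA256 with RFC 4226-style truncation. The seeds, PINs, user names, timestamp and drift window are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60         # seconds per displayed code ("every minute" in the thread)
MAX_FAILURES = 3  # lockout threshold (assumed; the thread says "a few times")

def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Stand-in generator (NOT the SecurID hash): HMAC-SHA256 over the time step."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # RFC 4226-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class AuthServer:
    """Holds one secret seed and PIN per token; the algorithm itself is public."""
    def __init__(self):
        self.tokens = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.tokens[user] = {"seed": seed, "pin": pin, "failures": 0, "locked": False}

    def verify(self, user: str, pin: str, code: str, now: int, drift: int = 1) -> bool:
        rec = self.tokens.get(user)
        if rec is None or rec["locked"]:
            return False
        # Accept neighbouring time steps to tolerate token clock drift.
        valid = [token_code(rec["seed"], now + d * STEP) for d in range(-drift, drift + 1)]
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        code_ok = any(hmac.compare_digest(code.encode(), v.encode()) for v in valid)
        if pin_ok and code_ok:
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        rec["locked"] = rec["failures"] >= MAX_FAILURES
        return False

if __name__ == "__main__":
    now = 1120395708  # constructed timestamp
    server = AuthServer()
    server.enroll("alice", b"constructed-seed-A", "1234")  # constructed values
    server.enroll("bob", b"constructed-seed-B", "9999")
    alice_code = token_code(b"constructed-seed-A", now)
    print("alice, own code:", server.verify("alice", "1234", alice_code, now))
    # Knowing the algorithm and alice's code says nothing about bob's seed.
    print("bob, alice's code:", server.verify("bob", "9999", alice_code, now))
    for _ in range(2):
        server.verify("bob", "9999", "000000", now)
    print("bob locked:", server.tokens["bob"]["locked"])
```

The per-token seed is the only secret here, which is why the server-side seed store is the asset that needs protecting.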
