RSA SecurID
Website: https://www.rsa.com/en-us/products/rsa-securid-suite
RSA SecurID, formerly referred to as SecurID, is a mechanism developed by
Description
The RSA SecurID authentication mechanism consists of a "
The token hardware is designed to be
A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Though increasingly rare, some systems using RSA SecurID disregard PIN implementation altogether, and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, authenticates a user by computing what number the token is supposed to be showing at that moment in time and checking this against what the user entered.
On older versions of SecurID, a "duress PIN" may be used—an alternate code which creates a security event log showing that a user was forced to enter their PIN, while still providing transparent authentication.[6] Using the duress PIN would allow one successful authentication, after which the token will automatically be disabled. The "duress PIN" feature has been deprecated and is not available on currently supported versions.
While the RSA SecurID system adds a layer of security to a network, difficulty can occur if the authentication server's clock falls out of sync with the clock built into the authentication tokens. Normal token clock drift is accounted for automatically by the server, which adjusts a stored "drift" value for each token over time. If the out-of-sync condition is not a result of normal hardware token clock drift, the synchronization of the Authentication Manager server clock with the out-of-sync token (or tokens) can be corrected in several different ways. If the server clock had drifted and the administrator changed the system clock, the tokens can either be resynchronized one by one, or the stored drift values can be adjusted manually. The drift adjustment can be made on individual tokens or in bulk using a command line utility.
RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as IronKey, SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom, and BlackBerry to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry.[7]
Theoretical vulnerabilities
Token codes are easily stolen, because no mutual authentication exists (anything that can steal a password can also steal a token code). This is significant, since it is the principal threat most users believe they are solving with this technology.
The simplest practical vulnerability with any password container is losing the special key device or the activated smart phone with the integrated key function. Such a loss cannot be remedied by any single token container device within the preset activation period. All further consideration presumes loss prevention, e.g. by an additional electronic leash or a body sensor and alarm.
While RSA SecurID tokens offer a level of protection against password
The SecurID authentication server tries to prevent password sniffing and simultaneous login by declining both authentication requests if two valid credentials are presented within a given time frame. This has been documented in an unverified post by John G. Brainard.
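The server-side behaviour described above (computing the expected code from the token's seed and the clock, learning per-token clock drift, and refusing a code presented a second time) is shown in the following added example. It is not RSA's code: the proprietary SecurID algorithm is replaced by a TOTP-style HMAC-SHA1 code, and the 60-second step, the acceptance window, the seed and the serial number are constructed values.

```python
# Added example (not RSA's code): a TOTP-style verifier standing in for the
# proprietary SecurID algorithm. It demonstrates three server-side behaviours:
# deriving the expected code from seed + clock, tracking per-token clock drift,
# and refusing a code that has already been accepted (replay / simultaneous use).
import hashlib
import hmac
import struct
import time

STEP = 60      # code lifetime in seconds (constructed; SecurID tokens rotate every 60 s)
WINDOW = 1     # accept +/- this many steps around the stored drift (constructed)


def token_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Code a token would display for a given time-step counter (HOTP-style truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** digits:0{digits}d}"


class AuthServer:
    """Holds the seed record, PIN, learned drift and last accepted step per token serial."""

    def __init__(self):
        self.tokens = {}

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.tokens[serial] = {"seed": seed, "pin": pin, "drift": 0, "last_counter": -1}

    def authenticate(self, serial: str, passcode: str, now: float = None) -> bool:
        """passcode = PIN followed by the 6-digit token code, as the user types it."""
        rec = self.tokens.get(serial)
        if rec is None or len(passcode) <= 6:
            return False
        pin, code = passcode[:-6], passcode[-6:]
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        counter = int((time.time() if now is None else now) // STEP)
        for delta in range(-WINDOW, WINDOW + 1):
            c = counter + rec["drift"] + delta
            if hmac.compare_digest(code, token_code(rec["seed"], c)):
                # A code from this step (or an earlier one) was already accepted:
                # refuse the second presentation instead of letting it log in too.
                if c <= rec["last_counter"]:
                    return False
                rec["drift"] += delta          # learn how far this token's clock is off
                rec["last_counter"] = c
                return True
        return False
```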
Although soft tokens may be more convenient, critics indicate that the
Hard tokens, on the other hand, can be physically stolen (or acquired via social engineering) from end users. The small form factor makes hard token theft much more viable than laptop/desktop scanning. A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system. This could only occur, however, if the user's UserID and PIN are also known. Risk-based analytics can provide additional protection against the use of lost or stolen tokens, even if the user's UserID and PIN are known by the attackers.
Batteries go flat periodically, requiring complicated replacement and re-enrollment procedures.
Reception and competing products
As of 2003, RSA SecurID commanded over 70% of the two-factor authentication market
Other network authentication systems, such as
March 2011 system compromise
On 17 March 2011, RSA announced that they had been victims of "an extremely sophisticated cyber attack".[12] Concerns were raised specifically in reference to the SecurID system, saying that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation". However, their formal Form 8-K submission[13] indicated that they did not believe the breach would have a "material impact on its financial results". The breach cost EMC, the parent company of RSA, $66.3 million, which was taken as a charge against second quarter earnings. It covered costs to investigate the attack, harden its IT systems and monitor transactions of corporate customers, according to EMC Executive Vice President and Chief Financial Officer David Goulden, in a conference call with analysts.[14]
The breach into RSA's network was carried out by hackers who sent
There are some hints that the breach involved the theft of RSA's database mapping token serial numbers to the secret token "seeds" that were injected to make each one unique.[17] Reports of RSA executives telling customers to "ensure that they protect the serial numbers on their tokens"[18] lend credibility to this hypothesis.
Barring a fatal weakness in the cryptographic implementation of the token code generation algorithm (which is unlikely, since it involves the simple and direct application of the extensively scrutinized
On 6 June 2011, RSA offered token replacements or free security monitoring services to any of its more than 30,000 SecurID customers, following an attempted cyber breach on defense customer Lockheed Martin that appeared to be related to the SecurID information stolen from RSA.[20] In spite of the resulting attack on one of its defense customers, company chairman Art Coviello said that "We believe and still believe that the customers are protected".[21]
Resulting attacks
In April 2011, unconfirmed rumors cited
In May 2011, this information was used to attack
References
- [1] "Oracle® Access Manager Integration Guide" (PDF). Oracle Corporation. August 2007. "[...] the RSA ACE/Server®, which has been renamed to the Authentication Manager."
- [2] "RFC ft-mraihi-totp-timebased: TOTP: Time-Based One-Time Password Algorithm". IETF Datatracker. May 13, 2011.
- [3] "Bugtraq: Sample SecurID Token Emulator with Token Secret Import". seclists.org.
- [4] "stoken / Wiki / Home". sourceforge.net.
- [5] "Data Sheets" (PDF). Archived from the original on November 13, 2008.
- [6] "TCPware V5.7 User's Guide ch14.HTM". Archived from the original on 2012-03-01. Retrieved 2013-03-20.
- [7] "RSA Security to enable ubiquitous authentication as RSA SecurID(r) technology reaches everyday devices and software". M2 Presswire.
- [8] "Untitled". malpaso.ru. Archived from the original on 28 September 2007.
- [9] "Securology: Soft tokens aren't tokens at all". 20 November 2007.
- [10] "RSA SecurID Solution Named Best Third-Party Authentication Device by Windows IT Pro Magazine Readers' Choice 2004". RSA.com. 2004-09-16. Archived from the original on 2010-01-06. Retrieved 2011-06-09.
- [11] Diodati, Mark (2010). "Road Map: Replacing Passwords with OTP Authentication". Burton Group. "Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time. ... If the organization does not need the extensive platform support, then OATH-based technology is likely a more cost-effective choice."
- [12] "Open Letter to RSA Customers". Originally online at RSA site.
- [13] "EMC / RSA 8K filing". Form 8-K. The United States Securities and Exchange Commission. 17 March 2011.
- [14] Chabrow, Eric (1 August 2011). "RSA Breach Costs Parent EMC $66.3 Million". GovInfoSecurity.
- [15] Rivner, Uri (1 April 2011). "Anatomy of an Attack". Speaking of Security - The RSA Blog and Podcast. Archived from the original on 20 July 2011.
- [16] Mills, Elinor (5 April 2011). "Attack on RSA used zero-day Flash exploit in Excel". CNET. Archived from the original on 17 July 2011.
- [17] Goodin, Dan (24 May 2011). "RSA won't talk? Assume SecurID is broken". The Register.
- [18] Messmer, Ellen (18 March 2011). "Did hackers nab RSA SecurID's secret sauce?". Network World. Archived from the original on 15 October 2012.
- [19] Bright, Peter (6 June 2011). "RSA finally comes clean: SecurID is compromised". Ars Technica.
- [20] Gorman, Siobhan; Tibken, Shara (7 June 2011). "Security 'Tokens' Take Hit". Wall Street Journal.
- [21] Gorman, Siobhan; Tibken, Shara (7 June 2011). "RSA forced to replace nearly all of its millions of tokens after security breach". News Limited.
- [22] Mills, Elinor (6 June 2011). "China linked to new breaches tied to RSA". CNET.
- [23] Leyden, John (27 May 2011). "Lockheed Martin suspends remote access after network 'intrusion'". The Register.
- [24] Drew, Christopher (3 June 2011). "Stolen Data Is Tracked to Hacking at Lockheed". New York Times.
- [25] "Lockheed Martin confirms attack on its IT network". AFP. 28 May 2011.
- [26] Wolf, Jim (28 May 2011). "Lockheed Martin hit by cyber incident, U.S. says". Reuters. Archived from the original on 13 June 2012.
External links
- Technical details
- Sample SecurID Token Emulator with token Secret Import I.C.Wiener, Bugtraq post.
- Apparent Weaknesses in the Security Dynamics Client/Server Protocol Adam Shostack, 1996.
- Usenet thread discussing new SecurID details Vin McLellan, et al., comp.security.misc.
- Unofficial SecurID information and some reverse-engineering attempts Yahoo Groups securid-users.
- Analysis of possible risks from 2011 compromise
- Published attacks against the SecurID hash function
- Cryptanalysis of the Alleged SecurID Hash Function (PDF) Alex Biryukov, Joseph Lano, and Bart Preneel.
- Improved Cryptanalysis of SecurID (PDF) Scott Contini and Yiqun Lisa Yin.
- Fast Software-Based Attacks on SecurID (PDF) Scott Contini and Yiqun Lisa Yin.