SecurID

Classic model of the RSA SecurID as a key ring.

Newer variant of the token generator in the form of a key.

Newer variant of the token generator with USB connection.

The SecurID is a security system from RSA Security for authentication , ie for checking the identity of users (“Authentication Manager”). An authenticator is used for this, a piece of hardware called a "SecurID Token".

The authentication is a two-factor authentication , through which a high level of security is to be guaranteed: The user must know a password (“something that you know”) and be in possession of his token or a token generator (“something that you has ”) in order to be able to identify yourself to the computer, network service etc. The token generator generates a new security token every minute in the form of a six-digit number, which is also generated according to the same algorithm on the corresponding host whose access is secured with this token.

Various access solutions such as VPN servers, firewalls or OpenSSH offer the possibility of using SecurID.

Hardware token

The key token generator, available as a key ring with dimensions of 5.5 cm × 2.7 cm max. or in credit card format, displays a 6- to 8-digit number (token or one-time password , OTP ) that changes every 60 seconds . This OTP is generated in the token generator and is the product of an AES algorithm, which is calculated from a time index and a secret key (length: 128 bits) of the respective basic key. The key is generated with a real random number generator and is embedded in the token generator when it is manufactured. The 128-bit key is only known to the Authentication Manager, no one else. The 6 to 8-digit number, the "SecurID code", is stored on a. After normal login (identification with name, password, key card, etc.) Terminal queried and then compared with the code generated in the server for this special user according to the same criteria. If the codes match, access or access is granted. Newer versions also enable the secure storage of certificates using a smart card functionality via USB.

Time synchronization with the server

The server system time is typically NTP- controlled and thus differs i. d. Usually only in the millisecond range from UTC . Since the quartz clocks in the hardware tokens show a certain error over the years, the server saves the time difference per token once a day if the authentication is successful. Therefore, a key may still be accepted a few minutes after it expires.

running time

The token generators have a different term of one to five years depending on requirements and must then be replaced. The device then switches off at a specified time, the date is engraved on the back.

construction

RSA SecurID SID800 token generator, structure (1/2)

RSA SecurID SID800 token generator, structure (2/2)

The battery is designed for the entire lifetime of the generator. The generator itself cannot be opened without being physically destroyed as a result. Inside there is a microprocessor clocked at approx. 1 megahertz with a ROM module and a clock module.

In principle, the SecurID system itself does not contain any encryption, as it is mostly only intended for authentication processes. The exception is the SID800 model, which has an integrated Smart Chip with a USB connection, but cannot be used like a USB stick to store data.

Areas of application

The SecurID system offers a very high level of protection compared to conventional, for example purely password-based, authentication systems, as the code to be entered changes every 60 seconds, codes that have already been entered become invalid, and no key token produces the same SecurID code as another rarely repeat the codes. In addition, the system can be used flexibly, both from fixed access terminals (for example on entrance doors) and from computers (for example for logging in). Organizations use the system accordingly where a high level of security is required.

Due to the increased risks in the area of online banking, multifunctional devices are now also being offered that are equipped with a signature function in order to efficiently protect business transactions.

price

The price for a SecurID tag is around 40 US dollars, the price for the server software is several thousand US dollars (depending on the license size, term of the token, etc.).

Software token

There are also tokens that are software-based. In principle, these work in the same way as hardware tokens, since both variants generate one-time codes (one-time passwords).

The software can be installed on all common devices and operating systems. Some of them are:

Windows (7/8 / 8.1 / 10)
Android (from version 4)
Apple
Windows Phone
Blackberry

Since the token does not logically contain a seed (secret key) during installation, the software must request this from the corresponding authentication server. To do this, the user receives an activation code from the administrator with which the software legitimizes itself on the server and then receives the required seed code encrypted in real time (also for the purpose of time synchronization) via the network (LAN or WAN). The key itself is not transmitted over the network, but calculated. Other distribution methods using encrypted files are also possible. Immediately after receiving the seed code, the software generates OTP codes that the user can use for authentication, as is usual with hardware tokens.

The software stops generating tokens when the license period for this token has expired or because mathematically no further token code can be generated due to the encryption process. See RSA cryptosystem .

Software tokens are suitable for users who do not want to carry any special hardware (HW tokens) with them. The program generates the one-time passwords required for logging into an IT infrastructure protected with RSA SecureID. Since software tokens are difficult to protect physically, they are exposed to potential attacks such as copying the entire software or attempts to read the key via the operating system. Here, however, security mechanisms have been developed that thwart such attacks, but cannot completely exclude them. However, they offer the advantage that the selling price for the software is cheaper than that for the hardware.

criticism

Vulnerability to man-in-the-middle attacks

One-time password tokens are generally vulnerable to a man-in-the-middle attack . However, these attacks are laborious to create. The tokens should always be kept and carried in such a way that they cannot be used by others, e.g. B. can be read with good binoculars. Carrying the token on a lanyard should be prohibited in the security guidelines.

Token code procedure

The procedure for calculating the token code has been standardized since February 2003: The key tokens are delivered with a 128-bit key length and an AES algorithm.

The hardware complexity and security of the 128-bit AES algorithm are suboptimal compared to other methods. In the present application, stream cipher processes would be better suited and could deliver cheaper tokens with the same security.

The technology used before, which still worked with the SDI algorithm and 64-bit key length, was criticized even more clearly: Critics expressed concern that the algorithm for generating the tokens had not yet been published by the manufacturer RSA. The exact specifications were only available to governments and large companies that had previously signed a non-disclosure agreement . The standard was therefore not freely accessible and could not be independently verified.

Hacker attack on RSA servers

In a hacking attack on RSA servers that became known in March 2011, data (seeds and serial numbers) that can be used to calculate any OTP could have been stolen. As a result of the attack, around 40 million SecurID tokens are exchanged worldwide.

Hacker attack on Lockheed Martin possibly using stolen seeds

In May 2011, the servers of the arms manufacturer Lockheed Martin were hacked. Various sources assume a connection with the assumed theft of seeds at RSA. If the reports are correct, Lockheed would be the first known victim of the compromise of the security of the SecurID system. The Lockheed Martin Group is involved in the production of the Lockheed Martin F-35 stealth fighter aircraft .

Web links

Individual evidence

↑ Hardware tokens. In: www.rsa.com. Retrieved June 21, 2016 .
↑ DJ Bernstein: Why switch from AES to a new stream cipher? . Retrieved March 28, 2010.
↑ RSA hack could compromise the security of SecurID tokens. . Heise Online. March 18, 2011. Retrieved May 21, 2011.
↑ RSA exchanges 40 million SecurID tokens after hacking . Heise Online. June 7, 2011. Retrieved June 7, 2011.
↑ March RSA Hack Hits Lockheed, Remote Systems Breached . Ziff Davis, Inc. May 28, 2011. Retrieved May 29, 2011.
↑ Attackers break into Lockheed Martin computers . Golem.de. May 28, 2011. Retrieved May 29, 2011.

[1] Hardware tokens. In: www.rsa.com. Retrieved June 21, 2016 .

[abandon_aes-2] DJ Bernstein: Why switch from AES to a new stream cipher? . Retrieved March 28, 2010.

[3] RSA hack could compromise the security of SecurID tokens. . Heise Online. March 18, 2011. Retrieved May 21, 2011.

[4] RSA exchanges 40 million SecurID tokens after hacking . Heise Online. June 7, 2011. Retrieved June 7, 2011.

[5] March RSA Hack Hits Lockheed, Remote Systems Breached . Ziff Davis, Inc. May 28, 2011. Retrieved May 29, 2011.

[6] Attackers break into Lockheed Martin computers . Golem.de. May 28, 2011. Retrieved May 29, 2011.