SecurID

From Free net encyclopedia

SecurID is a mechanism developed by Security Dynamics and currently owned by RSA Security for authenticating a user to a network resource.

The SecurID authentication mechanism consists of a "token" -- a piece of hardware assigned to a user that generates an authentication code every sixty seconds using a built-in clock and the token's factory-encoded random key (known as the "seed" and often provided as a *.asc file). The seed is different for each token, and is loaded into the corresponding SecurID server (the "ACE Server") as the tokens are purchased. Some SecurID deployments use a 30-second rotation instead.

The token hardware is designed to be tamper resistant to deter reverse engineering of the token. Despite this, the security community has published code that emulates a SecurID token in software, but it works only for someone who already holds both a current code from the token and the original seed file that was loaded into the server.

A user authenticating to a network resource -- say, a dial-in server or a firewall -- needs to enter both a PIN (something you know) and the number displayed at that moment on their SecurID token (something you have). Some systems using SecurID omit the PIN altogether and rely on a password combined with the SecurID code. The server, which also has a real-time clock and a database of valid tokens with their associated seed records, computes the number the token should be showing at that moment, compares it with what the user entered, and decides whether to allow or deny access.

On systems implementing PINs, a "duress PIN" may be used -- an alternate PIN that, when entered, writes a security event to the log recording that the user was forced to authenticate, while the authentication itself still succeeds transparently.

While the SecurID system can add a layer of security to a network, difficulty can occur if the authentication server's clock drifts out of sync with the clock built into the authentication tokens. Typically, however, the ACE Server corrects for this automatically without affecting the user, and a token can also be re-synced manually in the ACE Server. Providing authentication tokens to everyone who might need to access a network resource can also be expensive, particularly as the tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.
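The server-side behaviour described above (deriving the expected code from a shared seed and the current time, tolerating a small amount of clock drift and learning the token's offset, recognising a duress PIN, and re-syncing a badly drifted token from two consecutive codes) can be illustrated with a generic time-based one-time-code scheme. The following is an added example, not code from the article or from RSA: it uses an HMAC over a time counter in the style of RFC 6238 rather than RSA's proprietary SecurID algorithm, and the seed, PINs, timestamps and the names `TokenRecord`, `verify` and `manual_resync` are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example: generic time-based one-time code (HMAC over a time counter,
# RFC 6238 style). This is NOT RSA's proprietary SecurID algorithm; the seed,
# PINs and timestamps below are constructed sample values.

STEP_SECONDS = 60      # one code per minute, as the article describes for SecurID
DRIFT_WINDOW = 1       # steps of clock skew tolerated on a normal login
DIGITS = 6

SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real seed


@dataclass
class TokenRecord:
    """Server-side seed record for one token (the kind of record an ACE Server holds)."""
    seed: bytes
    pin: str
    duress_pin: Optional[str] = None
    drift_steps: int = 0          # learned offset of the token clock, in steps
    last_counter: int = -1        # highest counter already accepted (replay guard)
    events: List[tuple] = field(default_factory=list)


def code_for_counter(seed: bytes, counter: int) -> str:
    """Code for one time step: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(seed: bytes, token_time: int) -> str:
    """What the token displays at token_time, read from its own (possibly skewed) clock."""
    return code_for_counter(seed, token_time // STEP_SECONDS)


def verify(rec: TokenRecord, pin: str, code: str, server_time: int) -> Tuple[bool, bool]:
    """Check PIN and code against the server clock. Returns (accepted, duress)."""
    duress = rec.duress_pin is not None and hmac.compare_digest(pin, rec.duress_pin)
    if not duress and not hmac.compare_digest(pin, rec.pin):
        rec.events.append(("bad_pin", server_time))
        return False, False
    base = server_time // STEP_SECONDS + rec.drift_steps
    for offset in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        counter = base + offset
        if counter <= rec.last_counter:
            continue                      # a code is never accepted twice
        if hmac.compare_digest(code_for_counter(rec.seed, counter), code):
            rec.drift_steps += offset    # automatic resync: remember the skew
            rec.last_counter = counter
            if duress:
                rec.events.append(("duress", server_time))
            return True, duress
    rec.events.append(("bad_code", server_time))
    return False, False


def manual_resync(rec: TokenRecord, code_a: str, code_b: str, server_time: int,
                  search_steps: int = 24 * 60) -> bool:
    """Administrator resync: two consecutive codes pin down a token clock that has
    drifted far outside DRIFT_WINDOW (here up to a day in either direction)."""
    server_counter = server_time // STEP_SECONDS
    for offset in range(-search_steps, search_steps + 1):
        c = server_counter + offset
        if (hmac.compare_digest(code_for_counter(rec.seed, c), code_a)
                and hmac.compare_digest(code_for_counter(rec.seed, c + 1), code_b)):
            rec.drift_steps = offset
            rec.last_counter = c + 1
            rec.events.append(("resync", server_time, offset))
            return True
    return False


def demo() -> dict:
    """Walk through the scenarios from the text with a token clock 60 s ahead of the server."""
    t = 1_700_000_000                     # constructed server time
    rec = TokenRecord(seed=SAMPLE_SEED, pin="1234", duress_pin="4321")
    first = verify(rec, "1234", token_code(SAMPLE_SEED, t + 60), t)      # accepted, drift learned
    replay = verify(rec, "1234", token_code(SAMPLE_SEED, t + 60), t)     # same code again: rejected
    duress = verify(rec, "4321", token_code(SAMPLE_SEED, t + 260), t + 200)  # logged, still succeeds
    return {"first": first, "replay": replay, "duress": duress,
            "drift": rec.drift_steps, "events": list(rec.events)}


if __name__ == "__main__":
    print(demo())
```

The replay guard means a user who logs in twice within the same minute is asked to wait for the next code, which is the usual trade-off for refusing a captured code; the drift window is kept to one step so that learning the offset cannot be abused to walk the server clock arbitrarily far, and anything beyond that requires the two-code manual resync.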

Other network authentication systems, such as S/Key (sometimes known as OTP, as S/Key is a trademark of Bellcore), attempt to provide the "something you have" level of authentication without requiring a hardware token.

External links

Technical details

Published attacks against the SecurID hash function

The token is also called a key fob. It is used by many large companies, such as ADP, Inc., when handling large amounts of highly sensitive data, especially by nuclear corporations, weapons manufacturers, and the military.