RSA SecurID

Website: https://www.rsa.com/en-us/products/rsa-securid-suite

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

Description

[Image: RSA SecurID token (older style, model SD600)]
[Image: RSA SecurID token (model SID700)]
[Image: RSA SecurID token (new style, model SID800 with smartcard functionality)]

The RSA SecurID authentication mechanism consists of a "token", either hardware (e.g. a key fob) or software (a soft token), which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) from a built-in clock and the token's factory-encoded pseudorandom key (known as the "seed"). The seed is different for each token and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server[1]) as the tokens are purchased.[2] On-demand tokens are also available, which deliver a tokencode by email or SMS, eliminating the need to provision a token to the user.

The token hardware is designed to be tamper-resistant to deter reverse engineering. By the time software implementations of the same algorithm ("software tokens") appeared on the market, the security community had already published code that lets a user emulate an RSA SecurID token in software, but only if they have access to a current RSA SecurID code and to the original 64-bit RSA SecurID seed file loaded into the server.[3] Later, the 128-bit RSA SecurID algorithm was published as part of an open source library.[4] In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords. Newer versions also feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates.[5]

A user authenticating to a network resource, say a dial-in server or a firewall, needs to enter both a personal identification number and the number displayed at that moment on their RSA SecurID token. Though increasingly rare, some systems using RSA SecurID omit the PIN altogether and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid tokens with their associated seed records, authenticates a user by computing the number the token is supposed to be showing at that moment and checking it against what the user entered.

On older versions of SecurID, a "duress PIN" could be used: an alternate code which creates a security event log entry showing that the user was forced to enter their PIN, while still providing transparent authentication.[6] Using the duress PIN allowed one successful authentication, after which the token was automatically disabled. The "duress PIN" feature has been deprecated and is not available on currently supported versions.

While the RSA SecurID system adds a layer of security to a network, difficulty can occur if the authentication server's clock drifts out of sync with the clock built into the authentication tokens. Normal token clock drift is accounted for automatically by the server, which adjusts a stored "drift" value for each token over time. If the out-of-sync condition is not the result of normal hardware token clock drift, the Authentication Manager server clock can be resynchronized with the affected token (or tokens) in several ways. If the server clock had drifted and the administrator corrected the system clock, the tokens can either be resynchronized one by one, or the stored drift values can be adjusted manually; the drift adjustment can be applied to individual tokens or in bulk using a command line utility.

RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as IronKey, SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom, and BlackBerry to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry.[7]

Theoretical vulnerabilities

Token codes are easily stolen, because no mutual authentication exists (anything that can steal a password can also steal a token code). This is significant, since credential theft is the principal threat most users believe they are solving with this technology.

The simplest practical vulnerability of any password container is loss of the key device, or of the activated smartphone carrying the integrated token function. No single token container device can remedy such a loss within the preset activation span. All further considerations presume loss prevention, e.g. by an additional electronic leash or a body sensor and alarm.

While RSA SecurID tokens offer a level of protection against password replay attacks, they are not designed to offer protection against man-in-the-middle attacks when used alone. If the attacker manages to block the authorized user from authenticating to the server until the next tokencode becomes valid, the attacker will be able to log into the server. Risk-based analytics (RBA), a new feature in the latest version (8.0), provides significant protection against this type of attack if RBA is enabled for the user and the user is authenticating through an agent enabled for RBA. RSA SecurID does not prevent man-in-the-browser (MitB) attacks.

The SecurID authentication server attempts to prevent password sniffing and simultaneous login by declining both authentication requests if two valid credentials are presented within a given time frame. This has been documented in an unverified post by John G. Brainard.[8] If the attacker removes the user's ability to authenticate, however, the SecurID server will assume that it is the user who is actually authenticating and will allow the attacker's authentication through. Under this attack model, the system security can be improved using encryption/authentication mechanisms such as SSL.
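To make the mechanism concrete, here is an added toy model in Python of a time-synchronous token and its verifying server. It illustrates the Description section (a per-token seed, a 60-second tokencode interval, a server that computes the expected code and learns each token's clock drift) together with the behaviour described in the paragraph above (a tokencode that is presented a second time is declined and the session the first presentation opened is revoked). This is not RSA's code or the SecurID algorithm: the real tokencode is derived with AES-128, and this model substitutes HMAC-SHA256 from the standard library so it runs offline. All names, window sizes, seeds and serial numbers are constructed for the example.

```python
"""Toy model of a time-synchronous OTP token and its verifying server.

Added example; not RSA's code or the SecurID algorithm. The real tokencode is
derived with AES-128 from the per-token seed, the current time and the token
serial; this model substitutes HMAC-SHA256 from the standard library so it
runs offline. All names, window sizes, seeds and serials here are constructed.
"""
import hashlib
import hmac
import struct

INTERVAL = 60       # seconds a tokencode stays on the display
DIGITS = 6          # length of the displayed code
WINDOW = 3          # intervals either side of server time the verifier accepts


def tokencode(seed: bytes, serial: str, t: int) -> str:
    """Code the token would display at Unix time t (assumed derivation)."""
    counter = t // INTERVAL
    msg = serial.encode() + struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation so the value fits a DIGITS-wide display
    off = digest[-1] & 0x0F
    num = int.from_bytes(digest[off:off + 4], "big") & 0x7FFFFFFF
    return f"{num % 10 ** DIGITS:0{DIGITS}d}"


class AuthServer:
    """Holds the seed database, learns each token's clock drift and refuses
    a tokencode that is presented a second time (or after a later code)."""

    def __init__(self):
        self.tokens = {}    # serial -> record with seed, pin, drift, last_counter
        self.sessions = {}  # serial -> counter of the code that opened the session
        self.events = []    # security event log, one tuple per event

    def provision(self, serial: str, seed: bytes, pin: str) -> None:
        self.tokens[serial] = {"seed": seed, "pin": pin, "drift": 0, "last_counter": None}

    def authenticate(self, serial: str, passcode: str, now: int) -> bool:
        """passcode is the PIN followed by the displayed tokencode."""
        rec = self.tokens.get(serial)
        if rec is None:
            return False
        pin, code = passcode[:len(rec["pin"])], passcode[len(rec["pin"]):]
        if not hmac.compare_digest(pin.encode(), rec["pin"].encode()):
            self.events.append(("bad_pin", serial, now))
            return False
        expected = now // INTERVAL + rec["drift"]   # counter the token should be on
        for delta in range(-WINDOW, WINDOW + 1):
            cand = expected + delta
            want = tokencode(rec["seed"], serial, cand * INTERVAL)
            if not hmac.compare_digest(code.encode(), want.encode()):
                continue
            last = rec["last_counter"]
            if last is not None and cand <= last:
                # The same code (or an older one) already authenticated: decline this
                # request and also revoke the session the earlier one opened.
                self.sessions.pop(serial, None)
                self.events.append(("duplicate_tokencode", serial, cand))
                return False
            rec["last_counter"] = cand
            rec["drift"] += delta       # remember how far this token's clock is off
            self.sessions[serial] = cand
            return True
        self.events.append(("no_match_in_window", serial, now))
        return False


if __name__ == "__main__":
    srv = AuthServer()
    seed, serial = b"constructed-seed-not-a-real-one", "000123456789"
    srv.provision(serial, seed, "1234")
    now = 1_700_000_000
    print(srv.authenticate(serial, "1234" + tokencode(seed, serial, now), now))
```

The duplicate check shows why the paragraph's caveat holds: the server only sees that a valid code arrived twice, and cannot tell which of the two presentations came from the legitimate user. It also shows why the seed database is the system's critical secret: anyone holding a token's seed and serial can evaluate `tokencode` for any time.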

Although soft tokens may be more convenient, critics indicate that the tamper-resistant property of hard tokens is unmatched in soft token implementations,[9] which could allow seed record secret keys to be duplicated and user impersonation to occur.

Hard tokens, on the other hand, can be physically stolen (or acquired via social engineering) from end users. The small form factor makes hard token theft much more viable than laptop/desktop scanning. A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system. This could only occur, however, if the user's UserID and PIN are also known. Risk-based analytics can provide additional protection against the use of lost or stolen tokens, even if the user's UserID and PIN are known by the attackers.

Batteries go flat periodically, requiring complicated replacement and re-enrollment procedures.

Reception and competing products

As of 2003, RSA SecurID commanded over 70% of the two-factor authentication market[10] and 25 million devices have been produced to date.[citation needed] A number of competitors, such as VASCO, make similar security tokens, mostly based on the open OATH HOTP standard. A study on OTP published by Gartner in 2010 mentions OATH and SecurID as the only competitors.[11]
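For comparison with the proprietary, time-synchronous SecurID scheme, the following added example implements the open OATH algorithms the competing tokens mentioned above are based on: HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based), checked against the test vectors published in those RFCs, plus a counter-based verifier with the look-ahead resynchronisation window RFC 4226 describes. This is example code written for this page, not the code of any token vendor; the `HotpVerifier` class and its `look_ahead` parameter are this example's own names.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238) with a counter-based verifier.

Added example, not any vendor's code. The secret below is the shared test
secret from the RFCs, so the codes can be checked against the published vectors.
"""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"   # shared secret used by the RFC test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a 64-bit counter: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 8) -> str:
    """TOTP is HOTP over the number of time steps elapsed since t0."""
    return hotp(secret, (unix_time - t0) // step, digits)


class HotpVerifier:
    """Server side for a counter-based token (RFC 4226 section 7.4 resync).

    The server keeps its own counter; a presented code is accepted if it
    matches any of the next look_ahead+1 counters, after which the counter
    jumps past the matched value so that code can never be accepted again.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret, self.look_ahead, self.digits = secret, look_ahead, digits
        self.counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(code.encode(), hotp(self.secret, c, self.digits).encode()):
                self.counter = c + 1    # counters at or below c are now spent
                return True
        return False


if __name__ == "__main__":
    print([hotp(RFC_TEST_SECRET, c) for c in range(3)])   # RFC 4226 vectors
    print(totp(RFC_TEST_SECRET, 59))                      # RFC 6238 vector
```

The contrast with the time-synchronous model is the resynchronisation state: a counter-based server must search forward from its last accepted counter (an attacker who observes codes has nothing to replay, but a user who generates many unused codes can walk the token out of the window), whereas a time-based server instead tracks clock drift.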

Other network authentication systems, such as OPIE and S/Key (sometimes more generally known as OTP, as S/Key is a trademark of Telcordia Technologies, formerly Bellcore) attempt to provide the "something you have" level of authentication without requiring a hardware token.[citation needed]

March 2011 system compromise

On 17 March 2011, RSA announced that they had been victims of "an extremely sophisticated cyber attack".[12] Concerns were raised specifically in reference to the SecurID system, saying that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation". However, their formal Form 8-K submission[13] indicated that they did not believe the breach would have a "material impact on its financial results". The breach cost EMC, the parent company of RSA, $66.3 million, which was taken as a charge against second quarter earnings. It covered costs to investigate the attack, harden its IT systems and monitor transactions of corporate customers, according to EMC Executive Vice President and Chief Financial Officer David Goulden, in a conference call with analysts.[14]

The breach into RSA's network was carried out by hackers who sent phishing emails to two targeted, small groups of employees of RSA.[15] Attached to the email was a Microsoft Excel file containing malware. When an RSA employee opened the Excel file, the malware exploited a vulnerability in Adobe Flash. The exploit allowed the hackers to use the Poison Ivy RAT to gain control of machines and access servers in RSA's network.[16]

There are some hints that the breach involved the theft of RSA's database mapping token serial numbers to the secret token "seeds" that were injected to make each one unique.[17] Reports of RSA executives telling customers to "ensure that they protect the serial numbers on their tokens"[18] lend credibility to this hypothesis.

Barring a fatal weakness in the cryptographic implementation of the token code generation algorithm (which is unlikely, since it involves the simple and direct application of the extensively scrutinized AES-128 block cipher), the only circumstance under which an attacker could mount a successful attack without physical possession of the token is if the token seed records themselves had been leaked.[citation needed] RSA stated it did not release details about the extent of the attack so as to not give potential attackers information they could use in figuring out how to attack the system.[19]

On 6 June 2011, RSA offered token replacements or free security monitoring services to any of its more than 30,000 SecurID customers, following an attempted cyber breach on defense customer Lockheed Martin that appeared to be related to the SecurID information stolen from RSA.[20] In spite of the resulting attack on one of its defense customers, company chairman Art Coviello said that "We believe and still believe that the customers are protected".[21]

Resulting attacks

In April 2011, unconfirmed rumors cited L-3 Communications as having been attacked as a result of the RSA compromise.[22]

In May 2011, this information was used to attack Lockheed Martin systems.[23][24] However, Lockheed Martin claims that, due to "aggressive actions" by the company's information security team, "No customer, program or employee personal data" was compromised by this "significant and tenacious attack".[25] The Department of Homeland Security and the US Defense Department offered help to determine the scope of the attack.[26]

References

  1. ^ "Oracle® Access Manager Integration Guide" (PDF). Oracle Corporation. August 2007. [...] the RSA ACE/Server®, which has been renamed to the Authentication Manager.
  2. ^ "RFC ft-mraihi-totp-timebased: TOTP: Time-Based One-Time Password Algorithm". IETF Datatracker. May 13, 2011.
  3. ^ "Bugtraq: Sample SecurID Token Emulator with Token Secret Import". seclists.org.
  4. ^ "stoken / Wiki / Home". sourceforge.net.
  5. ^ "Data Sheets" (PDF). Archived from the original on November 13, 2008.
  6. ^ "TCPware V5.7 User's Guide ch14.HTM". Archived from the original on 2012-03-01. Retrieved 2013-03-20.
  7. ^ "RSA Security to enable ubiquitous authentication as RSA SecurID(r) technology reaches everyday devices and software". M2 Presswire.
  8. ^ "Untitled". malpaso.ru. Archived from the original on 28 September 2007.
  9. ^ "Securology: Soft tokens aren't tokens at all". 20 November 2007.
  10. ^ "RSA SecurID Solution Named Best Third-Party Authentication Device by Windows IT Pro Magazine Readers' Choice 2004". RSA.com. 2004-09-16. Archived from the original on 2010-01-06. Retrieved 2011-06-09.
  11. ^ Diodati, Mark (2010). "Road Map: Replacing Passwords with OTP Authentication". Burton Group. Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time. ... If the organization does not need the extensive platform support, then OATH-based technology is likely a more cost-effective choice.
  12. ^ "Open Letter to RSA Customers". Originally online at RSA site.
  13. ^ "EMC / RSA 8K filing". Form 8-K. The United States Securities and Exchange Commission. 17 March 2011.
  14. ^ Chabrow, Eric (1 August 2011). "RSA Breach Costs Parent EMC $66.3 Million". GovInfoSecurity.
  15. ^ Rivner, Uri (1 April 2011). "Anatomy of an Attack". Speaking of Security - The RSA Blog and Podcast. Archived from the original on 20 July 2011.
  16. ^ Mills, Elinor (5 April 2011). "Attack on RSA used zero-day Flash exploit in Excel". CNET. Archived from the original on 17 July 2011.
  17. ^ Goodin, Dan (24 May 2011). "RSA won't talk? Assume SecurID is broken". The Register.
  18. ^ Messmer, Ellen (18 March 2011). "Did hackers nab RSA SecurID's secret sauce?". Network World. Archived from the original on 15 October 2012.
  19. ^ Bright, Peter (6 June 2011). "RSA finally comes clean: SecurID is compromised". Ars Technica.
  20. ^ Gorman, Siobhan; Tibken, Shara (7 June 2011). "Security 'Tokens' Take Hit". Wall Street Journal.
  21. ^ Gorman, Siobhan; Tibken, Shara (7 June 2011). "RSA forced to replace nearly all of its millions of tokens after security breach". News Limited.
  22. ^ Mills, Elinor (6 June 2011). "China linked to new breaches tied to RSA". CNET.
  23. ^ Leyden, John (27 May 2011). "Lockheed Martin suspends remote access after network 'intrusion'". The Register.
  24. ^ Drew, Christopher (3 June 2011). "Stolen Data Is Tracked to Hacking at Lockheed". New York Times.
  25. ^ "Lockheed Martin confirms attack on its IT network". AFP. 28 May 2011. Archived from the original on September 7, 2012.
  26. ^ Wolf, Jim (28 May 2011). "Lockheed Martin hit by cyber incident, U.S. says". Reuters. Archived from the original on 13 June 2012.

External links

Technical details
Published attacks against the SecurID hash function
