[TriLUG] OT: RSA Securid - how does it work?
flanagannc at gmail.com
Sat Mar 8 15:22:33 EST 2008
I did some RSA SecureID admin for a while, here's the Cliffs notes
version. At least for the most popular tokens from RSA.
The date on the back of the token is an expiration date.
The number on the back of the token above the date is the Serial Number.
With each batch of tokens there is a disc, now a CD, that has the serial
numbers and a seed number for each SN. These are loaded into the server
to "activate" the tokens when you first buy them.
There are also software tokens, Smartphone, PalmOS and Crackberry
varieties, the work basically the same as the hardware tokens.
The server, we have 3 of them at work in a redundant fashion, has a tool
where you assign a token, by SN, to a user ID. From there on the
process is roughly as follows.
- User is issued a token, first use requires the setting up of a
PIN, this can be waived, but isn't normally.
- User goes to a web site, or other app that has been configured to
authenticate by RSA token. and puts in the following info
- Passphrase, this consists of the pin and the token generated
number concatenated together.
(This passphrase meets the standard for "Something you have along with
something you know" to be called 2 factor authentication.)
- The server takes the ID and looks up the serial number, sends that
to the process that generates a number that should match the one that
the token has on it. The reason it knows this is that it has the serial
number, and seed record, and the current time, they share an algorithm
that gens the numbers. In reality the server knows 5 sets of numbers,
the one it believes it should be and two before and two after, so that
you could account for clock drift.
- There is a comparison of what was sent, and what is expected.
Either pass or fail is determined.
- Success or Failure is sent back to the program.
Some of the new devices are USB fobs that can hold certificates for
authentication as well, but there are significant limitations to that.
Keith Woodie wrote:
> I too have one of these for work. The way it was explained to me was
> that the RSA company encodes a set of numbers, a number for every
> minute from the moment it is created until the moment it is supposed
> to expire. The reason they die exactly on the day it says on the back
> is because it simply runs out of numbers. The server at work is
> pre-programmed with the same set of numbers. Once the RSA key is
> registered with the server, both the server and the key begin counting
> down. They typically last for 5years. The longer they last the more
> expensive they are.
> I have a buddy at work that has a bank that gave him one of these keys
> for his online banking. If your interested in secure online banking I
> don't know of a better way.
> On Sat, Mar 8, 2008 at 10:43 AM, William Sutton <william at trilug.org> wrote:
>> I have one of these things for work as well. I don't know the technical
>> implementation details, but this is the information I've come across:
>> - the device keeps changing the number (AFAIK, it isn't a time) every so
>> often, with a counter to show you how much longer it has until the number
>> changes again
>> - when you first activate it, you provide the number and the main server
>> stores the amount of drift betwen your device and what it should be
>> - when you login using it, the server adjusts for drift using that offset
>> - oh, yes...they do die, apparently quite abruptly (self destruct, I
>> I'm curious to see what's inside one, but don't feel like explaining to
>> $WORK what happened if it breaks...
>> William Sutton
>> On Sat, 8 Mar 2008, Barry Gaskins wrote:
>> > Well only RSA knows for sure but they are not publishing any details.
>> > But we can guess at a few things. First of all the date on the
>> > back does not really matter. When you get your key you have to
>> > activate it by waiting until the number changes and then typing in the
>> > number so it only has to be close when you activate it. Also it would
>> > not have to be exact down to the second since it only changes every
>> > minute and it takes a few seconds to type in the number and log in
>> > anyway. If I were writing the software then I would allow the last
>> > number to work for a while after I knew it was supposed to change.
>> > They could even make the window wider depending on how long it was
>> > since the key was "activated".
>> > Of course they would want it to quit working every few years just
>> > to make you pay to buy another one...
>> > - Barry Gaskins
>> > On Sat, Mar 8, 2008 at 9:17 AM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
>> >> I have one of these keys, which gives a different random
>> >> number every minute, so I can logon at work. I'm wondering
>> >> how it keeps synchronisation with the server. Searches on
>> >> google for "RSA Securid how does it work" only come up with
>> >> pages on how to login with it (and shills from RSA telling
>> >> me how wonderful these keys are).
>> >> I assume that the key has a free running crystal oscillator
>> >> in which case the setting and long term drift will not be
>> >> better than 1:10^6 and it would go out of synch in 2yrs
>> >> (60*10^6 secs). Mine has a date of Nov 2003 on the back, so
>> >> presumably it's been running for 4 years. Assuming the
>> >> battery will last 10yrs, this would mean that the accuracy
>> >> of the crystal would have to be 1:10^7 to maintain synch
>> >> over this time. This tolerance is a bit tighter than I would
>> >> expect is possible.
>> >> Anyone know how these things keep synchronised with the
>> >> server?
>> >> Thanks Joe
>> >> --
>> >> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
>> >> jmack (at) wm7d (dot) net - azimuthal equidistant map
>> >> generator at http://www.wm7d.net/azproj.shtml
>> >> Homepage http://www.austintek.com/ It's GNU/Linux!
>> >> --
>> >> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> >> TriLUG Organizational FAQ : http://trilug.org/faq/
>> >> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> > --
>> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> > TriLUG Organizational FAQ : http://trilug.org/faq/
>> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
More information about the TriLUG