Comments on: The RSA/SecurID Compromise: What is my risk?

By: Myguess

Myguess — Wed, 06 Apr 2011 01:22:13 +0000

I’ll go with #4 – the master seed theory. It seems too tempting to eliminate the need to track millions of seeds. Likely there is no single master seed because that would be stupid. My guess is that there is a new master seed used for every lot manufactured and the list of those seeds are what get stored and what was compromised. Since the hardware tokens are only good for a couple years, assuming the breach has been rectified, that’s how long the bad guys have until the stolen seeds are useless. RSA is advising using good pins and probably just crossing their fingers for the next two years.

By: RSA Explains How It Was Hacked, But Is Still Mum On The Nature of Data Stolen | Arik Hesseldahl | NewEnterprise | AllThingsD

Mon, 04 Apr 2011 14:02:23 +0000

[...] the constantly changing numeric codes that appear on the device’s display. For instance, in one scenario described by David Scheutz of the Intrepidus Group, the attackers might have found a list of seeds [...]

By: Top 3 NoVA Infosec Blog Posts of the Week | NovaInfosecPortal.com

Top 3 NoVA Infosec Blog Posts of the Week | NovaInfosecPortal.com — Fri, 25 Mar 2011 14:01:52 +0000

[...] about it other than it’s a post that looks at the risks of RSA/SecurID being compromised. Click here for more [...]

By: incognito

incognito — Wed, 23 Mar 2011 22:10:49 +0000

I wouldn’t say it’s better, but it’s lower-level and a nice complement to this discussion. Thanks for the link.

By: jgajek

jgajek — Tue, 22 Mar 2011 20:38:05 +0000

The reasoning for RSA keeping a database of token seeds is as follows:

1) The token seeds are truly random, i.e. there is no way to compute them based on any information about the token, customer, etc.

2) The token seeds are injected into the tokens during production.

3) The token seeds need to be loaded into the customer’s Authentication Manager server so that it is able to process logins for those tokens.

4) The tokens need to be distributed to the customer through a third-party vendor, who must not have access to the token seeds.

It follows that the process must be such that the customer, upon receiving the physical tokens from a third-party vendor, then contacts RSA directly with the serial numbers of the tokens they purchased, and obtains the token seed records from their database.

At this point, RSA could theoretically delete the token seeds for the customer’s tokens (and apparently can be requested to do so), but most customers do not make that request. Instead, the token records are kept in RSA’s database in case the customer ever needs them again (e.g. to rebuild a crashed authentication server).

By: Steve

Steve — Tue, 22 Mar 2011 14:07:27 +0000

For reference, in response to a comment above, RSA state that the algorithm they use is "built upon the Advanced Encryption Standard (AES) algorithm". http://www.rsa.com/node.aspx?id=3050

By: Hackers break into RSA’s network and steal SecurID data « Security Place

Hackers break into RSA’s network and steal SecurID data « Security Place — Sun, 20 Mar 2011 03:21:40 +0000

[...] Intrepidus Group published a great overview of the possible impact of this exploit and describing the four or five possible [...]

By: Darth Null

Darth Null — Sat, 19 Mar 2011 20:44:18 +0000

First, thanks for the great responses!

jgajek: I’ve read that they use AES, but hadn’t seen anything authoritative I could cite. For this analysis, though, the algorithm doesn’t matter — the risks depend on whether seeds were compromised.

Also, I still don’t see why RSA would need to keep a database of seeds. It’s been argued that they’re necessary in case a customer loses their copies, but that’s why they should have backups. You’ve mentioned scalability, but I’m not sure I follow that. Finally, some might say a list of issued seeds is needed to avoid duplicate tokens, but with a 128-bit space, the chances of that happening are so infitissemally small that I’m not sure it’s even worth protecting against.

Truth is, if I were an RSA customer, using SecurID to protect high-value systems, I wouldn’t want anyone other than my own people having access to any seed values. Ever.

Anonymous (1): The algorithm isn’t public, and I don’t know it firsthand, so I felt it wrong to be too specific in how I described it. I’ve seen speculation that it’s time-based, and since “time is an arrow,” the end result will still be a pre-determined sequence of numbers. Further, I don’t know if it’s based on clock time, or simply the time since the token was powered on.

I didn’t explain my (theoretical) attack in detail, so here’s a quick description:

1. Observe two consecutive tokencodes, possibly by performing a man-in-the-middle attack, or directing the target to a fake login page. This also gets the attacker the PIN, which they’d need later.

2. Presume some list of seed values has been compromised. This could be a list of actual issued seeds, or a way to generate them which significantly reduces the valid seed attack space.

3. For each seed on that list (or reduced seed space), iterate the algorithm forward until you see the two tokencodes recorded in step 1. Set a limit for how far you’ll go forward — a token which changes every 30 seconds would display just over 5.25 million codes in 5 years, so that’s probably a good place to stop.

4. If you didn’t find the code, go to the next seed, and do it again.

I’ve personally had tokens “re-synchronized” by providing two consecutive codes to customer support, so that kind of drove my understanding of the system. (Or at least that’s how I recall it — it’s been a while). When activating a new token, a similar step would be performed, essentially, establishing a known good offset between the arbitrary “token time” and real clock time.

However, if tokens use absolute clock time, then it actually makes the attack easier. In this case, the attackers only need to observe a single tokencode, note the time, and simply try all known seed values against that time value.

Finally, thanks to Anonymous (3) for the link to Bellovin’s analysis. He pretty clearly explained a lot of what I’ve been thinking, or trying to describe here, but did it in nice, clean, mathematical terms. Unfortunately, he also doesn’t know any more than the rest of us about how the actual algorithm works, nor what data RSA may store on their systems. In the end, though, I believe bitexploder was correct — Bellovin’s analysis is saying the same thing we are, just in different terms, for different audiences.

Again, thanks for your comments…keep ‘em coming!

By: RSA Security Breach Demands Caution « Breaking News « Theory Report

RSA Security Breach Demands Caution « Breaking News « Theory Report — Sat, 19 Mar 2011 20:00:31 +0000

[...] countenance that a chairman logging in, indeed has a token in their possession, Intrepidus said in a blog post today [...]

By: bitexploder

bitexploder — Sat, 19 Mar 2011 15:44:14 +0000

To Anonymous regarding the numbers not being predetermined. For any given point in time the token code must be predictable. So, if you were to record a tokencode every second for a given seed it would be the same tokencode stream the server has. The server will know every token code in the future as well due to this. You can pick any specific point in time with a given seed and that token will not change as long as these algorithms are relying on a shared secret and the time as the only two basic inputs. Very basic things about these tokens would not work if the stream were not predictable for a given seed. The seed is the shared secret and magic. After that everything is predictable (but the seed is theoretically very hard to guess).

Regarding professor Bellovin’s analysis, I feel we were addressing the same concerns for different audiences. We were aiming for a higher level risk analysis this time vs. digging into the technical details.

Thanks,

@bitexploder