How secure is RSA’s SecurID?
The incidents at Lockheed Martin, L-3 Communications and Northrop Grumman appear to stem from the earlier breach at RSA in which data related to its SecurID two-factor authentication tokens was stolen. SecurID is widely used by US government agencies, contractors and banks to secure remote access to sensitive networks.
RSA has finally agreed to replace about 40 million SecurID tokens. Every RSA SecurID hardware token of a given type is identical in manufacture, apart from the unique printed serial number. Each is then initialised with a secret ‘seed’ value, and a cryptographically protected copy of that seed, tied to the serial number, is sent to the purchaser to load into their authentication server. An algorithm (AES-based in newer devices) combines the seed with the token’s internal clock to generate the numbers displayed, and the server runs the same computation to check them. Customers normally buy a large batch of tokens at once and receive a single file containing the seed values for the whole batch.
Software tokens are similar, except that one copy of the secret seed is installed into the software token, and another into the authentication server. The main difference from the hardware tokens is that the cryptography makes it very difficult for the customer to generate their own seeds, protecting RSA’s revenue.
In both cases, once the seed file is installed on the authentication server, most of the cryptographic protection around the seed values can be stripped by anyone with enough time and effort to reverse engineer the code; the previous, secret 64-bit algorithm was recovered about ten years ago in exactly that way. The security of the scheme therefore rests on the seeds themselves staying secret, at RSA, inside the token and on the customer’s server, which is why a theft of seed-related data at RSA matters to every customer whose tokens’ seeds may have been exposed.
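To make the point concrete, here is an added example (not RSA’s code, and not the proprietary SecurID algorithm, which is a stand-in here): a simplified time-synchronous token in Go. The token and the server share a 16-byte seed; each 60-second interval the interval counter and the token serial are AES-encrypted under the seed and the result is truncated to six digits. The names `Seed`, `SeedFile`, `tokenCode` and `verify`, the seed values, the serial numbers and the derivation itself are all assumptions for illustration. The server side also shows the usual clock-skew window, and the last lines show that a copy of the seed file is all an attacker needs to clone a token.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Illustrative time-synchronous token. This is NOT RSA's SecurID algorithm;
// it is a simplified stand-in that keeps the property that matters here:
// the displayed code is a deterministic function of (seed, serial, time).

const stepSeconds = 60 // one displayed code per 60-second interval

// Seed is the per-token secret programmed at the factory and shipped to the
// customer in the seed file (constructed values are used below).
type Seed [16]byte

// tokenCode computes the six-digit code a token with the given seed and
// serial displays at unixTime: AES-128 over (interval counter || serial),
// first four bytes of the block reduced modulo 10^6.
func tokenCode(seed Seed, serial uint32, unixTime int64) string {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		panic(err) // only fails on a bad key length; Seed is fixed at 16 bytes
	}
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[0:8], uint64(unixTime/stepSeconds))
	binary.BigEndian.PutUint32(in[8:12], serial)
	block.Encrypt(out[:], in[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(out[0:4])%1000000)
}

// SeedFile is what the customer loads into the authentication server: a map
// from token serial number to seed. It is also exactly what an attacker wants.
type SeedFile map[uint32]Seed

// verify is the server-side check: look up the seed for the claimed serial and
// accept the code if it matches any interval within +/-skew steps of the
// server clock (token clocks drift, so some tolerance is normal).
func verify(seeds SeedFile, serial uint32, code string, unixTime int64, skew int) bool {
	seed, ok := seeds[serial]
	if !ok {
		return false
	}
	for d := -skew; d <= skew; d++ {
		expected := tokenCode(seed, serial, unixTime+int64(d)*stepSeconds)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed file for two tokens; the seeds are made-up test values.
	seeds := SeedFile{
		100001: Seed{0x3a, 0x1f, 0x55, 0x90, 0xc2, 0x07, 0x6e, 0xb1, 0x14, 0xd8, 0x2c, 0x9f, 0x61, 0xe3, 0x48, 0x7b},
		100002: Seed{0x9d, 0x02, 0x77, 0xab, 0x40, 0xee, 0x13, 0x5c, 0xf8, 0x29, 0x86, 0x31, 0xd4, 0x0b, 0xa7, 0x6f},
	}
	now := time.Now().Unix()

	// What the legitimate token on the user's keyring displays right now.
	code := tokenCode(seeds[100001], 100001, now)
	fmt.Println("token displays:", code, "server accepts:", verify(seeds, 100001, code, now, 1))

	// An attacker holding a copy of the seed file needs nothing else (no access
	// to the physical token) to produce the same code for the same serial.
	stolen := seeds[100001]
	fmt.Println("attacker's clone:", tokenCode(stolen, 100001, now),
		"server accepts:", verify(seeds, 100001, tokenCode(stolen, 100001, now), now, 1))
}
```

Because the code is fully determined by the seed, the server cannot tell a cloned token from the real one. The only remedies once a seed file is suspected stolen are to replace the seeds, or to require a second secret that is not in the seed file (the PIN or password the user types alongside the code) and to rotate that too.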
RSA said Lockheed planned to continue using the SecurID tokens, but security experts believe RSA’s reputation has been damaged. Many of RSA’s 25,000 customers could face difficult decisions about what to do next, according to the New York Times.
Lockheed announced that it is replacing 45,000 SecurID tokens held by remote workers. Lockheed says it is adding a further step to the sign-on process and that all users will change their passwords.
RSA has been reluctant to specify what data was stolen in March, but the time has come to say exactly what was stolen and give clear guidance to customers on what they should do, says Mikko Hypponen, chief research officer at F-Secure.
All users of RSA SecurID tokens should assume the worst and consider replacing them, Mikko Hypponen advises.