RSA Security Inc. joined Microsoft to deliver stronger security for Microsoft environments by replacing static passwords with strong, two-factor authentication.
RSA Security And Microsoft Bring Strong Authentication To Windows
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
This isnt new, my dad at GE has had this little thing for years, i thought it was quite cool the first time i saw it. I still dont get how if the device can generate a passwords the server recognises, how a cracker cant reverse engineer the device to see what algorithm generates the password, and thus invalidate all of them. There didnt appear to be anything user specific about the device itself, and it didnt have anyway of modifying it to upload a private key to generate these passwords off.
This isn’t new indeed, it has been around for a long time. But I think they added better integration with windows.
The design of the securid is actually quite simple. It contains a secretkey that rsa puts in it when it’s made, this key can’t be changed and has to be linked to your account. The securid uses this key in combination with the current time to generate a hash which can be used to identify you. A hash is easy to generate but will take a lot of work to reverse the operation.
The fact that the password exists for 60 seconds leaves you open to sniffer and replay attacks, doesn’t it?
Then again, I work for the competition – http://www.cryptocard.com/ and our stuff is generally better (cheaper, more secure, etc. and the keychain style tokens are made of STEEL, have replaceable batteries, and don’t need to be repurchased, ever).
– chrish
hang on, isn’t the win2k logon encryption in RSA MD5 hash algorithm? is the us version of windows use 128-bit key where as rest of the world is 64?
Hey it’s great that winbloze is getting this, when linux has had s/key and opie for ages. And now with various stackguard mechanisms, wow windoze is showing promise.
All flamebait aside, RSA securid has some weaknesses. First the window can increase to 10 min, and the token change may occur every 30 seconds. So the 1/1,000,000 drops to 1/25,000. Granted this is worse case scenario.
Banks have to conform to the X 9.9 standard of 1 in one million. They prob use 8 digit alphanumeric, time-dependent or event-synchronous. I have some gripes about event-synchronous, but that’s a long story.
However, printing out a page of OTP isn’t fun either. I wish I could afford securid or challenge-response tokens.
“The fact that the password exists for 60 seconds leaves you open to sniffer and replay attacks, doesn’t it?”
You know that the tokens are generally one time only. So sniffing and replaying till ur blue in the face won’t generally work. You’d have to intercept the OTP, scam the OTP, or something of that nature. I’m not saying it can’t be done, but how is ur company’s token much better? (challenge-response maybe?) There may be some cases where the token could work on diff machines, thus be reused, i dunno and suspect it would depend on the implementation. With unencrypted sessions, you could also use session hijacking. I think most companies using OTP would also use encryption though.
There’s another weakness in Securid. Supposedly (i have not verified this) you can take a token and within a few weeks, be able to guess future tokens. This means you can’t reuse old tokens for new employees. I know mudge and schneier found some weaknesses, but i was suprised someone developed a working attack on the RSA algo. This is one reason “open-source” is probably good in crypto vs using proprietary algos.
“hang on, isn’t the win2k logon encryption in RSA MD5 hash algorithm?”
I forget. The LM hash was developed by IBM. I don’t know who did NTLM. The newer version is more secure, but local attacks with fast cpu’s can crack most stuff anyway. The bad part about LM was that you can separate it into two 7 char passes, which makes it easier. The bad part about both, is that salts are not used.
“is the us version of windows use 128-bit key where as rest of the world is 64?”
I don’t know that it much matters. You generally acquire the hashes (in any number of ways) then brute force the passspace. Most passwords will fall in the hybrid (mod dictionary) phase of the attack. This is the advantage of using one time pass, like cryptocard (?) or securid.
Not only that. My company uses these and then transfers all the data over unencrypted channels. What’s the point of having strong authentication when my valuable data is floating across the internet? The only reason I have a password is to protect my data, not make sure someone doesn’t login as me and send an email. I swear most people who buy this stuff are idiots.
I would only implement something with this sort of technology once I had ALL my other bases covered, as extra protection. Never as the only protection.
I dunno who you work for. But in the case of AOL, there was a significant amount of problems with priviledged accounts being cracked. I think this is why SecurID was implemented. (In addition to some other stuff.) This was covered on Slashdot and other sites years ago.
In fact, loads of corps use time-synchronous and related tokens. The govt (and I’d assume military) makes extensive use of 2 and 3 factor auth. Given the money people spend on overpriced, and overrated, firewalls and IDS, I think a few bucks spent on auth is reasonable.
Anyway, if you want REAL progress, the community should move to a non-disclosure system. This would substantially reduce the number of network worms and script kiddies. I hope people finally realize that Norton, Securityfocus, and Bugtraq are the part of the problem, not the solution.