Firewall Wizards mailing list archives

RE: securid AES tokens


From: Vin McLellan <vin () theworld com>
Date: Mon, 26 Apr 2004 20:38:17 -0400


ArkanoiD <ark_at_eltex.net> recently queried the List from St. Petersburg, Rossiyskaya Federatsiya:

>niqneH,
>
> Does anyone know exactly how do AES securid tokens work?
>Are those still time-based?


Privet ArkanoiD,

Glad to help. All versions of the SecurID use RSA's patented technology to synchronize the use of Current Time in a SecurID token and its remote authentication server, what RSA calls the ACE/Server. (Typically, as you know, the link between the token-holder and the ACE/Server is through an intermediary -- an ACE/Agent or RADIUS agent -- which intercepts an authentication call and relays it to the ACE/Server for processing.)

The classic SecurID, for 15 years, used a proprietary algorithm to hash a token-specific 64-bit seed and Current Time. The new SecurID -- introduced at the beginning of 2003 -- uses the AES block cipher, in standard ECB mode, to hash:

- a 128-bit token-specific true-random seed,
- a 64-bit standard ISO representation of Current Time (yr/mo/day/hour/min/second),
- a 32-bit token-specific salt (the serial number of the token), and
- another 32 bits of padding, which can be adapted for new functions or additional defensive layers in the future.

Conflated and hashed by the AES, these inputs generate the series of 6-8 digit (or alphanumeric) token-codes that are continuously displayed on the SecurID's LCD, rolling over every 60 seconds. (The standard mode of use, as you know, requires two-factor authentication: the token-holder is required to provide both a SecurID token-code and a user-memorized PIN to the remote ACE/Server.)

ECB mode in AES is executed on 128-bit blocks, of course, so it is obvious that RSA had to pad the standard 64-bit expression of Current Time with another 64 bits. Using a token-specific salt blocks any attempt to pre-calculate a library of possible token-codes for all 128-bit seeds. That means that any brute-force attack on the AES SecurIDs would have to be focused on a particular token.

        ArkanoiD also asked:

> Can I work with those without using ACE
> server (assuming US patent law does not apply for me)? Can I do it if
> it does?

Interesting questions. The relevant RSA patent, of course, is on the server-based mechanism used to track and adjust to any relative "drift" in the clocks used in the ACE/Server and individual SecurID authentication tokens. (This "time-synch" scheme allows the authentication server to track any offset necessary to synchronize the version of Current Time it uses to calculate the token-code displayed on any particular token, at this particular minute.) I'm a little unclear about how or why you might want to "work with" RSA SecurIDs without an ACE/Server, but there are certainly tokens available on the open market and, AFAIK, no overt constraints on those who buy them.

If you are asking whether -- patent issues aside -- it is technically feasible to copy the basic functionality of a time-synched authentication token that uses AES, and then to create your own authentication server that will recognize and respond to it -- sure! For a (copyrighted) template, you can even download, free, the SecurID code modules (AES and all!) for Palms, Pocket PCs, Blackberries, various phones, etc., from RSA's website at: <http://www.rsasecurity.com/products/securid/software_token.html>

        What you can't do is use ersatz tokens on a RSA ACE/Server.

Access to the ACE/Server's authentication functions is restricted not by the token's internal architecture -- which, distributed in software, obviously can't be much of a secret -- but rather by RSA's control over which *seeds* can be registered (as associated with particular SecurIDs) on a particular ACE/Server.

RSA digitally signs all of its seed-files before it ships them, with each batch of new SecurIDs, to a customer -- and RSA ACE/Servers will only register SecurID seeds which have been signed by RSA.

        Schast'ya i zdorov'ya!

                _Vin

PS. I've been a consultant to RSA, off and on, for years, and for much of that time, I've been intrigued by your salutation. "NiqneH," in the Klingon warrior language, translates as both "hello" and a brusque demand: "What do you want?" That reminds me of a lot of people. I've never doubted that firewall wizards, and infosec pros in general, have more in common with those big-browed Roddenberry warriors than with the ascetic Vulcans -- so why do the Vulcans always end up as the Starship Science Officers?


---------------------------------------------------------------
     Vin McLellan + The Privacy Guild + <vin () theworld com>
          22 Beacon St., Chelsea, MA 02150-2672 USA
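
Added illustration, not part of the original post and not RSA's algorithm: a generic time-synchronized token in Go that encrypts one 128-bit block (64-bit time, 32-bit serial as salt, 32 bits of zero padding) under a 128-bit seed, plus a server check that tolerates and learns clock drift. The minute-counter time encoding, the six-digit truncation, the window size and all names and sample values are assumptions made for this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// tokenCode encrypts one block (time || serial || padding) under the token's
// seed and reduces it to six digits. Assumed layout, not the SecurID format.
func tokenCode(seed [16]byte, serial uint32, minute uint64) string {
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[0:8], minute)  // 64-bit time field
	binary.BigEndian.PutUint32(in[8:12], serial) // 32-bit per-token salt
	// in[12:16] stays zero: the 32 bits of padding.
	c, _ := aes.NewCipher(seed[:]) // a 16-byte key is always a valid AES key
	c.Encrypt(out[:], in[:])       // a single block, so ECB is just this call
	return fmt.Sprintf("%06d", binary.BigEndian.Uint64(out[0:8])%1000000)
}

// Token is the server-side record for one registered token.
type Token struct {
	Seed   [16]byte
	Serial uint32
	Drift  int64 // learned clock offset of this token, in minutes
}

// Verify accepts a code valid for any minute within +/-window of the
// drift-adjusted server time and stores the offset that matched.
func (t *Token) Verify(code string, serverMinute uint64, window int64) bool {
	for d := -window; d <= window; d++ {
		m := uint64(int64(serverMinute) + t.Drift + d)
		want := tokenCode(t.Seed, t.Serial, m)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			t.Drift += d
			return true
		}
	}
	return false
}

func main() {
	seed := [16]byte{0: 0x2b, 5: 0x7e, 15: 0x16} // constructed sample seed
	srv := &Token{Seed: seed, Serial: 12345678}  // constructed serial number
	now := uint64(28000000)                      // constructed minute counter
	code := tokenCode(seed, 12345678, now+1)     // token clock is 1 min fast
	fmt.Println(code, srv.Verify(code, now, 1), srv.Drift)
}
```

A production verifier would also reject reuse of an already accepted minute and would combine the code with the user's PIN, as the post describes for the standard two-factor mode.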

