Researchers Can Generate RSA SecurID Random Numbers Flawlessly

Fluffeh writes "A researcher has found and published a way to tune into an RSA SecurID Token. Once a few easy steps are followed, anyone can generate the exact numbers shown on the token. The method relies on finding the seed that is used to generate the numbers in a way that seems random. Once it is known, it can be used to generate the exact numbers displayed on the targeted Token. The technique, described on Thursday by a senior security analyst at a firm called SensePost, has important implications for the safekeeping of the tokens. An estimated 40 million people use these to access confidential data belonging to government agencies, military contractors, and corporations. Scrutiny of the widely used two-factor authentication system has grown since last year, when RSA revealed that intruders on its networks stole sensitive SecurID information that could be used to reduce its security. Defense contractor Lockheed Martin later confirmed that a separate attack on its systems was aided by the theft of the RSA data."

  • by LostMyBeaver ( 1226054 ) on Tuesday May 22, 2012 @02:32PM (#40078997)
    Score a major government security contract?

    Never understood why the hell companies like Lockheed score multi billion dollar deals that they are thoroughly unsuited for.
  • by idontgno ( 624372 ) on Tuesday May 22, 2012 @03:23PM (#40079545) Journal

    I know this is Slashdot, but this thread is taking "TL;DR" to whole new places.

    The news isn't that RSA's algorithm is out in the wild. Without the account-specific sequence generation seed value, the algo is worthless.

    The news is that the researchers have examined the Windows software version of the access code generator ("software token") and figured out how to extract the seed value out of a specific installation. With that seed value, you can take another copy of the software token and clone the key generation sequence of the first, allowing you to spoof the other token's identity.

    This is why most RSA installations I know of also require the use of a PIN concatenated with the token-generated number. That way, coaxing the code out of the software token isn't enough to authenticate as the identity of the person the token is assigned to; you have to guess the PIN as well (maybe by looking under keyboards).

    I guess the real story is "soft tokens don't protect their internal secrets as well as hardware tokens".
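As an added illustration of the point made in the comment above (this is example code written for this page, not code from the article, from RSA, or from anyone in the thread): a token's displayed code is a deterministic function of its seed and the clock, so a second token built from an extracted seed displays the same digits, while a server that demands PIN + tokencode still rejects the bare code. The generator here is a TOTP-style HMAC construction used as a stand-in for RSA's proprietary algorithm, and the seed, user name and PIN are constructed values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 60   # one tokencode per minute, as a SecurID-style display does
DIGITS = 6

# Constructed example seed for illustration only; not a real token seed.
EXAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def tokencode(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code displayed for the time step that contains `now`.

    HMAC-SHA256 over the step counter, truncated RFC 4226 style. This is a
    TOTP-like stand-in, not RSA's proprietary SecurID generator; the property
    it illustrates is the same: the output depends only on the seed and the
    clock, so whoever holds the seed can reproduce it.
    """
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class SoftToken:
    """A software token: the seed sits in process memory, which is the exposure the thread discusses."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def current_code(self, now: Optional[int] = None) -> str:
        return tokencode(self.seed, int(time.time()) if now is None else now)


class AuthServer:
    """Verifies a passcode formed as the user's PIN concatenated with the tokencode."""

    def __init__(self):
        self.users = {}  # username -> (seed, pin)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def verify(self, user: str, passcode: str, now: Optional[int] = None, drift_steps: int = 1) -> bool:
        if user not in self.users:
            return False
        seed, pin = self.users[user]
        now = int(time.time()) if now is None else now
        # Accept neighbouring steps to tolerate clock drift; compare in constant time.
        for k in range(-drift_steps, drift_steps + 1):
            expected = pin + tokencode(seed, now + k * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                return True
        return False


def clone_reproduces_code(seed: bytes, now: int) -> bool:
    """Two tokens built from one seed display identical codes: the seed is the identity."""
    return SoftToken(seed).current_code(now) == SoftToken(bytes(seed)).current_code(now)


if __name__ == "__main__":
    t = 1_337_000_000  # fixed clock value so the run is reproducible
    server = AuthServer()
    server.enroll("alice", EXAMPLE_SEED, "4321")  # constructed user and PIN
    code = SoftToken(EXAMPLE_SEED).current_code(t)
    print("clone shows same code:", clone_reproduces_code(EXAMPLE_SEED, t))
    print("PIN + tokencode      :", server.verify("alice", "4321" + code, now=t))
    print("tokencode alone      :", server.verify("alice", code, now=t))
    print("wrong PIN + tokencode:", server.verify("alice", "0000" + code, now=t))
```

The drift window of one step on either side is the usual concession to clock skew between token and server; it is also why a captured passcode is worth something for a couple of minutes and nothing afterwards, which is what the last check in `verify` shows.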

  • Re:Not exactly... (Score:5, Interesting)

    by Cramer ( 69040 ) on Tuesday May 22, 2012 @03:27PM (#40079585) Homepage

    It's my understanding of the system (from dealing with one years ago)... the server can recover the seed used by a hardware token given its serial number and two sequential tokens. Perhaps the serial number is the "seed" and it's figuring out the token's clock. However, it's perfectly clear the server can generate the same numbers as the token. The strength of the system is keyed to protecting that algorithm. Soft-tokens are a bad joke and only slightly better than a password, but are themselves based on a "password".
