 | |
| Website | https://www.rsa.com/en-us/products/rsa-securid-suite |
|---|---|
RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.
| | |
| Website | https://www.rsa.com/en-us/products/rsa-securid-suite |
|---|---|
RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.
The RSA SecurID authentication mechanism consists of a "token"—either hardware (e.g. a key fob) or software (a soft token)—which is assigned to a computer user and which creates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded almost random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server [1] ) as the tokens are purchased. [2] On-demand tokens are also available, which provide a tokencode via email or SMS delivery, eliminating the need to provision a token to the user.
The token hardware is designed to be tamper-resistant to deter reverse engineering. When software implementations of the same algorithm ("software tokens") appeared on the market, public code had been developed by the security community allowing a user to emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code, and the original 64-bit RSA SecurID seed file introduced to the server. [3] Later, the 128-bit RSA SecurID algorithm was published as part of an open source library. [4] In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords. Newer versions also feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates. [5]
A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Though increasingly rare, some systems using RSA SecurID disregard PIN implementation altogether, and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, authenticates a user by computing what number the token is supposed to be showing at that moment in time and checking this against what the user entered.
On older versions of SecurID, a "duress PIN" may be used—an alternate code which creates a security event log showing that a user was forced to enter their PIN, while still providing transparent authentication. [6] Using the duress PIN would allow one successful authentication, after which the token will automatically be disabled. The "duress PIN" feature has been deprecated and is not available on currently supported versions.
While the RSA SecurID system adds a layer of security to a network, difficulty can occur if the authentication server's clock becomes out of sync with the clock built into the authentication tokens. Normal token clock drift is accounted for automatically by the server by adjusting a stored "drift" value over time. If the out of sync condition is not a result of normal hardware token clock drift, correcting the synchronization of the Authentication Manager server clock with the out of sync token (or tokens) can be accomplished in several different ways. If the server clock had drifted and the administrator made a change to the system clock, the tokens can either be resynchronized one-by-one, or the stored drift values adjusted manually. The drift can be done on individual tokens or in bulk using a command line utility.
RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as IronKey, SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom, and BlackBerry to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry. [7]
Token codes are easily stolen, because no mutual-authentication exists (anything that can steal a password can also steal a token code). This is significant, since it is the principal threat most users believe they are solving with this technology.
The simplest practical vulnerability with any password container is losing the special key device or the activated smart phone with the integrated key function. Such vulnerability cannot be healed with any single token container device within the preset time span of activation. All further consideration presumes loss prevention, e.g. by additional electronic leash or body sensor and alarm.
While RSA SecurID tokens offer a level of protection against password replay attacks, they are not designed to offer protection against man in the middle type attacks when used alone. If the attacker manages to block the authorized user from authenticating to the server until the next token code will be valid, he will be able to log into the server. Risk-based analytics (RBA), a new feature in the latest version (8.0) provides significant protection against this type of attack if the user is enabled and authenticating on an agent enabled for RBA. RSA SecurID does not prevent man in the browser (MitB) based attacks.
SecurID authentication server tries to prevent password sniffing and simultaneous login by declining both authentication requests, if two valid credentials are presented within a given time frame. This has been documented in an unverified post by John G. Brainard. [8] If the attacker removes from the user the ability to authenticate however, the SecurID server will assume that it is the user who is actually authenticating and hence will allow the attacker's authentication through. Under this attack model, the system security can be improved using encryption/authentication mechanisms such as SSL.
Although soft tokens may be more convenient, critics indicate that the tamper-resistant property of hard tokens is unmatched in soft token implementations, [9] which could allow seed record secret keys to be duplicated and user impersonation to occur.
Hard tokens, on the other hand, can be physically stolen (or acquired via social engineering) from end users. The small form factor makes hard token theft much more viable than laptop/desktop scanning. A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system. This could only occur, however, if the user's UserID and PIN are also known. Risk-based analytics can provide additional protection against the use of lost or stolen tokens, even if the user's UserID and PIN are known by the attackers.
Batteries go flat periodically, requiring complicated replacement and re-enrollment procedures.
As of 2003, RSA SecurID commanded over 70% of the two-factor authentication market [10] and 25 million devices have been produced to date.[ citation needed ] A number of competitors, such as VASCO, make similar security tokens, mostly based on the open OATH HOTP standard. A study on OTP published by Gartner in 2010 mentions OATH and SecurID as the only competitors. [11]
Other network authentication systems, such as OPIE and S/Key (sometimes more generally known as OTP, as S/Key is a trademark of Telcordia Technologies, formerly Bellcore) attempt to provide the "something you have" level of authentication without requiring a hardware token.[ citation needed ]
On 17 March 2011, RSA announced that they had been victims of "an extremely sophisticated cyber attack". [12] Concerns were raised specifically in reference to the SecurID system, saying that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation". However, their formal Form 8-K submission [13] indicated that they did not believe the breach would have a "material impact on its financial results". The breach cost EMC, the parent company of RSA, $66.3 million, which was taken as a charge against second quarter earnings. It covered costs to investigate the attack, harden its IT systems and monitor transactions of corporate customers, according to EMC Executive Vice President and Chief Financial Officer David Goulden, in a conference call with analysts. [14]
The breach into RSA's network was carried out by hackers who sent phishing emails to two targeted, small groups of employees of RSA. [15] Attached to the email was a Microsoft Excel file containing malware. When an RSA employee opened the Excel file, the malware exploited a vulnerability in Adobe Flash. The exploit allowed the hackers to use the Poison Ivy RAT to gain control of machines and access servers in RSA's network. [16]
There are some hints that the breach involved the theft of RSA's database mapping token serial numbers to the secret token "seeds" that were injected to make each one unique. [17] Reports of RSA executives telling customers to "ensure that they protect the serial numbers on their tokens" [18] lend credibility to this hypothesis.
Barring a fatal weakness in the cryptographic implementation of the token code generation algorithm (which is unlikely, since it involves the simple and direct application of the extensively scrutinized AES-128 block cipher), the only circumstance under which an attacker could mount a successful attack without physical possession of the token is if the token seed records themselves had been leaked.[ citation needed ] RSA stated it did not release details about the extent of the attack so as to not give potential attackers information they could use in figuring out how to attack the system. [19]
On 6 June 2011, RSA offered token replacements or free security monitoring services to any of its more than 30,000 SecurID customers, following an attempted cyber breach on defense customer Lockheed Martin that appeared to be related to the SecurID information stolen from RSA. [20] In spite of the resulting attack on one of its defense customers, company chairman Art Coviello said that "We believe and still believe that the customers are protected". [21]
In April 2011, unconfirmed rumors cited L-3 Communications as having been attacked as a result of the RSA compromise. [22]
In May 2011, this information was used to attack Lockheed Martin systems. [23] [24] However Lockheed Martin claims that due to "aggressive actions" by the company's information security team, "No customer, program or employee personal data" was compromised by this "significant and tenacious attack". [25] The Department of Homeland Security and the US Defense Department offered help to determine the scope of the attack. [26]
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.
A smart card (SC), chip card, or integrated circuit card, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.
RSA Security LLC, formerly RSA Security, Inc. and trade name RSA, is an American computer and network security company with a focus on encryption and encryption standards. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir and Leonard Adleman, after whom the RSA public key cryptography algorithm was also named. Among its products is the SecurID authentication token. The BSAFE cryptography libraries were also initially owned by RSA. RSA is known for incorporating backdoors developed by the NSA in its products. It also organizes the annual RSA Conference, an information security conference.
A personal identification number (PIN), or sometimes redundantly a PIN number or PIN code, is a numeric passcode used in the process of authenticating a user accessing a system.
A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature.
Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.
A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless keycards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing a transaction such as a wire transfer.
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.
Logical security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.
A software token is a piece of a two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.
Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.
Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.
LinOTP is Linux-based software to manage authentication devices for two-factor authentication with one time passwords. It is implemented as a web service based on the python framework Pylons. Thus it requires a web server to run in.
multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.
The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.
Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD.
Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.
Passwordless authentication is an authentication method in which a user can log in to a computer system without the entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.
[...] the RSA ACE/Server®, which has been renamed to the Authentication Manager.
Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time. ... If the organization does not need the extensive platform support, then OATH-based technology is likely a more cost-effective choice.
