Today’s SSL myth tackles the topic of RSA SecurID. The prevailing myth is that RSA SecurID provides a secure connection – but of course, this isn’t so. The RSA SecurID token authentication system is a two-factor authentication method, which is the most common secure access method in the U.S. with 40 million users. The RSA SecurID token authentication method uses the RSA ACE Server, which is a clock synchronization key scheme. It works on a timing frequency that changes the token keys so that they never seem to be the same. The frequency and the seed key were both found on the RSA ACE Server, which was hacked by perpetrators on March 18, 2011.
Here is the way one inventor describes the scheme in his patent granted in 2008: “The pseudorandom token codes are only valid during a short time that they are displayed (e.g. 30 seconds). A hash function that generates the pseudo-random token code takes a current time and a secret key as inputs. The secret key is provided to the token by the manufacturer and then provided to the authentication server. ”
This scheme makes the authentication system very time sensitive. If an authentication server and
token have clocks that diverge, the system quickly breaks. Also, the security of the leading hash function has been called into question.” The inventor is referring to a detailed cryptanalysis study by Springer-Verlag, 2003. These researchers found that the block cipher at the heart of the RSA SecurID hash function can be broken in a few milliseconds using a 2003-vintage PC. Once again, myth debunked.
Source: EMC Corporation