Myth 6: RSA SecurID provides a secure connection.

Posted: December 12, 2011 in SSL

Today’s SSL myth tackles RSA SecurID. The prevailing myth is that RSA SecurID provides a secure connection, but it does not. SecurID is a two-factor authentication method: it establishes who is logging in, and that is all it does. It neither encrypts nor integrity-protects the session that follows; that is the job of SSL/TLS or a VPN. It is the most common secure access method in the U.S., with 40 million users. The tokens are validated by the RSA ACE Server using a time-synchronized one-time-password scheme: the code on the token’s display changes at a fixed interval, and each code is derived from the current time and a per-token secret seed, so the codes never appear to repeat. Both the interval and the per-token seeds are held on the server side, and seed records were among the data taken in the intrusion at RSA disclosed in March 2011.

Here is the way one inventor describes the scheme in a patent granted in 2008: “The pseudorandom token codes are only valid during a short time that they are displayed (e.g. 30 seconds). A hash function that generates the pseudo-random token code takes a current time and a secret key as inputs. The secret key is provided to the token by the manufacturer and then provided to the authentication server.

This scheme makes the authentication system very time sensitive. If an authentication server and token have clocks that diverge, the system quickly breaks. Also, the security of the leading hash function has been called into question.” The inventor is referring to a detailed cryptanalysis published by Springer-Verlag in 2003 (Biryukov, Lano and Preneel, “Cryptanalysis of the Alleged SecurID Hash Function”; “alleged” because the function analysed was the older 64-bit token algorithm, reconstructed by reverse engineering rather than published by RSA). Those researchers found that the block cipher at the heart of that SecurID hash function could be broken in a few milliseconds on a 2003-vintage PC. Note what this does and does not say: it is a weakness in the token-code generator, and it says nothing about the connection, because SecurID never protected the connection in the first place. Once again, myth debunked.
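As an added example (not RSA’s code, and not the proprietary SecurID hash): a time-synchronized one-time-password token and its authentication server, with HMAC-SHA1 in the RFC 6238 TOTP construction standing in for the token’s hash function. The 60-second step, the seed, the serial number and the timestamps are all constructed for the example. It shows the re-synchronization the scheme needs when the two clocks diverge, a replay guard, and the consequence of a stolen seed record: whoever holds the seed computes valid codes without the token. Nothing in it touches the transport, which is the point of the myth.

```python
"""
Added example, not RSA's code: a generic time-synchronized OTP in the style
described above. The proprietary SecurID hash is replaced by HMAC-SHA1 in the
RFC 6238 (TOTP) construction; seed, serial number and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed code lifetime (the patent says 30 s, the tokens in the comments use 60 s)
DIGITS = 6          # assumed code length


def time_counter(unix_time, step=STEP_SECONDS):
    """Number of whole steps since the epoch: the 'current time' input to the hash."""
    return int(unix_time) // step


def otp_for_counter(seed, counter, digits=DIGITS):
    """Code for one time step: HMAC-SHA1(seed, counter), dynamically truncated (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def token_display(seed, token_clock):
    """What the token shows: the code for the current step of its own clock."""
    return otp_for_counter(seed, time_counter(token_clock))


class AuthServer:
    """Holds the per-token seed records (the kind of data taken in 2011) and checks codes."""

    def __init__(self, seeds, drift_steps=1):
        self.seeds = dict(seeds)          # serial number -> seed
        self.drift_steps = drift_steps    # steps of clock divergence tolerated either way
        self.offset = {}                  # serial -> learned (token clock - server clock), in steps
        self.last_counter = {}            # serial -> last accepted step, to refuse replays

    def verify(self, serial, code, server_clock):
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        centre = time_counter(server_clock) + self.offset.get(serial, 0)
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = centre + delta
            if counter <= self.last_counter.get(serial, -1):
                continue                  # already used, or older than the last accepted code
            if hmac.compare_digest(otp_for_counter(seed, counter), code):
                # Re-synchronise: remember how far the token's clock is from ours.
                self.offset[serial] = counter - time_counter(server_clock)
                self.last_counter[serial] = counter
                return True
        return False


def demo():
    """Constructed scenario; returns the outcome of each check."""
    seed = b"constructed seed, 16+ bytes!"   # constructed, not a real seed record
    serial = "000123456789"                  # constructed serial number
    server = AuthServer({serial: seed})
    t = 1_300_000_000                        # constructed server time (seconds)
    return {
        # token clock 50 s behind: one step off, inside the drift window, accepted and resynced
        "drifted_token_accepted": server.verify(serial, token_display(seed, t - 50), t),
        # token now in step with the server
        "in_sync_accepted": server.verify(serial, token_display(seed, t), t),
        # the same code a second time is a replay
        "replay_rejected": not server.verify(serial, token_display(seed, t), t),
        # five minutes of divergence is outside the window: the system 'breaks' until resynced
        "large_drift_rejected": not server.verify(serial, token_display(seed, t + 300), t),
        # whoever holds the seed record needs no token at all
        "stolen_seed_accepted": server.verify(serial, otp_for_counter(seed, time_counter(t + 60)), t + 60),
        # a code from some other seed is just a guess
        "other_seed_rejected": not server.verify(serial, token_display(b"some other seed", t + 120), t + 120),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The drift window is what lets a token that is a step ahead or behind still authenticate, and the learned offset is the re-synchronization the comment below describes; widen the window and an attacker gets more candidate codes per guess, so it stays small. The stolen-seed case is the 2011 breach in miniature: the server cannot distinguish a code computed from a copied seed from one computed by the token, which is why that compromise mattered and why none of this has any bearing on whether the connection itself is encrypted.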

Source: EMC Corporation

  1. Andrew Yeomans says:

    I think you will find that the 2003 cryptanalysis was for the older 64-bit SecurID tokens. Newer tokens claim to use a 128-bit AES-based function, which should be much harder to break.
    The system is designed to allow for divergent clocks, and will re-synchronise when a code is used. The frequency of change is not a secret either – the tokens have a count-down warning. All the ones I’ve seen change every 60 seconds.

    Even after the hack attack, SecurID still provides security. Firstly, because only the hackers and their employers have access to the seed files; other criminals don’t. Secondly, because they don’t know which actual token you have, unless you foolishly reveal the serial number, or if they have compromised your computer and can try to guess which serial number you have from the occasions when you enter a token value.

  2. […] The details of how this combination is dismantled as a security model are explained in Myth 3 and Myth 6 in our series on debunking SSL myths. Suffice it to say that Skype is not nearly as secure as […]
