
RSA SecurID ® Authentication


Presentation Transcript


  1. RSA SecurID® Authentication
     Ellen Stuart
     CS265 Cryptography and Computer Security, Fall 2004

  2. Agenda
     • Introduction
     • Components
     • Tokens
     • Server
     • Algorithm
     • Weaknesses
     • Comparison
     • Conclusion
     E.Stuart

  3. Introduction
     • RSA SecurID® Authentication
     • History of the RSA and SecurID®
     • Two-Factor Authentication
     • Customer List
       • NSA
       • CIA
       • White House

  4. Components of the SecurID® System
     • Tokens
     • Authentication Server
     • Algorithm

  5. Components of the SecurID® System
     • Tokens
       • Issued to users
       • Each token has a unique 64-bit seed value
       • “Something the user has”
     • Software Token
       • Does not require a separate device
       • User required to use PIN to access pass code
     • Hardware Token
       • User required to log in with PIN and displayed pass code
       • PINPAD: user required to use PIN to access pass code
       • Key Fob: user required to log in with PIN and displayed pass code

  6. Components of the SecurID® System
     • Authentication Server
       • Maintains database of user-assigned tokens
       • Generates pass code following the same algorithm as the token
       • Seed – similar to a symmetric key

  7. SecurID Login
     (diagram: users issued tokens → Internet → RSA Authentication Server)

  8. Components of the SecurID® System
     • Algorithm
       • Brainard’s Hashing Algorithm
       • AES Hashing Algorithm

  9. Components of the SecurID® System
     • Brainard’s Hashing Algorithm
       • Secret key := unique seed value
       • Time := 32-bit count of minutes since January 1, 1986

  10. Components of the SecurID® System
     • ASHF description of Brainard’s Hashing Algorithm
       (diagram: each round -> 64 sub-rounds)
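As an added illustration (not code from the slides or from RSA), a toy Python model of the time-synchronous scheme slides 6 and 9 describe: token and server share a 64-bit seed and both derive the pass code from that seed and a 32-bit count of minutes since January 1, 1986, and the server also enforces the PIN factor and one-time use. Brainard's hash and the AES variant are replaced by an HMAC-SHA256 stand-in, and the seed, PIN and clock values are constructed.

```python
"""SecurID-style time-synchronous pass code, toy model (added example).
Token and server share a per-token 64-bit seed ("something the user has",
used like a symmetric key) and derive the code from (seed, time counter),
the counter being a 32-bit minute count since January 1, 1986 (slide 9).
ASSUMPTION: Brainard's hash / the AES variant are not reproduced; HMAC-SHA256
is a stand-in so the model runs offline with only the standard library."""
import hashlib
import hmac
from datetime import datetime, timezone

SECURID_EPOCH = datetime(1986, 1, 1, tzinfo=timezone.utc)

def time_counter(now: datetime) -> int:
    """32-bit count of whole minutes since the SecurID epoch (UTC)."""
    return (int((now - SECURID_EPOCH).total_seconds()) // 60) & 0xFFFFFFFF

def pass_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in keyed hash: HMAC-SHA256(seed, counter) -> `digits` decimals.
    The very same function runs inside the token and on the server."""
    mac = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class AuthServer:
    """Server side of slide 6: knows the user's seed and PIN, recomputes the
    code for a small clock-drift window, and accepts each code only once."""
    def __init__(self, seed: bytes, pin: str, drift: int = 1) -> None:
        self.seed, self.pin, self.drift = seed, pin, drift
        self.last_counter = -1  # highest counter already spent (replay guard)

    def verify(self, pin: str, code: str, now: datetime) -> bool:
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        c, matched = time_counter(now), None
        for cand in range(c - self.drift, c + self.drift + 1):  # tolerate drift
            if cand > self.last_counter and hmac.compare_digest(pass_code(self.seed, cand), code):
                matched = cand
        if pin_ok and matched is not None:
            self.last_counter = matched  # code is now spent: one-time use
            return True
        return False

def demo() -> dict:
    seed = bytes.fromhex("0123456789abcdef")  # constructed 64-bit seed
    server = AuthServer(seed, pin="4321")     # constructed PIN
    t0 = datetime(2004, 11, 1, 9, 0, tzinfo=timezone.utc)
    code = pass_code(seed, time_counter(t0))  # what the fob displays at t0
    return {
        "wrong_pin": server.verify("0000", code, t0),  # PIN factor fails
        "login": server.verify("4321", code, t0),      # both factors, fresh code
        "replay": server.verify("4321", code, t0),     # same code again: spent
    }
```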

  11. Weaknesses of the SecurID® System
     • Violation of Kerckhoffs’s Principle
     • Publication of the alleged hash algorithm
     • Key Recovery Attack (Biryukov, 2003; Contini, 2003)
     • AES Implementation
     • Human Factors

  12. Comparison to Password Systems
     • Password systems are built-in, no additional implementation cost?
       • Administration Costs
       • Security Costs
     • SecurID
       • No need to regularly change passwords
       • No changes as long as tokens (and hash function) uncompromised

  13. Conclusion
     • Former implementation of SecurID supports Kerckhoffs’s principle
     • RSA phasing out versions with Brainard’s Hash Function

  14. References
     • Mudge, Kingpin, Initial Cryptanalysis of the RSA SecurID Algorithm, January 2001, www.atstake.com/research/reports/acrobat/initialsecuridanalysis.pdf
     • V. McLellan, Firewall Wizards: RE: securid AES tokens, http://www.insecure.org, Apr 26 2004, retrieved November 2004.
     • F. Muhtar, Safer means to use passwords, Computimes, NSTP, Feb 13th 2003, retrieved November 2004 from http://www.transniaga.com/Default.htm
     • S. Contini, Y.L. Yin, Improved Cryptanalysis of SecurID, Cryptology ePrint Archive, Report 2003/205, http://eprint.iacr.org/2003/205, October 21, 2003.
     • V. McLellan, Re: SecurID Token Emulator, post to BugTraq, http://cert.uni-stuttgart.de/archive/bugtraq/2001/01/msg00090.html
     • I.C. Wiener, Sample SecurID Token Emulator with Token Secret Import, post to BugTraq, http://www.securityfocus.com/archive/1/152525
     • The Authentication Scorecard, White Paper, RSA Security, Inc., http://www.rsasecurity.com, retrieved November 2004.
     • Protecting Against Phishing by Implementing Strong Two-Factor Authentication, White Paper, RSA Security, Inc., http://www.rsasecurity.com, retrieved November 2004.
     • Are Passwords Really Free? A closer look at the hidden costs of password security, White Paper, RSA Security, Inc., http://www.rsasecurity.com, retrieved November 2004.
     • RSA Laboratories, FAQ Version 4.1, May 2000, RSA Security, Inc., http://www.rsasecurity.com.
     • G. Welsh, Breaking the Code, Macquarie University News Feature, March 2004, retrieved November 2004 from http://www.pr.mq.edu.au/macnews.
     • Biryukov, J. Lano, and B. Preneel, Cryptanalysis of the Alleged SecurID Hash Function (extended version), Lecture Notes in Computer Science, Springer-Verlag, 2003.
     • RSA Security website, http://www.rsasecurity.com/company
