RSA SecurID® Authentication
Ellen Stuart
CS265 Cryptography and Computer Security, Fall 2004
E.Stuart2 11/24/2004
Agenda
  Introduction
  Components
    Tokens
    Server
    Algorithm
  Weaknesses
  Comparison
  Conclusion
Introduction
  RSA SecurID® Authentication
  History of RSA and SecurID®
  Two-Factor Authentication
  Customer List
    NSA
    CIA
    White House
Components of the SecurID® System
  Tokens
  Authentication Server
  Algorithm
Components of the SecurID® System: Tokens
  Issued to users
  Each token has a unique 64-bit seed value
  “Something the user has”
  Key Fob: user required to log in with PIN and displayed passcode
  Hardware Token: user required to log in with PIN and displayed passcode
  PINPAD: user required to use PIN to access passcode
  Software Token: does not require a separate device; user required to use PIN to access passcode
Components of the SecurID® System: Authentication Server
  Maintains database of user-assigned tokens
  Generates passcode following the same algorithm as the token
  Seed – similar to a symmetric key
SecurID Login (diagram): users issued tokens -> Internet -> RSA Authentication Server
Components of the SecurID® System: Algorithm
  Brainard’s Hashing Algorithm
  AES Hashing Algorithm
Components of the SecurID® System: Brainard’s Hashing Algorithm
  Secret key := unique seed value
  Time := 32-bit count of minutes since January 1, 1986
Components of the SecurID® System: ASHF (Alleged SecurID Hash Function) description of Brainard’s Hashing Algorithm
  Each round -> 64 sub-rounds
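As an added example that is not part of the slides, the following Python sketch models the token/server arrangement of slides 6 and 9: both sides hold the 64-bit seed, both derive a code from the 32-bit minute counter since January 1, 1986, and the server checks PIN plus code within a small clock-drift window and refuses a code that has already been used. HMAC-SHA256 stands in for Brainard’s hash (an assumption, since the slides do not give the function), and the user name, PIN and seed are constructed values.

```python
import hashlib, hmac, struct
from datetime import datetime, timedelta, timezone
EPOCH_1986 = datetime(1986, 1, 1, tzinfo=timezone.utc)

def minute_counter(when):
    """Slide 9's Time value: 32-bit count of minutes since 1 Jan 1986 (UTC assumed here)."""
    return (int((when - EPOCH_1986).total_seconds()) // 60) & 0xFFFFFFFF

def passcode(seed, counter, digits=6):
    """Keyed hash of the counter under the seed, computed identically by token and server.
    HMAC-SHA256 is a stand-in (assumption), not Brainard's ASHF or the AES variant."""
    mac = hmac.new(seed, struct.pack(">I", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class AuthServer:
    """Authentication server: database of user -> (PIN, seed), same algorithm as the token."""
    def __init__(self, users, drift=1):
        self.users = users          # user -> (pin, seed)
        self.drift = drift          # accepted token clock skew, in minutes
        self.last_counter = {}      # user -> last accepted counter, so no code is accepted twice
    def verify(self, user, pin, code, now):
        if user not in self.users:
            return False
        real_pin, seed = self.users[user]
        if not hmac.compare_digest(real_pin.encode(), pin.encode()):
            return False                      # first factor: something the user knows
        base = minute_counter(now)
        for c in range(base - self.drift, base + self.drift + 1):
            if hmac.compare_digest(passcode(seed, c), code):   # second factor: something the user has
                if c <= self.last_counter.get(user, -1):
                    return False              # replay of a code already used
                self.last_counter[user] = c
                return True
        return False

def demo():
    """Constructed scenario: the user, seed and PIN are made up for this example."""
    seed = bytes.fromhex("0123456789abcdef")             # 64-bit seed, as on the slides
    server = AuthServer({"ellen": ("4321", seed)}, drift=1)
    t0 = datetime(2004, 11, 24, 9, 30, tzinfo=timezone.utc)
    m = timedelta(minutes=1)
    def shown(at):                                        # what the fob displays at time `at`
        return passcode(seed, minute_counter(at))
    return {
        "minutes_on_1986_01_02": minute_counter(EPOCH_1986 + timedelta(days=1)),
        "accept": server.verify("ellen", "4321", shown(t0), t0),
        "replay": server.verify("ellen", "4321", shown(t0), t0),
        "slow_clock_ok": server.verify("ellen", "4321", shown(t0 + m), t0 + 2 * m),
        "too_slow": server.verify("ellen", "4321", shown(t0 + 2 * m), t0 + 5 * m),
        "wrong_pin": server.verify("ellen", "0000", shown(t0 + 6 * m), t0 + 6 * m),
    }
```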
Weaknesses of the SecurID® System
  Violation of Kerckhoffs’s principle
  Publication of the alleged hash algorithm
  Key recovery attack (Biryukov, 2003; Contini, 2003)
  AES implementation
  Human factors
Comparison to Password Systems
  Password systems are built-in, no additional implementation cost?
    Administration costs
    Security costs
  SecurID
    No need to regularly change passwords
    No changes needed as long as the tokens (and the hash function) remain uncompromised
Conclusion
  Former implementation of SecurID supports Kerckhoffs’s principle
  RSA phasing out versions with Brainard’s hash function
References
  Mudge, Kingpin, Initial Cryptanalysis of the RSA SecurID Algorithm, January 2001, www.atstake.com/research/reports/acrobat/initialsecuridanalysis.pdf
  V. McLellan, Firewall Wizards: RE: securid AES tokens, http://www.insecure.org, Apr 26 2004, retrieved November 2004
  F. Muhtar, Safer means to use passwords, Computimes, NSTP, Feb 13th 2003, retrieved November 2004 from http://www.transniaga.com/Default.htm
  S. Contini, Y.L. Yin, Improved Cryptanalysis of SecurID, Cryptology ePrint Archive, Report 2003/205, http://eprint.iacr.org/2003/205, October 21, 2003
  V. McLellan, Re: SecurID Token Emulator, post to BugTraq, http://cert.uni-stuttgart.de/archive/bugtraq/2001/01/msg00090.html
  I.C. Wiener, Sample SecurID Token Emulator with Token Secret Import, post to BugTraq, http://www.securityfocus.com/archive/1/152525
  The Authentication Scorecard, White Paper, RSA Security, Inc., http://www.rsasecurity.com, retrieved November 2004
  Protecting Against Phishing by Implementing Strong Two-Factor Authentication, White Paper, RSA Security, Inc., http://www.rsasecurity.com, retrieved November 2004
  Are Passwords Really Free? A closer look at the hidden costs of password security, White Paper, RSA Security, Inc., http://www.rsasecurity.com, retrieved November 2004
  RSA Laboratories, FAQ Version 4.1, May 2000, RSA Security, Inc., http://www.rsasecurity.com
  G. Welsh, Breaking the Code, Macquarie University News Feature, March 2004, retrieved November 2004 from http://www.pr.mq.edu.au/macnews
  A. Biryukov, J. Lano, and B. Preneel, Cryptanalysis of the Alleged SecurID Hash Function (extended version), Lecture Notes in Computer Science, Springer-Verlag, 2003
  RSA Security website, http://www.rsasecurity.com/company