[LINK] Security tokens
sjenkin at canb.auug.org.au
Wed Nov 14 20:25:24 EST 2007
David Lochrin wrote on 14/11/07 6:53 PM:
> Many banks are issuing tokens these days. I have seen two, and both display a 6-digit number which must be entered on another screen after logging in with the usual userid and password. There's no challenge / response process, and the numbers are claimed to be non-repeating.
> Does the Link Institute know the Principles of Operation?
> Six decimal digits will encode a string of up to 19+ bits (values 0 to 1,048,575). If each device is designed to deliver a given set of (say) 10,000 numbers for each customer, then surely there is a 1% chance (10,000/1,048,575) that some random number will be valid for any randomly-chosen customer regardless of what mathematical magic is incorporated in the token.
> If malware harvests 10 userid/password values, the chance that a randomly chosen token-number will be valid for at least one is 10% according to my calculation, and for 50 userid/password values the chance that a given random token number will be valid for at least one is 39% (1-0.99**50).
> This is not impressively secure, though certainly better than nothing.. Perhaps entered token numbers are checked to see if they're within a certain range of the last one entered. which would improve matters. One wonders what the legal issues might be.
> Link mailing list
> Link at mailman.anu.edu.au
The 6-digit key is some subset of a larger internal number.
A new number is generated every 60 seconds - it effectively a very slow
Somewhere will be a security analysis... They've been around for a 2-3
decades & in very high value targets - if they were obviously
compromised, they'd be taken-over already. i.e. the number sequence
crypto is very strong.
No two devices (should) be using the same keys & sequence.
There are two protections:
- bad guys' guess is 1 in 10^6 per 60 seconds.
- the server limits the number of authentication attempts [rate & failed
So, bad-guys have maybe 3 chances in 10^6 to break into a single
secure-id (after they've gained the id/passwd). Pretty slim.
It's way easier to hijack an established session [search for: hijack
RSA SecurID authentication offers a unique, time-synchronous solution
that automatically changes the user’s password every 60 seconds. This
makes our solution more secure than event-synchronous systems with
passwords that can be valid for an indefinite period of time and easier
to use than challenge-response systems that require multiple steps to
generate a valid code.
What’s more, RSA SecurID authentication is built upon the Advanced
Encryption Standard (AES) algorithm, a recognized standard that is
continuously scrutinized and challenged by cryptologists around the
world to ensure its strength and dependability.
RSA Security with its research arm, RSA Laboratories, is recognized as a
leading firm in the field of cryptography. We continue to evolve our
solutions to meet emerging threats. By investing in RSA SecurID
authentication you’re getting a proven and tested solution that will
meet your needs for years down the road.
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
More information about the Link