[LINK] Security tokens

steve jenkin sjenkin at canb.auug.org.au
Wed Nov 14 20:25:24 AEDT 2007 

David Lochrin wrote on 14/11/07 6:53 PM:
>    Many banks are issuing tokens these days.  I have seen two, and both display a 6-digit number which must be entered on another screen after logging in with the usual userid and password.  There's no challenge / response process, and the numbers are claimed to be non-repeating.
>
>    Does the Link Institute know the Principles of Operation?
>
>    Six decimal digits will encode a string of up to 19+ bits (values 0 to 1,048,575).  If each device is designed to deliver a given set of (say) 10,000 numbers for each customer, then surely there is a 1% chance (10,000/1,048,575) that some random number will be valid for any randomly-chosen customer regardless of what mathematical magic is incorporated in the token.
>
>    If malware harvests 10 userid/password values, the chance that a randomly chosen token-number will be valid for at least one is 10% according to my calculation, and for 50 userid/password values the chance that a given random token number will be valid for at least one is 39% (1-0.99**50).
>
>    This is not impressively secure, though certainly better than nothing..  Perhaps entered token numbers are checked to see if they're within a certain range of the last one entered. which would improve matters.  One wonders what the legal issues might be.
>
> David
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
>   

The 6-digit key is some subset of a larger internal number.
A new number is generated every 60 seconds - it effectively a very slow
stream cipher.
Somewhere will be a security analysis... They've been around for a 2-3
decades & in very high value targets - if they were obviously
compromised, they'd be taken-over already. i.e. the number sequence
crypto is very strong.

No two devices (should) be using the same keys & sequence.

There are two protections:
- bad guys' guess is 1 in 10^6 per 60 seconds.
- the server limits the number of authentication attempts [rate & failed
attempts]

So, bad-guys have maybe 3 chances in 10^6 to break into a single
secure-id (after they've gained the id/passwd). Pretty slim.
It's way easier to hijack an established session [search for: hijack
e-gold trojan]
----------------------------

>From <http://www.rsa.com/node.aspx?id=3050>

RSA SecurID authentication offers a unique, time-synchronous solution
that automatically changes the user’s password every 60 seconds. This
makes our solution more secure than event-synchronous systems with
passwords that can be valid for an indefinite period of time and easier
to use than challenge-response systems that require multiple steps to
generate a valid code.

What’s more, RSA SecurID authentication is built upon the Advanced
Encryption Standard (AES) algorithm, a recognized standard that is
continuously scrutinized and challenged by cryptologists around the
world to ensure its strength and dependability.

RSA Security with its research arm, RSA Laboratories, is recognized as a
leading firm in the field of cryptography. We continue to evolve our
solutions to meet emerging threats. By investing in RSA SecurID
authentication you’re getting a proven and tested solution that will
meet your needs for years down the road.

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

More information about the Link mailing list