Even the best get hacked on occasion, and a firm like RSA Security would have been a prize target for highly skilled and determined crackers for a long time. It shouldn’t have come as a surprise when it finally was hacked and details of SecurID were stolen.
As I understand it, SecurID provides a two-factor authentication system, where the user inputs a number from a token in addition to the main password on a login screen. The idea is that two factors, in addition to a user name, are required for a successful login.
The same number has to be generated by both an authentication server and the token, every 30 or 60 seconds, so they both run the same algorithm and use the current time as a variable. A secret 128-bit key, which is periodically changed by RSA, is also used as a variable. The server authenticates a user by checking whether the numbers generated by the token and the server match. If they do match, the server knows the user has the token.
On its own, this only works while the key is kept secret, and the tokens themselves were made tamper-resistant for this reason. The algorithm itself was a trade secret, but it had already been reverse engineered long ago and distributed among interested parties. But as RSA knows, security should depend on the secrecy of the key, never on the secrecy of the algorithm. If a third party knew both the key and the algorithm, they could authenticate themselves with a replicated token. This could be the problem faced by RSA and its customers now.
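To make the two points above concrete (the token and the server independently computing the same time-dependent number from a shared key, and the fact that anyone holding the key and the algorithm can reproduce it), here is an added example of a generic time-based one-time code. It is not SecurID’s algorithm and not RSA’s code: the stand-in algorithm is an HMAC over the current time step, the 128-bit key is a constructed sample value, and the function names are my own. What it shows is that the server’s check depends only on the key and the clock, so a cloned key yields a valid code.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 60   # seconds per code; SecurID tokens change every 30 or 60 s
DIGITS = 6       # length of the displayed number

def token_code(key: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """What the token displays: a code derived from the secret key and the current time slot.
    Illustrative HMAC-based construction, not the real SecurID algorithm."""
    counter = unix_time // step                      # both sides quantise time to a slot
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                          # pick 4 bytes from the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def server_verify(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: recompute the code for the current slot (plus a small tolerance
    for clock drift) and compare in constant time."""
    for drift in range(-window, window + 1):
        expected = token_code(key, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def cloned_token_matches(key: bytes, unix_time: int) -> bool:
    """An attacker who holds the same key and algorithm produces the same code,
    which is why the key, not the algorithm, is the thing that must stay secret."""
    return server_verify(key, token_code(key, unix_time), unix_time)

if __name__ == "__main__":
    # Constructed 128-bit sample key; a real seed would be per-token and secret.
    key = bytes(range(16))
    now = int(time.time())
    code = token_code(key, now)
    print("token shows:", code)
    print("server accepts:", server_verify(key, code, now))
    print("cloned token accepted:", cloned_token_matches(key, now))
```

The tolerance window is the usual trade-off: a wider window absorbs clock drift on the token but also widens the set of codes the server will accept, so it should stay small.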
Even if SecurID has been compromised, it still adds a layer of protection to a system that would otherwise rely on a single password, as the need for another factor makes the common brute-force attacks very awkward to carry out.
The company’s response to the hacking has been vague. Apparently RSA Security was the target of an ‘advanced persistent threat’ (APT), which is essentially a hacking effort in which data is gathered about the target over a longer period of time. By its nature this is harder to detect, because there are no immediate effects; the hackers had time to map the network and build a picture of what information the company has and where to look for it. It’s possible RSA themselves found a weakness in SecurID a while ago, and the hackers learned of this.
Although the RSA spokesman Art Coviello claims a ‘direct attack’ on SecurID isn’t possible, there is still an endless number of indirect methods a cracker could use. The company has recommended that its customers take the usual steps to improve security, and also keep the serial numbers of their tokens private. Their customers should always be using SSL/TLS and strong passwords anyway.
Reading between the lines, it’s wiser to assume the worst – that SecurID has been compromised and the hackers have possession of the algorithm, secret keys, and perhaps a database. But even though it’s now less secure than it should have been, this isn’t the end of the world, because as I’ve said, SecurID still narrows down the number of possible threats, is still much harder to crack than a system that uses just a single password, and it rules out the common brute-force attacks.