How do RSA tokens work?

I would like to understand how RSA tokens (SecurID) work: what algorithm is used there, and is it the same algorithm as regular RSA encryption/decryption?

Jau L asked Dec 01 '11 11:12


2 Answers

Citing Wikipedia:

The RSA SecurID authentication mechanism consists of a "token" — either hardware (e.g. a USB dongle) or software (a soft token) — which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.

So, it may have something related to the RSA public key algorithm. Little is known about the real internals of SecurID (security by obscurity), but there are some analyses, e.g. the initial SecurID analysis and more at the bottom of the SecurID page on Wikipedia.

Also, hardware tokens are tamper-resistant, so it is almost impossible to duplicate a stolen token.

UPDATE: Thanks to eyaler: there are no public/private keys in classic SecurID; they are based on a "shared secret", not on an asymmetric algorithm. Wikipedia says that a variant of AES-128 is used to generate token codes from the secret key ("seed"). The secret key is encoded into the key at the factory.

osgx answered Sep 24 '22 19:09


You can have a look at how it's really done at http://seclists.org/bugtraq/2000/Dec/459

The (oversimplified) mechanism is:

    hash = <some initial value>
    every x seconds do:
        hash = hashfunction(hash + secret_key)
        print hash
VolkerK answered Sep 26 '22 19:09