I would like to understand how RSA tokens (SecurID) work, what algorithm is used there, and whether it is the same algorithm as regular RSA encryption/decryption.
Citing Wikipedia:
The RSA SecurID authentication mechanism consists of a "token" — either hardware (e.g. a USB dongle) or software (a soft token) — which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.
So, it may have something to do with the RSA public key algorithm. Little is known about the real internals of SecurID (security by obscurity), but there are some analyses, e.g. the initial SecurID analysis and more at the bottom of the SecurID page on Wikipedia.
Also, hardware tokens are tamper-resistant, so it is almost impossible to duplicate a stolen token.
UPDATE: Thanks to eyaler, there are no public/private keys in classic SecurID; they are based on a "shared secret", not on an asymmetric algorithm. Wikipedia says that a variant of AES-128 is used to generate token codes from the secret key ("seed"). The secret key is encoded into the token at the factory.
You can have a look at how it's really done at http://seclists.org/bugtraq/2000/Dec/459
The (oversimplified) mechanism is:
    hash = <some initial value>
    every x seconds do:
        hash = hashfunction(hash + secret_key)
        print hash
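To make the shared-secret, time-synchronous idea from the UPDATE above and this pseudocode concrete, here is an added example (not code from either answer, and not the proprietary SecurID algorithm): a simplified model that AES-128-encrypts the 60-second interval counter under the seed, truncates the result to six digits, and verifies it server-side with a small clock-drift window. The seed, the timestamp and the truncation rule are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const step = 60 // the code changes every 60 seconds, as the question describes

// Constructed 128-bit seed for this example; a real seed is factory-encoded per token.
var demoSeed = []byte("0123456789abcdef")

// Tokencode derives the code for the interval containing unix time t.
// Simplified model: AES-128-encrypt the interval counter under the seed and
// truncate the ciphertext to six decimal digits (not the real SecurID algorithm).
func Tokencode(seed []byte, t int64) (string, error) {
	block, err := aes.NewCipher(seed) // seed must be 16 bytes for AES-128
	if err != nil {
		return "", err
	}
	var in, out [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], uint64(t/step))
	block.Encrypt(out[:], in[:])
	v := binary.BigEndian.Uint32(out[:4]) % 1000000
	return fmt.Sprintf("%06d", v), nil
}

// Verify is the server side: it holds the same seed and accepts the code for
// the current interval or any interval within +/-window steps (clock drift).
func Verify(seed []byte, serverTime int64, window int, code string) bool {
	ok := false
	for d := -window; d <= window; d++ {
		c, err := Tokencode(seed, serverTime+int64(d)*step)
		if err == nil && subtle.ConstantTimeCompare([]byte(c), []byte(code)) == 1 {
			ok = true // keep looping so timing does not reveal which interval matched
		}
	}
	return ok
}

func main() {
	now := int64(1699999980) // constructed timestamp, aligned to a 60 s boundary
	code, _ := Tokencode(demoSeed, now)
	fmt.Println("token shows:", code)
	fmt.Println("server 105 s later accepts:", Verify(demoSeed, now+step+45, 1, code))
	fmt.Println("server 5 min later accepts:", Verify(demoSeed, now+5*step, 1, code))
}
```

Because the server has to reproduce the code from the same seed, anyone who obtains the seed database can do the same, which is why seed protection matters more than the choice of cipher.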