19

I have been using RSA SecureID ® Keys for quite some time now (perhaps 10 years), for things such as securely my home banking account online or accessing my company's network of computers from home. These keys generate a 6-digit numeric token which is set to expire However, I've always wondered how these work.

RSA SecurID keyfob

On the right-hand side there is a dot (not shown on the picture) which blinks once per second, and on the left there is a stack of six vertically-stacked horizontal bars, each of which disappears once every ten seconds. Every time sixty seconds have passed, the token resets itself, and the previous token becomes invalid.

AFAIK these devices don't make use the network, and the numbers they generate must be checked by the server (whether the server be a bank or a company's server). Hence, inside this device there must be stored an algorithm that generates random numbers with a mechanism that includes a very precise timer powered by a small battery. The timer must be very precise, since, the server needs to check the validity of the generated digits in the very same time interval. For every user/employee, the server must, as far as I understand, store the same random number generating algorithm, with one such algorithm per customer/employee. The chip must of course be constructed in such a way that if it is stolen then the attacker cannot access the random number generating algorithm stored therein, even if the device is broken.

Is this how this works?

Thanks!

Jeff Meden
  • 3,966
  • 13
  • 16
John Sonderson
  • 301
  • 1
  • 2
  • 5
  • 1
    The same way [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) works, except for the latter you don't have to buy an overpriced solution and can use regular phones or any device capable of basic computation, [even a smartwatch](http://tinyhack.com/2011/03/02/ez430-chronos-otp/). –  Dec 20 '14 at 01:06
  • 1
    Software defined OTP are extremely bad since you dont gain the tamper resistance, that is required to gain resistance against cloning of the seed. Anyone with a Micro-USB Cable and the right tools can clone your phone in <5 mins. If its password protected, the encrypted clone can be stored until the code can be obtained by malicious software or shoulder-surfing. Some phones today provide a tamper-resistant hardware key store, then its a good idea to use that, or a Security Smart-MicroSD. That prevent the seed from being extracted, only "used". But non-RSA hardware TOTP tokens are really cheap. – sebastian nielsen Dec 20 '14 at 09:40
  • 1
    Related: [How RSA tokens work](http://stackoverflow.com/questions/8340495/how-rsa-tokens-works) – Sam Berry Dec 20 '14 at 16:38
  • 1
    @sebastiannielsen that still relies on social enginnering or on users not watching after their stuff properly. If I can connect the user's phone to a computer without him noticing, I may as well steal his RSA token and put another one in its place (and he won't notice until the next time he tries to use it which would be too late). –  Dec 20 '14 at 18:34
  • Worth linking: [Can the numbers on RSA SecurID tokens be predicted?](http://security.stackexchange.com/q/9584/56961) – Michael Feb 28 '17 at 20:46

3 Answers3

32

Yes it does work as you say. The chip is "tamper resistant" and will erase the "seed" (secret key) if any attempt is made to attack it. This is often accomplished by having a non-user-replaceable battery and a "trap" that breaks power to the device once the device is opened, or the chip surface is removed. The key is then stored in a SRAM, requiring power to keep the key.

The key is a seed, that combined with the current time in 60 second step (effectively, the current UNIX timestamp / 60), refreshes the code.

No, the device does NOT need to be precise. Instead, the server will store the time of the last accepted code. Then the server will accept a code one minute earlier, one minute ahead, and at the current time, so if the current time at server is 23:20, then it will accept a code from 23:19, 23:20 and 23:21.

After this, it will store the time of the last accepted code, eg if a 23:21 code was accepted, it will store 23:21 in a database, and refuse to accept any code that was generated at 23:21 or earlier.

Now to the interesting part: To prevent an imprecise token from desynchronizing from the server, the server will store in its database, if it was required to accept a 23:19 code or a 23:21 code at 23:20 time. This will ensure that at next logon, the server will correct the code with the number of steps.

Lets say you at Clock 23:20 login with a 23:19 code. Server stores "-1" in its database (and if it would be a 23:21 code, it would store "+1" in database). Next time you login, Clock is 23:40. Then the server will accept a 23:38, 23:39 or 23:40 code. If a 23:38 code is accepted, it will store "-2" in database, at 23:39 it will keep "-1" in database, and at 23:40 it will store "0" in database.

This effectively makes sure to keep the server synchronized to your token. On top of this, the system, if a token "ran too far away" from the server (due to it being unused for a long time), allows resyncronization. This is accomplished either by a system administrator, or a self service resynchronization service is presented where the token user is asked to provide 2 subsequent codes from the token, like 23:20 and 23:21, or 19:10 and 19:11. Note that the server will NEVER accept a token code generated at or prior to the time that "last used token code" was (as this would allow reuse of OTP codes). When a resyncronization is done, the token will store the difference from the provided 2 token codes, and the current server time and in a resync, the search window could be like plus/minus 50 steps (which would allow about 0,75 hours of desync in both directions).

The server can detect a desynchronized token by generating the 50 prior codes and 50 future codes, and if the specified code matches that, it will launch the resync process automatically. Many times, to prevent an attacker from using the resync process to find valid codes, once an account is in resync mode, login will not be accepted without resyncing, which would require the attacker to find the exact code subsequent or prior to the code just found.

fduff
  • 725
  • 1
  • 8
  • 17
sebastian nielsen
  • 8,779
  • 1
  • 19
  • 33
5

The SecurID token has a "seed" value assigned to it, and is programmed with a specific algorithm that generates numbers based on the seed and its system clock. The seed value is also stored in a file that is shipped with the token. Upon receiving the token, System Administrators import the seed file to the authentication server. Since the SecurID token device and the server both have the seed value, and both are using the algorithm, the server can determine what the correct token code should be at any given time.

Occasionally, the token's clock may come out of sync with the authentication server. If this happens, System Administrators or other authorized support personnel can assist the user by performing a re-synchronization process on the server. This will configure the server to recognize the time offset for that token so that future authentication attempts should be handled accurately.

Note: Because these numbers must be predictable by the server, based on only the data stored in the seed file, the current time, and a standard algorithm, they can also be predicted by an attacker with special tools and access to the token. (Or worse, access to the seed files themselves - as is suspected to have happened in 2011.) Given enough consecutive token codes, there are tools that can determine the seed value and then generate future codes on their own.

Iszi
  • 26,997
  • 18
  • 98
  • 163
2

The Sebastian answer was terrific. I will restate that in layman's terms. The SecureID token is simply a clock with a seed value in it. Instead of displaying time it displays a number. The dot in that we can see in the picture is seconds (I think), the bar is when the number is going to change so you can time it. If it is reaching the bottom it is about to change and if you are typing it in, you will want to wait.

The "seed" is also on the server that is authenticating the device. When security guys install the RSA server they have to load the same seeds into the server that will be receiving your pincode.

So... Basically it is a cryptoclock. Just like the old LCD watches that my kids have with dora, or princesses on them. The difference is the seed that provides the math for the number.

Joe Kocan
  • 21
  • 1