Is there a software version of the securID fob below:
RSA SecurID fob http://www.frontierpc.com/ProductImages/Large/1010053834.jpg
I remember reading that the algorithm for the key generation had been broken & that there was a software utility available, where if you punched in enough sequences from your physical key it would figure out the key sequence. Where can i get this software???
EDIT: I'm looking for non-official software
Seeking software capable of cracking an RSA SecurID, Nick Kavadias wrote: "I remember reading that the algorithm for the key generation had been broken & that there was a software utility available, where if you punched in enough sequences from your physical key it would figure out the key sequence. Where can i get this software???"
Hi Nick,
Since 2003, the RSA SecurID has been based on AES block cipher, the US advanced crypto standard. The SecurID uses a 128-bit token-specific secret key, and AES, to continuously generate a series of 60-second SecurID token-codes by encrypting:
Sorry, Nick. No joy. No one is likely to "break" AES in the foreseeable future.
The original SecurID, first introduced in 1987, used a proprietary John Brainard algorithm to hash a 64-bit token-specific secret and Current Time to generate the SecurID's series of 6-8 digit token-codes, continuously changing every 60 seconds.
Although, to the best of my knowledge, no one ever successfully cracked one of the classic 64-bit SecurID, there was a fascinating burst of academic insight into new types of vulnerabilities in the old SecurID hash has that was published shortly after RSA upgraded to its AES SecurID. These theoretical attacks on the Brainard hash typically entailed the collection of many thousands of SecurID token codes and an extensive statistical analysis of the series that might be effective, on some tokens. I know of several attempts to use this approach to actually crack a SecurID, but they were all unsuccessful
I doubt if there is actual software out there -- and it would be, after all, only good for attacking the 64-bit SecurID, a product no longer in use -- but there academic papers available that explore the probabilities, if that is your bent. (The most insightful deconstructions and analysis of the Brainard hash were in a 2003 paper by Biryukov, Lano, and Preneel and another paper published in 2004 by Contini and Yin, two former RSA cryptographers. I think both are readily accessible online.)
I'm a little unclear about your goal here, Nick. RSA has freely distributed millions of software versions of the AES SecurID, customized for various hand-held platforms, from their website. They charge for their server and the "secret keys" used to initialize these token emulation applications. There are, doubtless, various reverse engineered versions of the SecurID code in circulation. So you can play with real or imitation SecurID code -- but without the 128-bit secrets make the RSA system work. And RSA's authentication server will only register and support SecurID secret "keys" which have been digitally signed by corporate RSA.
I hope this answers your questions. Speak up if you have more. I've been a consultant to RSA for many years, and my bias is overt, but I'm usually up for Q&As.
Suerte, _Vin
RSA do official software tokens for some PDAs. Our company installs the software version of the token on corporate Blackberrys, to save the users having to carry around a dongle as well as their BB.
Having the software on a PDA keeps the two-factor aspect of the security (something you have and something you know) in a way that installing a software token on the same desktop PC that you're probably connecting to the resource from doesn't.
Also using the official RSA software token as distributed to you by the people controlling access to the resource is a much, much better idea than using some hacked about bit of software that probably breaks all sorts of agreements between you, the issuer and RSA.
See here for RSA's official software authenticators, note that although you can just download some of those without any difficulty, they won't work without a key/seed record issued by the people that run the resource you're trying to access.
I don't believe that you can use your RSA keyfobs, but there is a free community-based, open-source, web-based two factor authentication called WikID. They also have a commercial program.
I would not recommend using such software if it exists.
You are essentially removing a level of security from the login arrangements. If someone somehow gains access to your workstation/laptop (locally or remotely) then they have everything they need to login as you on those systems. The point of having an extra physical device as part of the authentication process is that you have the device and the remote hacker (or the person who has stolen you laptop) doesn't.
Whoever has given you the physical key to use for gaining access to their systems will not be happy if you do anything like this and are likely to at least completely revoke your access if they find out. You might even find your self in a litigation situation as you will most likely be in breach of any agreement made when you were given access to the services.
It is possible to emulate SecureID devices providing you have all of the required items. But in doing so you're breaking the fundamental design of two-factor authentication. Which undoubtedly won't please whoever provided you the device to secure access to their own systems.
The principle of two-factor auth is that the physical item, which is the "part of the puzzle that you have", cannot be duplicated and is kept with you at all times. If you emulate this in software on your laptop, then your laptop becomes are target for stealing and/or copying this data, potentially without you even knowing that it has happened.
