Blog post

SecurID Redux

By Mark Diodati | March 21, 2011 | 0 Comments

After writing about the recent SecurID attack on Friday, I began thinking about the utility of the SecurID symmetric keys (AKA “seeds”) in the hands of the attacker. Specifically, what would the attacker need in order to leverage these seeds to access protected resources? I must emphasize that RSA has (at this point) not stated that any seeds have been stolen. But the compromise of the seeds is receiving the most scrutiny given that the public nature of the SecurID algorithm.

The attacker’s challenge is correlating the stolen seed to a real user. To do this, the attacker must capture a one-time password and the username. Both are provided when the user authenticates to a resource, and both can be captured at least two ways.

First, The OTP and username can be captured over the network in cases where session encryption is not used for the authentication transaction (between user and resource, and between resource and Authentication Manager). Today, it is relatively rare not to use transport security, but it does happen. Second, the username and password could be captured via user malware at the workstation. My colleague Avivah Litan discusses this type of malware attack on her blog.

Once a single OTP and username is captured, the attacker knows the user’s PIN and can correlate the passcode to the stolen seed (please see my prior entry for information about how the PIN and passcode are combined to make the OTP). This correlation would not be a herculean effort by any means. Run all the stolen seeds and the time of authentication through a software generator, and then compare the calculated passcode to the captured one. Once the attacker finds a match, he has the user’s PIN and device seed, and can use both to impersonate the user during future authentication attempts. The attacker would need to compensate for “clock drift”, which means that the attacker would likely calculate about 10 passcodes per seed to match the captured passcode.

Ironically, the modern version of RSA’s SecurID software OTP device may be less susceptible to attack as compared to the hardware OTP device. In general, hardware OTP devices are more secure due their tamper resistance capability. The software OTP device supports the CT-KIP protocol. The CT-KIP protocol enables the software OTP device and server to negotiate a new seed, which is not mathematically related to the seed that RSA shipped to the customer. The seed in the hardware OTP device cannot be changed and is the same as the seed that RSA ships to the customer with the device.

My assessment is that capturing a username and single OTP is hardly theoretical and has real world implications to SecurID customers if their seeds have been stolen. But what seeds—if any—were compromised at RSA? This is the magic question, the one we do not yet know the answer to. None, all, or seeds associated with specific organizations? If all of the seeds have been stolen, then the attacker can mount a generalized attack on any SecurID authentication. If seeds associated with a specific organization have been compromised, then the attacker must target users associated with that specific organization. Hopefully, RSA will disclose more about the attack so that its customers can take the appropriate next steps. As an aside, many customers do not adequately secure the seeds upon receipt from RSA, regardless of the recent attack on RSA; this is another vector for an attack on SecurID.

Many thanks to Merritt Maxim (my colleague at CA and RSA; twitter: merrittmaxim, blog: for reviewing this entry prior to its publishing.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed