Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Can Generate RSA SecurID Random Numbers Flawlessly

Posted by Soulskill on from the everybody-needs-a-hobby dept.

Fluffeh writes "A researcher has found and published a way to tune into an RSA SecurID Token. Once a few easy steps are followed, anyone can generate the exact numbers shown on the token. The method relies on finding the seed that is used to generate the numbers in a way that seems random. Once it is known, it can be used to generate the exact numbers displayed on the targeted Token. The technique, described on Thursday by a senior security analyst at a firm called SensePost, has important implications for the safekeeping of the tokens. An estimated 40 million people use these to access confidential data belonging to government agencies, military contractors, and corporations. Scrutiny of the widely used two-factor authentication system has grown since last year, when RSA revealed that intruders on its networks stole sensitive SecurID information that could be used to reduce its security. Defense contractor Lockheed Martin later confirmed that a separate attack on its systems was aided by the theft of the RSA data."

32 of 98 comments (clear)

  1. Not exactly... by Anonymous Coward · · Score: 5, Informative

    "When the above has been performed, you should have successfully cloned the victim's software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim's token," Fouladi wrote.

    Good job leaving the word software out of the summary there in the /. lead in.

    1. Re:Not exactly... by Fwipp · · Score: 5, Insightful

      Exactly. They're cloning the software token, not breaking the scheme that the hardware uses.

    2. Re:Not exactly... by Kenja · · Score: 4, Insightful

      The keyfob is fairly tamper proof. You would need to pop it open and use some sort of device to read the memory where the token is kept. Since the fobs are filled with epoxy and go dead if the power source is disconnected, this is difficult.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:Not exactly... by nahdude812 · · Score: 3, Insightful

      The hardware versions are the ones used for the more important operations. Their seed is a lot harder to snoop. If the hardware version became fundamentally broken, an awful lot of systems and networks would suddenly be a lot weaker.

      All random number sequences produced by computers are reproducible if you know the algorithm and the seed; that's in fact the whole strategy behind the RSA SecureID token - if you know the seed, you know the value fo any given point in time. It's not that they discovered random number generators are actually pseudo random number generators, it's just that they snooped a software key. Snooping a hardware key is a lot harder, and requires physical access since these aren't networked in any way. It's very misleading for the article title to sound like the hardware versions were broken when they weren't.

      --
      Slay a dragon... over lunch!
    4. Re:Not exactly... by fuzzyfuzzyfungus · · Score: 5, Informative

      My understanding is that the two schemes are the same. The software version is just the cheap-n-lazy implementation for people who don't want to deal with airgapped hardware tokens.

      Honestly, what makes me nervous about this is not the fact that, shocking!, software can be reverse engineered; but that RSA seems to mix a disconcerting amount of laziness and hubris in with their competent math.

      As best we currently know, it is Not Possible to deduce subsequent token outputs merely given access to previous token outputs. However, it is trivial to do so given access to the seed value. And yet, RSA's last big security fuckup was because they weren't purging seed values for tokens sold to customers. And now it turns out that their software 'tokens' retain their seed values in local storage forever.

      Way to let a desire for convenience drag defeat from the jaws of victory, guys.

    5. Re:Not exactly... by chrb · · Score: 4, Informative

      They're cloning the software token, not breaking the scheme that the hardware uses.

      The algorithm that the software and hardware implement is the same. What has been done here is to show that the software mechanisms in place to protect the token file under Windows can be broken, despite the claims of RSA:

      This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: “RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer:
      * Binding the database to the computer's primary hard disk drive
      * Implementing the Windows Data Protection API (DPAPI)
      These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI.”

      So if the RSA software token is installed on a Windows PC, and you can access that PC (remotely or physically), then you can copy the token; the result is the same as having cloned a person's hardware token.

    6. Re:Not exactly... by erroneus · · Score: 2, Insightful

      The "hardware token" *IS* running software. Did you think it was not running a processor and running a program???

      And in order for that to work, it operates the same way the SOFTWARE system which validates and verifies the numbers on the RSA ID.

      The compromise is the same whether it is a hardware or software device... in the end, they are all software devices.

    7. Re:Not exactly... by Cramer · · Score: 5, Interesting

      It's my understanding of the system (from dealing with one years ago)... the server can recover the seed used by a hardware token given it's serial number, and two sequential tokens. Perhaps the serial number is the "seed" and it's figuring out the tokens clock. However, it's perfectly clear the server can generate the same numbers as the token. The strength of the system is keyed to protecting that algorithm. Soft-tokens are a bad joke and only slightly better than a password, but are themselves based on a "password".

    8. Re:Not exactly... by Sir_Sri · · Score: 2

      Well not just remotely access, you need to remotely have administrator access, or have otherwise compromised the machine.

      Which makes this a half MS and half RSA problem. If your software absolutely must run on windows, no matter how unsuitable windows is for the task, then you rely on microsoft API's and general OS features/security etc. If they don't secure their secure device API properly then there is only so much you can do, equally if they don't document how to properly use/connect to a secure device API you're equally screwed.

      It also reduces the RSA token problem to the same problem as everything else in security. If machine isn't properly secured, both with regular software updates/AV/Firewalling, and from users clicking on random files with administrator privileges then anything else you do is basically pointless.

    9. Re:Not exactly... by datajack · · Score: 5, Informative

      The server cannot 'recover' the seed from the serial number.

      When you buy hardware tokens, you are supplied with a copy of the seeds, associated with the token serial numbers, to import into the server. The SecurID scheme is time based. What is recovered through supplying the serial number and two token-codes (combined with the existing knowledge of the seed) is the current state of the token's internal clock.

      The serial number printed on the back of the token is NOT the seed. It is not (to the best of my knowledge and trust in RSA) related to the seed in any way other than the mapping held in the database of the server.

      This story is purely sensationalist. The SecurID algorithm has been known for a long time, that token codes can be generated when the seed is somehow compromised is a non-issue. That a software token seed can be recovered given full access to the host is also obvious to anyone reasonably aware of the realities of cryptography.

    10. Re:Not exactly... by Lumpy · · Score: 2

      " like a phone, laptop, etc. that can potentially be cracked from thousands of miles away."

      Hi this is phil from IT. Yeah we are having some problems with logins, can you read me the number off the back of your dongle? Thanks!

      All hacked from thousands of miles away....

      --
      Do not look at laser with remaining good eye.
  2. This is great news! by CubicleZombie · · Score: 5, Funny

    Now I don't have to worry about forgetting to bring home the RSA token for my company's VPN. I can just leave it under the keyboard with all my password post-its!

    --
    :wq
    1. Re:This is great news! by JoeMerchant · · Score: 2

      Better still, you can outsource your work to India and they can sign in with your token.

    2. Re:This is great news! by Beardo+the+Bearded · · Score: 5, Funny

      That's what I do, I just have two Engineers in India do my work and FTP it to me once a week. They get paid 1/10th of what I do, so I do basically no work for 80% of my paycheque.

      Outsourcing works both ways.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  3. Summary is somewhat misleading by supersat · · Score: 4, Informative

    This applies to software tokens only.

    1. Re:Summary is somewhat misleading by Jeng · · Score: 2

      As opposed to the ones you get at the arcade?

      --
      Don't know something? Look it up. Still don't know? Then ask.
  4. Misleading title by Anonymous Coward · · Score: 2, Informative

    and they aren't doing it by reverse engineering RSA software, but rather exploiting windows API's.

  5. Re:Suuuuure it's random by Fwipp · · Score: 3, Insightful

    This attack doesn't actually rely on any of that - it's akin to photocopying all the one-time pads you've given to the user. To say that this is bidirectional cryptography is misleading at best.

  6. Isn't this old news? by noc007 · · Score: 3, Informative

    DNRTF

    If it's about figuring out the algorythm used by their SecureID fobs, this is old news. At the last job during a PCI audit, the auditor was showing off the pen test tools he downloaded for free off the net. I think it was Cain and Able had a tool that did this; as long as you knew the serial numbers on the back (a brief amount of physical access or social engineering) it would report back the six digit number the fob was displaying. Obviously you still need the other parts of the credentials, but the algorithm used by the fob was already broken.

    1. Re:Isn't this old news? by LordLimecat · · Score: 4, Informative

      The token generation algorithm uses essentially two parameters: the key fob serial number and a token activation key; each of them are usually provided by the vendor in *.XML files.

      From here.

      Basically, they also need the seed, which is the problem being tackled here.

  7. Re:Suuuuure it's random by YodasEvilTwin · · Score: 4, Informative

    This has nothing to do with randomness. For example, you could use numbers that are random (or as good as random) by sampling background radiation and still run into the same issue. The problem lies in the fact that those samples need to be shared. You can't log in if the server isn't using the exact same number sequence as your token. The seed provides the means to get the number sequence; replacing the seed with the data from your radiation sampler might be good in that it's probably harder to hackers to access, but it doesn't change the fundamental nature of the issue.

  8. Not so fast by WaffleMonster · · Score: 4, Insightful

    Key point from TFA "was easy for people with control over the machines to deduce and copy"

    If anything is running on a computer it is possible to probe it and figure out what it is doing and duplicate it if you have complete control over it. It does not much matter what it is how fancy an algorithm is being used or how it is configured.

    If you want something to stay secret then it needs to self destruct when someone tries to fuck with it or anything it depends on to work.

    Reminds me of the outraged cries of those 1337 few over the years who independantly discovered operating system x must be defective since you can bypass password authentication or access controls by mounting an unencrypted hard disk in a different computer. No shit.

    1. Re:Not so fast by Thaelon · · Score: 2

      The old rule still applies: Physical access is access.

      --

      Question everything

  9. What you have by g0es · · Score: 5, Insightful

    I have never understood why software tokens have been allowed to be considered a "factor" in multi factor authentication. Particulary when it is stored on the same laptop/computer that the user is utilizing to connect to the secure resource. Doesn't it make more sense to have each factor seperated by an air gap or alternate communiation channel? That way if the system where the users is typing a password is compromised only the password is compromissed with possibly the ping from the token which would be a one time key. Even if the one time key and the password are comprimised the attacker basicly has to use it at the same time.

  10. Obvious by Sparticus789 · · Score: 2
    So RSA tokens can be broken if someone copies the RSA software token. It doesn't take a security researcher to figure this out. Any 7th grader knows that if you steal someone's key to their locker, you can open it.

    If this is what "security researchers" get paid to do, sit around and state the obvious, I am in the wrong career field.

    --
    sudo make me a sandwich
  11. Re:Open it up and extract token. by g0es · · Score: 2

    Yes

  12. Re:Suuuuure it's random by JoeMerchant · · Score: 3, Informative

    Solved with public/private key pairs (long ago), short version:

    Server publishes public key and has internal copies of its private key and all authorized users' public keys.

    User wants to authenticate, server challenges with a unique nonce (sampled from background radiation, or whatever) authenticated with server's private key if you're paranoid.

    User responds with self-authenticated version of the nonce, possibly encoded with server's public key for good measure.

    The only hole is key control, which is where the two+ factor stuff starts playing in.

  13. Re:Unsurprising, since... by idontgno · · Score: 4, Interesting

    I know this is Slashdot, but this thread is taking "TL;DR" to whole new places.

    The news isn't that RSA's algorithm is out in the wild. Without the account-specific sequence generation seed value, the algo is worthless.

    The news is that the researches have examined the Windows software version of the access code generator ("software token") and figured out how to extract the seed value out of a specific installation. With that seed value, you can take another copy of the software token and clone the key generation sequence of the first, allowing you to spoof the other token's identity.

    This is why most RSA installations I know of also require the use of a PIN concatenated with the token-generated number. That way, coaxing the code out of the software token isn't enough to authenticate as the identity of the person the token is assigned to; you have to guess the PIN as well (maybe by looking under keyboards).

    I guess the real story is "soft tokens don't protect their internal secrets as well as hardware tokens".

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  14. SecurID not broken by Old+Wolf · · Score: 4, Insightful

    I read TFA.. the algorithm is not broken and the seed isn't deducible from the output; all they've done is read the seed out of software auth running on a general purpose computing device.

    This has always been possible in theory -- obviously, the computer software has to generate the output so it must have the seed in an accessible form; probably under several layers of obfuscation and encryption (which ultimately adds no security, as the software still has to be able to wade through it to get to the seed). It's very similar in concept to someone being able to obtain your PGP or SSH private keys if they have local access to your system.

    There is no risk to people with a hardware auth device, unless the server is compromised (in which case this form of authentication is useless anyway).

  15. Re:Open it up and extract token. by Jafafa+Hots · · Score: 2

    Also, if you happen to notice a block of bricks overhead, jump up and hit it with your head.

    --
    This space available.
  16. not necessarily true by Chirs · · Score: 2

    It could theoretically be a custom ASIC, in which case it's not really a processor running a program as much as a physical embodiment of the program.

  17. WORST I'VE SEEN by mr_stinky_britches · · Score: 2

    Wow, this is one of the worst summaries I've seen in the last 2 days on /.

    --
    Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.