RSA Hacked, SecurID a Little Less Secure Now

Status
Not open for further replies.

decolingo

Distinguished
Mar 19, 2011
2
0
18,510
SecurID is a time-based one-time password authentication technology that's been in use for well over a decade. You carry a device which provides a continuosly changing code (often displayed onscreen). You add a PIN number to this (a step handled in adifferent ways), and then type the result into a webpage, VPN login, etc. A server running an algorithm within the target for access evaluates your entry, and decides if it's valid. If it is, you're in.

It's "two factor", because you need the token and your PIN. These OTP (one-time-password) technologies are pretty good, but most have flaws (SecurID is not the best, technically), and all pale in comparison with PKI authentication.
 

eriko

Distinguished
Mar 12, 2008
29
0
18,580
SSL was cracked some years ago. And we still use that too.

I don't see this as a big problem, really.

I know a CFO using this technology, and there is no way anyone but the person who gave him his password is aware of it, so its still a 'two part' process, like the other poster said.
 

flachet

Distinguished
May 27, 2010
44
0
18,580
So a company that specializes in security got the crap hacked out of them and no one noticed until after it was done? Tell me again why anyone uses a product from this company? If I were using RSA in my company, they could expect to get their crap back.
 

jsc

Distinguished
Moderator
Jul 14, 2004
498
0
18,960
My company uses SecureID to get into the VPN. After that, you need a regularly expiring, strong password to go anywhere.
 

jsc

Distinguished
Moderator
Jul 14, 2004
498
0
18,960
My company uses SecureID to get into the VPN. After that, you need a regularly expiring, strong password to go anywhere.
 

decolingo

Distinguished
Mar 19, 2011
2
0
18,510
[citation][nom]STravis[/nom]Really? Do tell.[/citation]

I agree with your tone in responding -- trouble is, people say "cracked" like it means it's totally broken. In truth, there are many levels of "cracking" for even simple systems.

In the case of SSL, there are various "cracks", the most interesting of which was the protocol's lack of robustness in communicating alogrithm selection during key agreement. This could lead to a man-in-the-middle attack. So, "crack" == "could lead".

In truth, for most of the value that SSL protects, there are typically easier ways to get in. SSL isn't (and wasn't) perfect, but it's far from the weakest link.
 

rusabus

Distinguished
May 19, 2007
12
0
18,570
[citation][nom]STravis[/nom]Really? Do tell.[/citation]
Some root certificate authorities still use MD5 hashes to sign their certificates. MD5 has a weakness that has been known for about 15 years, but which was only really publicly exploited in 2005 (and more impressively in 2008). Basically, it is possible that two documents with different content could have the same MD5 hash.

Using that weakness, some researchers purchased several thousand dollars worth of regular SSL certificates from a public certificate authority. They then used a bunch of PS3s to generate an intermediate certificate authority certificate with the same MD5 hash as one of the certificates they had purchased. Because the MD5 hash for their regular SSL cert matched their intermediate CA certificate, they were able to use it to sign their intermediate CA certificate. This gave them the ability to generate and sign other SSL certificates. They have released their research to the public, and most certificate authorities don't use MD5 hashes any more, but the SHA1 hash that most of them use now is also vulnerable to collisions (although to my knowledge, an exploit of SHA1 has never been demonstrated).

Anyway, with the above methods, any one with about $50,000 could purchase enough computing power to generate a MD5-signed CA certificate and perform a man-in-the-middle attack on any website without the end-user knowing that anything was happening. I don't have $50,000, but I can think of plenty of people/organizations that do . . .
 
Status
Not open for further replies.