Despite a number of reports to the contrary, RSA says that its SecurID 800 hardware token has not been cracked, even though a team of researchers claim to have made a number of discoveries.
According to Sam Curry, chief technology officer with RSA, his team have received many inquiries, press pickups, blog entries, and tweets regarding an alleged ‘crack’ by scientific researchers of the RSA SecurID 800 authenticator.
“This is an alarming claim and should rightly concern customers who have deployed the RSA SecurID 800 authenticator. The only problem is that it’s not true. Much of the information being reported overstates the practical implications of the research, and confuses technical language in ways that make it impossible for security practitioners to assess risk associated with the products they use today accurately,” he says in his latest security blog.
“The initial result is time wasted by product users and the community at large, determining the true facts of the situation,” he adds.
Curry goes on to say that the research by a group called ‘Project Team Prosecco’ does not cover any meaningful new ground, and in the specific case of RSA’s products does not highlight any practical risk to users of its RSA SecurID 800 tokens (or any other RSA product).
“However, it is an attempt to continue to explore the potential implications of a fault in PKCS #1 v1.5, and that is always a beneficial exercise regardless of the potential results of the research,” he says, adding that the vulnerability outlined by the researchers makes it possible (however unlikely) that an attacker with access to the user’s smartcard device and the user’s smartcard PIN could gain access to a symmetric key or other encrypted data sent to the smartcard.
“It does not, however, allow an attacker to compromise private keys stored on the smartcard,” he explained, noting that RSA’s position is that what has been reported in the press can be highly misleading.
Steve Watts – co-founder of tokenless two-factor authentication (2FA) specialist SecurEnvoy – meanwhile, says that the headache for users of hardware tokens isn’t that the tokens may be compromised, but the sheer cost of reissuing new keys to members of staff and contractors, many of whom will work in the field.
Hardware tokens, he notes, are a useful authentication technology when deployed to staff that are wholly office-based – even though the on-costs of administering the units can be quite expensive once all the direct and indirect costs are totalled up.
“But the system has worked for some time – and continues to work for those organisations prepared to stomach these hidden (but very real) costs,” he says.
“But with a growing percentage of staff working remotely from the office – and other employees/contractors working from home for one or more days a week – the costs really begin to stack up. Factor the time taken to ship plus activate all those new tokens and you have a serious logistics problem,” he adds.
The SecurEnvoy co-founder went on to say that using a mobile phone as the authentication device – a unit that most people carry around with them – changes the cost and time dynamics when token re-issues are required.
Even if a mass re-issue is required – as happened with the RSA/EMC hack in the spring last year – Watts says that the use of tokenless 2FA technology means that the reissue time taken runs to just minutes, with SecurEnvoy’s 2FA system being capable of processing and issuing as many as 100,000 tokens an hour.
This, he explains, is where tokenless 2FA authentication really comes into its own as being faster, more flexible and cheaper to deploy – and maintain – than legacy hardware token-based systems.
The cost issue, says Watts, is a constant one for hardware token-using organisations, as someone has to mail out the tokens, verify users and generally handhold them through a security enrolment process that few are experienced with.
“With a tokenless 2FA system such as our own – and which uses a mobile phone as the authentication carriage mechanism – users can self-enrol themselves into the programme, since they can employ mobile phone text messaging as a means of enrolment authentication in the first instance,” he said.
“Once they are enrolled and have a smartphone in the palm of their hand, they can use the authentication app to authenticate themselves for – say – an online session, even if they have no mobile signal. The software is completely self-contained – it really is as simple as that,” he added.
“Against this backdrop, in the unlikely event that hackers compromise any element of the authentication login process – for whatever reason – then users can be re-issued with new electronic tokens at the press of a button.”