In this tutorial, we’ll talk in detail about RSA SecurID tokens. First, we’ll elaborate on asymmetric cryptography, which is crucial when it comes to the RSA algorithm. Then, we’ll talk about how RSA tokens work in general, when they are used, and whether they are safe enough nowadays.
2. Asymmetric Cryptography
The RSA algorithm is an asymmetric cryptography algorithm, specifically a public-key cryptosystem. Asymmetric cryptography is a cryptographic system that uses a pair of keys for encrypting and decrypting data. The keys are mathematically connected.
The first one, the private key, is used to decrypt the message. The addressee stores the private key securely on their side and doesn’t share it with anyone. The second one, the public key, is used to encrypt the message. The addressee shares the public key with anyone interested in sending them a message:
As we mentioned, both keys are mathematically connected. Usually, one-way functions are used. Thus, it is easy to encrypt the data but very hard, or practically impossible, to decrypt it without the private key. Moreover, the algorithms are designed so that deriving the private key from the public key is computationally hard.
Asymmetric cryptography is crucial for many modern cryptosystems used in a variety of applications and protocols, e.g., TLS, S/MIME, digital signatures, and RSA SecurID tokens. On the other hand, asymmetric cryptography is much slower than symmetric cryptography. Therefore, it is often too slow for some purposes. Hence, modern solutions use a hybrid approach that combines asymmetric and symmetric cryptography.
3. RSA SecurID Token
The RSA SecurID token is a mechanism for performing two-factor authentication. It can be either software (an application, email, or SMS delivery) or hardware (a key fob device). The mechanism generates authentication codes at fixed time intervals, e.g., every 60 seconds. To authenticate, the party must enter the credentials associated with the specific token together with the currently valid authentication code.
The SecurID token uses a built-in clock and a factory-encoded key called the seed to generate pseudorandom authentication codes. The RSA SecurID server holds a database of active tokens and their seeds, and it also has a real-time clock. During authentication, the server knows which code the RSA SecurID token should currently be displaying, and it authenticates the user by comparing that code with the one the user entered:
The RSA SecurID mechanism adds a layer of security to the authentication process and reduces the chance of a data breach. However, it is still vulnerable to some dangers and attacks. Let’s describe them.
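As an added illustration (not RSA’s proprietary SecurID algorithm, whose internals this article does not cover), the following Python models the seed-plus-clock scheme described above: the token derives a 6-digit code from a shared seed and the current 60-second interval, and the server, holding the same seed and its own clock, recomputes the expected code, tolerates one interval of clock skew, and refuses to accept a code twice. The seed, username and timestamps are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo parameters. The code derivation is an HMAC-over-time-step
# construction in the style of RFC 6238 TOTP, used here only to illustrate
# how a seed and a clock on both sides yield the same short-lived code.
INTERVAL = 60   # seconds per code, matching the 60-second tokens in the text
DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token displays during the INTERVAL that contains unix_time."""
    step = unix_time // INTERVAL                 # both sides agree on this value
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class SecurIDLikeServer:
    """Holds the seed database and a real-time clock; verifies submitted codes."""

    def __init__(self, seeds: dict, skew_steps: int = 1):
        self._seeds = seeds                      # username -> seed (demo only)
        self._skew = skew_steps                  # intervals of clock drift tolerated
        self._last_step: dict = {}               # newest step accepted per user

    def verify(self, username: str, submitted: str, now: int) -> bool:
        seed = self._seeds.get(username)
        if seed is None or not (submitted.isascii() and submitted.isdigit()):
            return False                         # unknown token or malformed input
        if len(submitted) != DIGITS:
            return False
        step = now // INTERVAL
        for delta in range(-self._skew, self._skew + 1):
            candidate = step + delta
            expected = token_code(seed, candidate * INTERVAL)
            # Constant-time comparison so timing does not leak matching prefixes
            if hmac.compare_digest(expected, submitted):
                # A code for this step or an earlier one was already accepted:
                # treat the submission as a replay.
                if candidate <= self._last_step.get(username, -1):
                    return False
                self._last_step[username] = candidate
                return True
        return False
```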
As we mentioned, the RSA SecurID token is a two-factor authentication mechanism. So, it adds additional security to the authentication process. On the other hand, there are some theoretical attacks that can impact RSA token security.
First of all, the most basic problem is that token devices, or smartphones with an activated RSA token application, can be lost or stolen. Moreover, any attack that can steal the credentials can also steal the authentication code.
Secondly, RSA SecurID tokens are not resistant to man-in-the-middle attacks. In simple words, a man-in-the-middle attack is one in which an attacker inserts themselves between two parties that believe they are directly connected. Thus, the attacker can intercept or modify the transferred data.
Next, there is always a possibility that attackers break into the RSA server and obtain token-related data such as seeds. In such a case, the token becomes worthless. In fact, in 2011 there was a successful cyberattack on the RSA company in which attackers stole confidential data about RSA SecurID tokens. The attack affected thousands of important clients, including the US government.
Finally, there are more specific vulnerabilities, like security issues within a particular application, system, or hardware version.
In this article, we talked in detail about RSA SecurID tokens. Nowadays, there are many alternatives and similar solutions, such as well-known mobile applications like Authy or Google Authenticator. In general, hardware tokens are being replaced. Often, software-based solutions are preferred, like the mobile applications mentioned above or delivery of authentication codes by SMS or e-mail.