"All That Comes Cheap Is Dear": SecurID

Summary: SecurID is a two-factor authentication system manufactured by RSA that generates pseudorandom passcodes on a token, authenticating users beyond just a username and password. The token generates a passcode from the current time, which the user combines with their PIN to log in. The authentication server verifies the passcode by running the same algorithm and checking that the time offset is within 10 minutes. SecurID tokens can be used across different platforms and devices to authenticate users logging into networks, VPNs, buildings and other systems, adding a layer of dynamic passcodes on top of a static password.


Lameck Wagumba

Date April 19, 2010

SecurID

“All that comes cheap is dear”

The simplest way to authenticate users who log into our networks is by account name (username) and password: popular, cheap and manageable. What was once the most secure way of accessing our networks has since outlived its purpose, owing to users sharing passwords, stolen passwords, and disgruntled employees or technical staff disclosing passwords to unauthorized users. Many other methods can also be used to obtain passwords, including guessing, dictionary attacks, rainbow tables and social engineering, which is very common among peer employees. The only way to reduce the risk of these people-driven vulnerabilities is to implement a structure that enforces two-factor authentication. In addition to their usernames and PIN numbers, users will be expected to provide a fingerprint, a card or a token. In this paper I will explain how SecurID can be used as an additional authentication factor in a two-factor authentication system.

SecurID is manufactured by RSA and has been on the market for over 15 years; it currently has a base of over 10 million subscribers. SecurID is one of the best known two-level authentication technologies and boasts deployments among the Fortune 500 companies. Because of its complete mobility it is more attractive than the comparable technologies on the market. It is a one-time, real-time passcode (token code) system used as a form of authentication, and it is hardware based. Typically a SecurID deployment consists of:

1. A key-chain user device, or a device attached to a computer, commonly referred to as a token, that generates pseudorandom numbers every 30 to 60 seconds.
2. Client application software, which runs on many diverse platforms and can be embedded in RAS (Remote Access Server), VPN (Virtual Private Network), firewalls and many other network routing devices.
3. RSA Authentication Manager (ACE Server, Application Control Engine) that verifies and authenticates the token code generated by the client.

The tokens, also referred to as SecurID hardware authenticators, do not require any desktop or software maintenance; they work with embedded lifetime batteries, which makes deployment and administration very easy.

[Figure 1 flowchart, recovered labels. Left panel, Token Code Generation (Client): Current Time and the 128-bit Seed Record feed the Algorithm, which produces the Token Code. Right panel, Token Code Validation (Server): Current Time, adjusted by the Clock Offset held by the ACE Server, and the 128-bit Token Seed Record feed the same Algorithm. Flow: User enters username, PIN and Token Code; the Authorization Node (VPN, Server) running the RSA Authentication Agent verifies the password (Correct? NO/YES); the RADIUS Server verifies the Authorization Node (Encryption Verification) (Correct? NO/YES); ACE verifies and validates the Token Code against the Offset Clock, ±1 or ±10 minutes (Correct? NO/YES); Accepted.]

Figure 1. An illustration of how a SecurID works

As shown in Figure 1 above, the user is prompted for a username; instead of a password the user enters a concatenation of their PIN and their token code (a 6-digit number). The number produced by the algorithm is very large and is hashed down to 6 digits. This is a one-way function with no way of reversing it to recover the seed record. The username is first verified for authenticity; if correct, RADIUS must also verify that the participating device is a valid network device on the network and that its traffic is encrypted with a valid shared key. Then the user credentials are verified to confirm that the user is valid on that network device (VPN, website access). After this has been verified the credentials are passed to the ACE server, or RSA Authentication Server.

Upon receiving the credentials, ACE retrieves the clock offset and seed record and obtains the current time to perform the same calculation as the client (token). ACE also calculates token codes with an offset of ±10 minutes; should the client's code fall within this window, the user is challenged for another token code. During this test the user is expected to enter the very next token code; if it is correct the user is accepted and the server is re-synchronized to the newly calculated time. It should be clear that this is only done when there is a discrepancy between the user's time and the server's time. If an opponent attempts to log in by guessing token codes and fails on several trials, the user will not be locked out but will instead be forced into next-token-code mode. In this mode, should the opponent manage to guess the right token code, they are prompted for the next number shown on the device. This makes it very difficult, as there is a 1 in a million chance of guessing the correct number. A real user, however, will have the correct token code and will also answer the challenge token code correctly. This is a big advantage to users, since real users are not locked out when opponents use their credentials to try to gain access to the system or network, and a big advantage over conventional password usage. Remember, if everything is correct then the user
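The validation flow described in the two paragraphs above, as an added example that is not part of the original paper: a toy ACE-style server that strips the PIN from the passcode, accepts a token code within the ±10 minute window, challenges for the very next token code on clock drift or after repeated failures (no lockout), and re-synchronizes its stored clock offset on success. The HMAC-based code generator, the 60-second interval and the failure threshold are stand-in assumptions, not RSA's proprietary algorithm.

```python
import hashlib
import hmac
import struct

STEP = 60                  # assumed: token shows a new code every 60 s (paper: 30 to 60)
DIGITS = 6
WINDOW = 10 * 60 // STEP   # the paper's +/-10 minute window, in code intervals
MAX_FAILS = 3              # constructed threshold for forcing "next token code" mode

def token_code(seed: bytes, t: int) -> str:
    """Stand-in for the proprietary algorithm: the 128-bit seed record and the
    current interval are hashed down to 6 digits (one-way; seed not recoverable)."""
    digest = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**DIGITS:0{DIGITS}d}"

class AceServer:
    """Toy ACE-side validation: per-token clock offset, +/-10 minute window, next-token-code challenge."""

    def __init__(self, users):                # username -> (PIN, seed record)
        self.users = users
        self.offset = {u: 0 for u in users}   # learned clock offset per token, seconds
        self.fails = {u: 0 for u in users}    # failed trials; no lockout, only a challenge
        self.pending = {}                     # user -> (drift, matched token time)

    def verify(self, user, passcode, now):
        pin, seed = self.users[user]
        code = passcode[len(pin):] if passcode.startswith(pin) else None
        t = now + self.offset[user]
        for k in sorted(range(-WINDOW, WINDOW + 1), key=abs):   # nearest interval first
            if code == token_code(seed, t + k * STEP):
                if abs(k) <= 1 and self.fails[user] < MAX_FAILS:
                    self.fails[user] = 0
                    return "accepted"
                # clock drift beyond +/-1 interval, or repeated failures: challenge
                self.pending[user] = (k * STEP, t + k * STEP)
                return "next_token_code"
        self.fails[user] += 1
        return "rejected"

    def verify_next(self, user, code):
        drift, matched = self.pending.pop(user, (None, None))
        if drift is None:
            return "rejected"
        _, seed = self.users[user]
        if code == token_code(seed, matched + STEP):   # the very next code on the token
            self.offset[user] += drift                 # re-synchronize to the token clock
            self.fails[user] = 0
            return "accepted"
        return "rejected"
```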

RSA's SecurID can be used for network and system access where the organization intends to reduce security breaches caused by password weaknesses by implementing two-factor authentication. SecurID can be used on PDAs and smartphones and with VPNs, firewalls, Windows logins, web access, top-secret buildings, and in large organizations to control personnel entry to and exit from office buildings. However, there are issues associated with it: for example, if the server falls out of sync with the clients' clocks then many users will be denied access. SecurID does not protect against or negate man-in-the-middle or man-in-the-browser attacks. The strength of the system lies with the authenticating server, so if the authenticating server is not secure and is attacked by an opponent, then the whole system is compromised. The ACE agent or the token can be stolen by an opponent who already has a username, though this is more of a risk than an issue.
