SecurID
by xenox (xenox9@hushmail.com)
Reading over an old 2600 issue (15:1), I ran across a letter from Packrat regarding SecurIDs. Having had some second-hand experience with them, I decided to dig a little deeper.
SecurID is a two-factor personal identification device, a token which is used to help authenticate or validate (to a computer) a person's declared identity.
The classic and most common SecurID token is a slim steel card. It contains an 8-bit CPU, a clock chip, memory, and a lithium battery.
The surface of the card (ignoring for the time being the other variations) boldly displays "SecurID" and has an eight-digit LCD screen with a six-segment LCD countdown bar.
On the back of the card are etched a serial number and the expiration date. The card can calculate codes for up to four years but has a preset self-destruct date. The card also has several sensors and will kill itself if it detects any sort of physical or electronic attack on it.
A large degree of its security is due to the active role it takes in the validation process. Every 30 or 60 seconds (the time interval is a buyer option; most are 60 seconds), in step with the LCD countdown bar on its screen, a new four- to eight-character sequence (the length is another buyer option) is generated. The sequence format, also chosen by the buyer, can be either hexadecimal (0-9, A, B, C, D, E, F) or decimal (0-9).
Each SecurID code displayed by the card is a pseudorandom number (PRN). That is to say, no one can calculate, guess, or otherwise determine the next or future token codes from a record of past token codes from that SecurID.
In mathematical terms, it is computationally unpredictable by anyone who doesn't know the numbers that were used as input to the so-called "one-way function," the (SDTI-proprietary) hash algorithm that calculates the token code.
Each code is based on two inputs to the one-way algorithm:
- The non-secret time.
- A secret seed programmed into the card at "birth."
Inside the SecurID, the secret key (a constant binary value that never changes) and SDTI's binary notation for the current time (a variable, and potentially known) are first concatenated, that is, linked together in series, one after the other. These two linked values - now one long binary number - are then fed into SDTI's proprietary cryptographic hash algorithm. This is an irreversible or "one-way" function that transforms the two binary numbers into a third value: the four- to eight-digit SecurID token code.
The SecurID user interacts with a remote computer, the host of an ACE server or another Access Control Module (ACM) capable of authenticating SecurID tokens. Instead of a card reader of any sort, the system uses an ingenious method of authentication.
The user enters his or her username (or employee number, or whatever), PIN, and the reading on the SecurID card. The central server knows the serial number of the card issued to this specific user and can look up that card's secret seed. It runs the SERVER's time through the hash with the CARD's seed. To allow for clock drift, it accepts any value within three "windows" of the SERVER result (one period slow, correct timing, and one period fast). If the CARD's clock is starting to drift, the server remembers this and takes it into account the next time the authentication protocol takes place. This allows a card with an imprecise clock chip to remain a valid and secure token.
The system only allows ten attempts at entering a code before the card is disabled (this is with a valid PIN). After three tries with an incorrect PIN (whatever the code entered), the system temporarily blocks further attempts.
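Added example, not from the article or from SDTI: a Python simulation of the card-side code generation and the server-side check described above. SHA-256 stands in for SDTI's proprietary hash, the seed is a constructed value, and the three-window drift tracking, the ten-wrong-code disable and the three-wrong-PIN block are modelled as the article describes them.

```python
import hashlib
import hmac

INTERVAL = 60        # buyer option from the article: 30 or 60 seconds
DIGITS = 6           # buyer option: four to eight characters
MAX_BAD_CODES = 10   # ten wrong codes with a valid PIN: card is disabled
MAX_BAD_PINS = 3     # three wrong PINs: further attempts temporarily blocked

def token_code(seed: bytes, window: int, digits: int = DIGITS) -> str:
    """Card side: seed || time window -> one-way function -> decimal code.
    SHA-256 is a stand-in for SDTI's proprietary hash, not the real algorithm."""
    digest = hashlib.sha256(seed + window.to_bytes(8, "big")).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** digits).zfill(digits)


class AceServer:
    """Toy ACE server: per-user seed, PIN, remembered drift and failure counters."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = {"seed": seed, "pin": pin, "drift": 0,
                            "bad_codes": 0, "bad_pins": 0, "disabled": False}

    def authenticate(self, user: str, pin: str, code: str, now: int) -> bool:
        u = self.users[user]
        if u["disabled"] or u["bad_pins"] >= MAX_BAD_PINS:
            return False                  # card disabled or temporarily blocked
        if not hmac.compare_digest(pin.encode(), u["pin"].encode()):
            u["bad_pins"] += 1
            return False
        # Server time window, corrected by the drift remembered from earlier logins
        expected = now // INTERVAL + u["drift"]
        for offset in (-1, 0, 1):         # one period slow, on time, one period fast
            candidate = token_code(u["seed"], expected + offset)
            if hmac.compare_digest(code.encode(), candidate.encode()):
                u["drift"] += offset      # remember how far the card has drifted
                u["bad_codes"] = u["bad_pins"] = 0
                return True
        u["bad_codes"] += 1
        if u["bad_codes"] >= MAX_BAD_CODES:
            u["disabled"] = True
        return False


# Constructed demo value: this seed is not from any real token
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
```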
PINs can be randomly generated by the server or assigned by an administrator. They can contain any typeable character (alphabetic, numeric, or punctuation) and must be four to eight characters long.
A really sneaky feature that can be enabled with SecurIDs is the "duress PIN." These are similar to all the tricks banks try to pull to silently alert police when they are being robbed (e.g., removing the last bill in the drawer closes an alarm circuit). If you force a user to cough up his PIN, it is very likely that he will give you his duress PIN, a PIN that appears to work correctly but immediately notifies the administrators that there has been a breach.
There are several distinct variations of SecurID cards. One of them, the PinPad Secure, also has a small numeric keypad built into the card.
Another, the multi-seed SecurID, has a pressure-sensitive button that allows the user to switch between several internal processes (each process is based on a different random seed).
Yet another SecurID form is the SecurID key fob, semi-obviously a key-chain version of the standard SecurID. There is also a PCMCIA modem version used for secure remote access, and a software version of the card used largely for internal verification procedures.