This is page 2 of:
Say Goodbye To RSA’s Fobs
A decade and a half later, it’s a different story. With the algorithm in hand, thieves could make use of today’s cheap computing to construct the equivalent of “rainbow tables” and mimic how a SecurID fob works. And if the algorithm really is in thieves’ hands—even if those thieves don’t plan on making it widely available because they want to use it for attacks on specific SecurID-secured targets—it’s only a matter of time before SecurID becomes useless.
That is, unless RSA changes the game. Right now, a SecurID fob will produce the same predictable sequence of numbers—at least, it’s predictable if you know the hash algorithm and the seed. But what if the seed number could be changed securely at any time? Then even if someone broke into RSA again and stole a database containing every seed for every SecurID fob, the breach would only create a risk until the seed was changed again.
That’s impossible with a 1996-era fob. But it’s easy today if RSA replaces those fobs with smartphones. A mobile phone can do everything a SecurID fob can do. It can also create a secure connection that’s authenticated by the phone’s hardware. And change the seed at any time. And wipe itself, if it’s reported stolen (at least if it’s reported in time). Those are security advantages that the old fobs will never have.
Users are also very likely to notice that, say, their iPhone is lost or stolen. They’re a lot less likely to keep constant tabs on a fob that they use at most a few times a day.
Retailers have an even better reason to hope RSA does something like opening up its hash algorithm and shifting to mobile. This might be the first step in much-improved security for mobile payments. Those SecurID fobs would be great for replacing payment-card PINs with one-time passcodes. But there’s no way any bank could afford to hand out RSA’s pricey hardware to every cardholder (especially because most of those cardholders would promptly lose the fobs).
But replace the fobs with smartphones and suddenly the economics make it practical for RSA to get into the payment-card authentication business. Or if RSA won’t do it, some other security vendor can build on what RSA has already done.
There’s nothing comforting in what happened to RSA. As security guru Bruce Schneier pointed out in his first-take analysis of the breach, “Security is all about trust, and when trust is lost there is no security.” That breach means a major disruption—both in trust and in security—for anyone who uses SecurID. It’s up to RSA to squeeze some good out of that disruption.
-Marc
March 27th, 2011 at 12:19 pm
Regarding the suggestion that fobs be updateable (or worse, be replaced by an app in a smartphone,) you’re missing the greater security issue of trust that a sealed system provides.
If the secret seed can be replaced, then it can be replaced by a bad guy who knows what sequences his replacement seed will produce. If you have an extra-secret tamperproof key that protects the ability to inject a new seed, then that’s exactly as “trustworthy” as the seed itself needs to be, and the replacement process is simply an extra cost burden (plus a risk).
A smartphone app is much, much worse. How do you know you’re looking at the real RSA Token App? You might be looking at Bill’s Malware Trojan RSA App, or your real app might be infected with Brad’s RSA App-Sniffer App. An end user has no way of knowing if his phone is compromised.
A sealed tamperproof hard token, with only human readable air-gap access to its data, is still one of the most trustworthy designs available to put in the hands of the general population.