First post in a series (hopefully) related to general computer security.
When I first started my current many years ago I was issued of these keyfob thingies which displayed a 6 digit number that changed every minute. I just blindly accepted that it did some complex random number generation that allowed me to log in to systems securely.
Here's how it works (paraphrased from this).
The token is a completely standalone unit. It does not have any sort of connection to any other electronic device.
Each token contains a clock chip and a unique seed number, which I assume is displayed on the back of the token.
Every minute, the combination of the current time and the unique seed number as input of the algorithm and produces the six digit number you see on the token (I have no information on the algorithm itself).
The server performing the authentication (known as an ACE Server) knows your unique seed number, the algorithm being used, and the time. With this information, it performs the same function on the server. It receives your code and compares it to the code it computes. If the codes match you are authenticated.
Edit:
I found a more detailed breakdown after the original post is here:
All versions of the SecurID use RSA's patented
technology to synchronize the use of Current Time in a SecurID token and
its remote authentication server, what RSA calls the
ACE/Server. (Typically, as you know, the link between the token-holder and
the ACE/Server is through an intermediary -- an ACE/Agent or RADIUS agent
-- which intercepts an authentication call and relays it to the ACE/Server
for processing.)
The classic SecurID, for 15 years, used a proprietary algorithm to
hash a token-specific 64-bit seed and Current Time. The new SecurID --
introduced at the beginning of 2003 -- uses the AES block cipher, in
standard ECB mode, to hash:
- a 128-bit token-specific true-random seed,
- a 64-bit standard ISO representation of Current Time
(yr/mo/day/hour/min/second),
- a 32-bit token-specific salt (the serial number of the token), and
- another 32 bits of padding, which can be adapted for new functions or
additional defensive layers in the future.
Conflated and hashed by the AES, these inputs generate the series
of 6-8 digit (or alphanumeric) token-codes that are continuous displayed on
the SecurID's LCD, rolling over every 60 seconds. (The standard mode of
use, as you know, requires two-factor authentication: the token-holder is
required to provide both a SecurID token-code and a user-memorized PIN to
the remote ACE/Server.)
ECB mode in AES is executed on 128-bit blocks, of course, so it is
obvious that RSA had to pad the standard 64-bit expression of Current Time
with another 64 bits. Using a token-specific salt blocks any attempt to
pre-calculate a library of possible token-codes for all 128-bit seeds. That
means that any brute-force attack on the AES SecurIDs would have be focused
on a particular token.
Showing posts with label cissp. Show all posts
Showing posts with label cissp. Show all posts
Tuesday, October 16, 2007
Monday, October 01, 2007
One Skill A Day
I'm going to try something new to beef up my arsenal of skills before I start looking for a new job. Each day I'm going to learn one new tech skill. The topics will not follow any particular pattern or will not stick to one technical area. Rather, I'll probably jump around between disparate topics. That'll prevent me from getting bored.
In this blog I will type out a brief synopsis of what I learned in addition to key concepts. Some topics will obviously take more than one day to even learn the basics.
If I miss a day I'll will learn two things the next day.
Here are a few topics I want to brush up on:
1) NFS
2) XEN
3) VxFS
4) Performance Tuning
5) IP Subnetting
6) DB queries
7) Basic Oracle Admin
8) netstat usage
In this blog I will type out a brief synopsis of what I learned in addition to key concepts. Some topics will obviously take more than one day to even learn the basics.
If I miss a day I'll will learn two things the next day.
Here are a few topics I want to brush up on:
1) NFS
2) XEN
3) VxFS
4) Performance Tuning
5) IP Subnetting
6) DB queries
7) Basic Oracle Admin
8) netstat usage
Thursday, June 21, 2007
CISSP
I've decided to start studying for the CISSP exam. I've decided the first step will be to memorize the ten domains that comprise the Common Body of Knowledge as defined by International Information System Security Certification Consortium (ISC)^2 before I start reading some e-books on the subject. Here we go from memory using a new trick I learned today:
1) Access Control
2) Application Security
3) Business Continuity and Disaster Recover Planning
4) Cryptography
5) Information Security and Risk Management
6) Legal
7) Operations Security
8) Physical and Environmental Security
9) Security Architecture and Design
10) Telecommunications and Network Security
Amazingly I got them all correct in the right order just by studying for a about 5 minutes. I swear I didn't peek. What's funny is the words my brain was spitting out felt so wrong but they were precise (WTF is Operations Security??)
The trick is to say the first item in the list out loud, read the second item, say the first and second item out lound, read the third item... and so on.
I can't believe I just learned this trick today.
1) Access Control
2) Application Security
3) Business Continuity and Disaster Recover Planning
4) Cryptography
5) Information Security and Risk Management
6) Legal
7) Operations Security
8) Physical and Environmental Security
9) Security Architecture and Design
10) Telecommunications and Network Security
Amazingly I got them all correct in the right order just by studying for a about 5 minutes. I swear I didn't peek. What's funny is the words my brain was spitting out felt so wrong but they were precise (WTF is Operations Security??)
The trick is to say the first item in the list out loud, read the second item, say the first and second item out lound, read the third item... and so on.
I can't believe I just learned this trick today.
Subscribe to:
Posts (Atom)