RSA Security has offered to replace all of the 40 million SecurID tokens, which are used in the two-factor authentication process that corporate workers currently use to securely log on to their computers. Ars Technica does a good job describing what a token is:

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token. The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

There is commentary about whether disclosing information about this exact vulnerability earlier would have prevented attacks, as RSA had hoped, or whether it left companies in the lurch about how to shore up their security. As we wrote earlier, a layered approach to security will greatly help reduce these and other risks in your security systems and processes.

RSA SecurID Compromise in Detail
Friday, June 10th, 2011

It was announced earlier this year by EMC, the company behind RSA, that the company had been a victim of an APT cyber attack and that information about their SecurID two-factor authentication products was leaked. At the time, it was unclear if the breach had resulted in SecurID being compromised. For the first time, the company has acknowledged that its compromised SecurID tokens were used to breach Lockheed Martin.
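The mechanism in the token description quoted above, as an added example that is not part of the original post and is not RSA's code: because the SecurID algorithm is secret, this sketch substitutes the public HMAC-based TOTP construction from RFC 6238, and the seed, username and timestamp are constructed sample values. It shows the server recomputing the expected code from the stored seed, and why any copy of that seed produces codes the server accepts.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post says codes change every 30 or 60 seconds
DIGITS = 6

def token_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Code for this moment: HMAC of the time-step counter under the seed."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthServer:
    """Holds each account's seed and recomputes the code the token should show."""

    def __init__(self):
        self.seeds = {}      # username -> seed
        self.last_step = {}  # username -> newest time step already accepted

    def enroll(self, user, seed):
        self.seeds[user] = seed

    def verify(self, user, code, now, drift_steps=1):
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        # Accept adjacent steps to tolerate token clock drift.
        for s in range(current - drift_steps, current + drift_steps + 1):
            if hmac.compare_digest(token_code(seed, s * STEP_SECONDS), code):
                if s <= self.last_step.get(user, -1):
                    return False  # code already used: reject replay
                self.last_step[user] = s
                return True
        return False

def demo():
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample seed
    now = 1_307_700_000                                       # constructed timestamp
    server = AuthServer()
    server.enroll("alice", seed)
    from_token = server.verify("alice", token_code(seed, now), now)
    # A party holding a copy of the seed computes the next code without the token.
    from_copy = server.verify("alice", token_code(bytes(seed), now + 60), now + 60)
    return from_token, from_copy

if __name__ == "__main__":
    print(demo())
```

The server cannot tell the two logins apart, which is why replacing the tokens (and with them the seeds) is the remedy once seed records are exposed.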
Saturday, September 10, 2011