Hello everyone,
I made an X25 firewall in a past life (read: another company) that was
using SecurID heavily for authentication, and I hope I could clarify some
points.
>>I believe that the SecurID server looks through a +/- 3 minute window.
IOW, if the SecurID card is set to change its token every minute, and
the server does not see the correct token right away, it looks in a 3
minute window for THAT token, and *then* synchs up the clocks. If it is
outside of that 3 minute window it looks into a +/- 10 minute window. IF
it is in the +/- 10 minute window, then the server will issue another
challenge to the card. Is this correct so far?<<
More or less, yes.
It would be +/- 1 min at the first attempt, then +/- 3 minutes, then +/- 10
minutes (but that would activate the "next PRN mode").
There's another mode that opens a +/- 20 min window: it's when the card is in
new PIN mode.
If you're outside those windows, too bad...
Yes, time is a CRITICAL factor when you use SecurID.
>>The token is transmitted to the server in the clear, and is therefore
snoopable if the server is not on its own subnet.<<
If it is an ACE/Server, no. The dialog between the client and the server is
encrypted....
>>A hacker then has the token and has a window of time in which to
use it.<<
No, if the PRN was valid and accepted, then that PRN is "burnt".
>>My question is this; Are the Tokens 1 time only? <<
Yes!
>>How secure is the card itself? Hackers have broken Europe's DSS by
hacking the access cards' PROMs and cloning them. <<
The card is tamper-proof. There's nothing to open (no battery case to
start with), and if you try to cut it, or to remove the plastic cover, it'll
suicide (and then display SD INC on the LCD panel).
The seed of the card is not stored in a PROM, but in RAM.
>>Why are the tokens submitted in the clear?<<
On an Ace/Server setup, they are not, dialog is encrypted.
Of course, it's encrypted only between the client & server, so if you're
telnetting to a client, then it's not encrypted from your computer to the
client.
If you want to avoid such a situation, then you can use PINPAD cards, where
your PIN is not in clear form.
Anyway, having someone's PIN is not enough to be authenticated, you also
need the card itself, and then it's the user's responsibility to alert the
admin that his token is missing/stolen.
The "beauty" of the SecurID concept is its simplicity. I've taught
50+ users how to swap from their "normal" login to "SecurID" login in
less than 5 minutes.
I do agree that a challenge/response card could be more secure, but if it's
too complex to handle, users will not use it.
Henri
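A small model of the server-side acceptance policy Henri describes (widening +/-1, +/-3, +/-10 minute windows, the "next PRN mode", the +/-20 minute new-PIN window, and a once-accepted PRN being "burnt"). This is an added illustration, not code from the post or from the ACE/Server; the per-minute code derivation with HMAC-SHA256 is a constructed stand-in for the real, proprietary card algorithm, and the seed and status strings are assumptions.

```python
import hashlib
import hmac

class TokenCard:
    """Constructed stand-in for a time-synced card: one 6-digit code per minute.
    Real SecurID uses a proprietary algorithm; HMAC-SHA256 is an assumption."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def code(self, minute: int) -> str:
        mac = hmac.new(self.seed, minute.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class AceServer:
    """Hypothetical model of the acceptance policy described in the post."""
    WINDOWS = (1, 3, 10)      # widening search, in minutes around the expected code
    NEW_PIN_WINDOW = 20       # wider window only while the card is in new-PIN mode

    def __init__(self, seed: bytes):
        self.card = TokenCard(seed)
        self.offset = 0       # learned drift: card minute minus server minute
        self.burnt = set()    # minutes whose code was already accepted
        self.next_prn = False # server demands the following code before login

    def _find(self, code: str, now: int, width: int):
        # Return the card minute within +/-width whose code matches, else None.
        centre = now + self.offset
        for m in range(centre - width, centre + width + 1):
            if hmac.compare_digest(self.card.code(m), code):
                return m
        return None

    def authenticate(self, code: str, now: int, new_pin_mode: bool = False) -> str:
        widths = (self.NEW_PIN_WINDOW,) if new_pin_mode else self.WINDOWS
        for width in widths:
            m = self._find(code, now, width)
            if m is None:
                continue                      # not in this window, widen it
            if m in self.burnt:
                return "REJECT_REPLAY"        # a PRN is one-time: it is burnt
            self.burnt.add(m)
            self.offset = m - now             # resynchronise with the card clock
            if self.next_prn:                 # second consecutive code completes it
                self.next_prn = False
                return "ACCEPT"
            if width == 10:                   # only found in the 10-minute window
                self.next_prn = True
                return "NEXT_PRN_REQUIRED"
            return "ACCEPT"
        return "REJECT"                       # outside every window: too bad
```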