RSA SecurID SID800 Token vulnerable by design

Daniel Carosone dan at geek.com.au
Fri Sep 15 02:32:04 EDT 2006 

On Thu, Sep 14, 2006 at 02:48:54PM -0400, Leichter, Jerry wrote:
> | The problem is that _because there is an interface to poll the token for
> | a code across the USB bus_, malicious software can *repeatedly* steal new
> | token codes *any time it wants to*.  This means that it can steal codes
> | when the user is not even attempting to authenticate....
>
> I think this summarizes things nicely.

Me too.  While less emphatic, my reaction to Vin's post was similar to
Thor's.. that it seemed to at least miss, if not bury, this point.

But let's not also forget that these criticisms apply approximately
equally to smart card deployments with readers that lack a dedicated
pinpad and signing display.  For better or worse, people use those to
unlock the token with a pin entered on the host keyboard, and allow
any authentication by any application during a 'session', too.

> Pressing the button supplies exactly the confirmation of intent that
> was lost.

And further, a token that includes more buttons (specifically, a
pinpad for secure entry of the 'know' factor) is vulnerable to fewer
attacks, and one that permits a challenge-response factor for specific
transaction approval is vulnerable to fewer again (both at a cost).
Several vendors have useful offerings of these types.

The worst cost for these more advanced methods may be in user
acceptance: having to type one or more things into the token, and then
the response into the computer.  A USB connected token could improve
on this by transporting the challenge and response, displaying the
challenge while leaving the pinpad for authentication and approval.

But the best attribute of tokens is they neither use nor need *any*
interface other than a user interface. Therefore:

 * it works anywhere with any client device, like my phone. I choose
   my token model and balance user overhead according to my needs.

 * it is simple to analyse.  How would you ensure the above ideal
   hypothetical USB token really couldn't be subverted over the bus?

By the time you've given up that benefit, and done all that analysis,
and dealt with platform issues, perhaps you might as well get the
proper pinpad smartcard it's starting to sound like, and get proper
signatures as well, rather than using a shared-key with the server.

--
Dan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20060915/952324d0/attachment.pgp>

More information about the cryptography mailing list