[cryptography] Here's What Law Enforcement Can Recover From A Seized iPhone
smb at cs.columbia.edu
Thu Mar 28 21:36:45 EDT 2013
> All excellent, well articulated points. I guess that means that
> RSA Security is an insane company then since that's
> pretty much what they did with the SecurID seeds.
Well, we don't really know what RSA stores; it's equally plausible
that they have a master key and use it to encrypt the device serial
number to produce the per-device key. But yes, that's isomorphic.
What Jon left out of his excellent analysis is this: what is the
purpose of having such a database? For Apple, which pushes a host
or cloud backup solution, there's a lot less point; if a phone is
dying, you restore your state onto a new phone. They simply have no
reason to need such keys. With RSA, though, it's a different story.
They're shipping boxes with hundreds or thousands of tokens to
customers; these folks need some way to get the per-token keys into
a database. How do they do that? For that matter, how does RSA
get keys into the devices? The outside of the devices has a serial
number; the inside has a key. How does provisioning work? It's
all a lot simpler, for both manufacturing and the customer, if
the per-device key is a function of a master key and the serial
number. You then ship the customer a file with the serial number
and the per-device key. When I look at p. 64 of
ftp://ftp.rsa.com/pub/docs/AM7.0/admin.pdf that sounds like what
happens: there's a per-token XML file that you have to "import"
into your system.
Translation: at some point in every token's life, RSA has to have
a database with the keys. Do they delete it? Is it available
to help customers who haven't backed up their own database properly?
I don't know the answer to those questions; I do claim that they
at least have a reason, which Apple apparently does not.
Btw: I've never been convinced that what was stolen from RSA was,
in fact, keys or master keys. Consider: when someone logs in
to a system with an RSA token, they enter a userid, probably a PIN,
and the code displayed on the token. This hypothetical database
or master key maps serial numbers -- not userids, and definitely
not PINs since RSA wouldn't have those -- to keys. How does an
attacker with this database figure out which userid goes with
which serial number?
--Steve Bellovin, https://www.cs.columbia.edu/~smb