[cryptography] Here's What Law Enforcement Can Recover From A Seized iPhone

Steven Bellovin smb at cs.columbia.edu
Thu Mar 28 21:36:45 EDT 2013

> All excellent, well articulated points. I guess that means that
> RSA Security is an insane company then since that's
> pretty much what they did with the SecurID seeds.

Well, we don't really know what RSA stores; it's equally plausible
that they have a master key and use it to encrypt the device serial
number to produce the per-device key.  But yes, that's isomorphic.

What Jon left out of his excellent analysis is this: what is the
purpose of having such a database?  For Apple, which pushes a host
or cloud backup solution, there's a lot less point; if a phone is
dying, you restore your state onto a new phone.  They simply have no
reason to need such keys.  With RSA, though, it's a different story.
They're shipping boxes with hundreds or thousands of tokens to
customers; these folks need some way to get the per-token keys into
a database.  How do they do that?  For that matter, how does RSA
get keys into the devices?  The outside of the devices has a serial
number; the inside has a key.  How does provisioning work?  It's
all a lot simpler, for both manufacturing and the customer, if
the per-device key is a function of a master key and the serial
number.  You then ship the customer a file with the serial number
and the per-device key.  When I look at p. 64 of
ftp://ftp.rsa.com/pub/docs/AM7.0/admin.pdf that sounds like what
happens: there's a per-token XML file that you have to "import"
into your system.

Translation: at some point in every token's life, RSA has to have
a database with the keys.  Do they delete it?  Is it available
to help customers who haven't backed up their own database properly?
I don't know the answer to those questions; I do claim that they
at least have a reason, which Apple apparently does not.

Btw: I've never been convinced that what was stolen from RSA was,
in fact, keys or master keys.  Consider: when someone logs in
to a system with an RSA token, they enter a userid, probably a PIN,
and the code displayed on the token.  This hypothetical database
or master key maps serial numbers -- not userids, and definitely
not PINs since RSA wouldn't have those -- to keys.  How does an
attacker with this database figure out which userid goes with
which serial number?

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
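An added illustration, not part of this post and not RSA's actual mechanism, of the provisioning design discussed above: the per-token key is a function of a master key and the printed serial number (HMAC-SHA256 is assumed as that function), the customer receives a serial-to-key export, and the consequence for the "Do they delete it?" question is that the export can be regenerated from the master key alone, unlike a design with independent random keys.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable


def derive_token_key(master_key: bytes, serial: str) -> bytes:
    """Per-token key as a function of the master key and the serial number.

    HMAC-SHA256 is an assumption standing in for whatever keyed function a
    vendor might use; the point is only that the key is derived, not stored.
    """
    return hmac.new(master_key, serial.encode("ascii"), hashlib.sha256).digest()


def provision_batch(master_key: bytes, serials: Iterable[str]) -> Dict[str, str]:
    """The file shipped to the customer: serial -> per-token key (hex)."""
    return {s: derive_token_key(master_key, s).hex() for s in serials}


def rebuild_after_deletion(master_key: bytes, serials: Iterable[str]) -> Dict[str, str]:
    """Deleting the vendor's copy of the database changes nothing while the
    master key survives: the same export is recomputed from serials alone."""
    return provision_batch(master_key, serials)


def provision_random(serials: Iterable[str]) -> Dict[str, str]:
    """Contrast design: independent random keys. Here the database really is
    the only copy, so deleting it does remove the vendor's ability to recover
    customer keys (at the cost of having to keep it for customer support)."""
    return {s: secrets.token_bytes(32).hex() for s in serials}


if __name__ == "__main__":
    # Constructed sample values, not real serial numbers or keys.
    master = secrets.token_bytes(32)
    batch = ["000123456789", "000123456790"]
    export = provision_batch(master, batch)
    assert export == rebuild_after_deletion(master, batch)
    print("derived export reproducible from master key:", export == rebuild_after_deletion(master, batch))
```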
