[cryptography] RSA SecurID breach (was "Re: Here's What Law Enforcement Can Recover From A Seized iPhone")
Kevin W. Wall
kevin.w.wall at gmail.com
Thu Mar 28 22:13:35 EDT 2013
Note subject change.
On Thu, Mar 28, 2013 at 9:36 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> All excellent, well articulated points. I guess that means that
>> RSA Security is an insane company then since that's
>> pretty much what they did with the SecurID seeds.
> Well, we don't really know what RSA stores; it's equally plausible
> that they have a master key and use it to encrypt the device serial
> number to produce the per-device key. But yes, that's isomorphic.
> What Jon left out of his excellent analysis is this: what is the
> purpose of having such a database? For Apple, which pushes a host
> or cloud backup solution, there's a lot less point; if a phone is
> dying, you restore your state onto a new phone. They simply have no
> reason to need such keys. With RSA, though, it's a different story.
> They're shipping boxes with hundreds or thousands of tokens to
> customers; these folks need some way to get the per-token keys into
> a database. How do they do that? For that matter, how does RSA
> get keys into the devices? The outside of the devices has a serial
> number; the inside has a key. How does provisioning work? It's
> all a lot simpler, for both manufacturing and the customer, if
> the per-device key is a function of a master key and the serial
> number. You then ship the customer a file with the serial number
> and the per-device key. When I look at p. 64 of
> ftp://ftp.rsa.com/pub/docs/AM7.0/admin.pdf that sounds like what
> happens: there's a per-token XML file that you have to "import"
> into your system.
Yes; that's exactly what you do. And RSA has told us that the do
not have a master key used to generate them but that they are
generated randomly. They told us that DB that was snatched
contained the seeds and serial #s. If a master key and serial #
was in itself sufficient it doesn't make a lot of sense why they
also store the seeds. Of course, they could have been lying,
but if that's the case, it's an RSA conspiracy theory because
I've heard the same story from two very independent sources
at RSA who work in separate divisions.
> Translation: at some point in every token's life, RSA has to have
> a database with the keys. Do they delete it? Is it available
> to help customers who haven't backed up their own database properly?
> I don't know the answer to those questions; I do claim that they
> at least have a reason, which Apple apparently does not.
Long ago, they apparently deleted it, at least after a short
period of time, once they were confident that the fobs were
delivered and the seeds from the XML file imported.
But then they started to get calls from customers who had
lost the XML file or had their local DBs munged and needed
the seeds to restore usage to their fobs. Ultimately this lead
to RSA replacing the customer's fobs (at some cost to the
customer). RSA claims that they saw an opportunity to
save their customers grief and according to them, starting
offering their SecurID customers a free service of keeping a
backup of their customer's serial #s and seeds. What I was
told that this originally was part of the contract and the
customer could opt-out of the free backup service if they
desired. But at some point, following numerous contract
revisions they apparently stopped even mentioning this
service in their purchase contracts. (One RSA person
speculated that this was probably because so few customers
had opted-out and all the customers who availed themselves
of the service were so happy their current fobs weren't toast
that someone in sales figured it would just be a good idea
to provide the service to all of their customers.)
Now, as I heard the story, RSA originally did everything
right and they had completely air-gapped their DB and
web interface to it and their CSRs had to use a manual swivel
chair process to manually copy the seed into an email
destined to the customer who missed the seeds for their
fobs. However, eventually there was pressure from their
customers to speed up the process of seed recovery and
they removed the air gap. The rest is history... a few
well-targeted spear phishing attacks with a 0day Adobe
Flash exploit in an Excel spreadsheet and eventually
we were introduced to the new APT acronym.
> Btw: I've never been convinced that what was stolen from RSA was,
> in fact, keys or master keys. Consider: when someone logs in
> to a system with an RSA token, they enter a userid, probably a PIN,
> and the code displayed on the token. This hypothetical database
> or master key maps serial numbers -- not userids, and definitely
> not PINs since RSA wouldn't have those -- to keys. How does an
> attacker with this database figure out which userid goes with
> which serial number?
Mostly answered above. We were also told that there was
a separate database of customers and SecurID serial #s
that was not air-gapped. What was not clear is whether
or not all individual serial #s were there. It seems unlikely,
but for bulk shipments, RSA usually ships consecutive
blocks of serial #s. (At least they do that for big customers
who order 1000 at a time.)
BTW, no "tinfoil hat"... I was actually being sarcastic, not only
with the initial "RSA insanity" comment (stupidity != insanity),
but especially the last comment with Apple. However, I will admit that
I didn't think through how stupid it sounded, especially in
retrospect to Jon's remarks about Apple's net worth vs.
some country's GDPs. So very dumb, yes, but my paranoia doesn't
stretch *that* far. (Boy, we really need a simple emoticon for
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
More information about the cryptography