0

I'm very much fascinated by RSA SecurID and similar 2-factor systems.

I have been through many articles including this one: https://security.stackexchange.com/questions/9584/can-the-numbers-on-rsa-securid-tokens-be-predicted

My question is, since RSA's algorithm uses a "seed" and the numbers therefore generated are in a "series".

What if I generated a token on the secure device when the server asked for it and instead of using that token I pressed the button again to generate another token? Would this not cause a "mismatch" in the series running on the device and on the server?

It would have been easier if the logic just depended on the clock and device serial or so but since there are seed and random numbers involved, I wonder what happens if you skip a token or two?

Thanks.

Community
  • 1
  • 1
A Sharma
  • 626
  • 1
  • 5
  • 13
  • Pressing the button doesn't generate a new token, it just turns on the display so you can see the current token (for those devices that have a button at all). – Nick Bastin Jun 16 '14 at 17:56

2 Answers2

3

As I understand it, the SecurID tokens don't use a "rolling counter" — the token is generated solely from the device serial and the current time. Also: in the RSA SecurID tokens I've seen (admittedly limited), the user doesn't press a button to generate the token; instead the token is constantly visible on the screen. Thus the token generated doesn't get out of sync (in the sequence) with the server, except for the possibility of clock drift on the token side (usually servers use NTP and so their clock drift is negligible).

However, the typical solution for clock drift problems is to store a "drift" parameter on the server, on a per-token basis. This drift parameter can be updated manually (for maximal security but also maximal pain) or one can check the surrounding intervals on the server side. For example, if I log in now, you might check the server's current sixty-second interval, the previous one, and the next one all for validity, and if the previous/next are valid, you store that drift for the token.

On the other hand, there is an algorithm that suffers from the problem you've described: the HMAC-based One-time Password Algorithm. It uses a rolling counter that is supposed to be synchronized on both the server and the token. So, if you have a HOTP-based authenticator and you press the token generate button many times, you will cause it to fall out of sync, and manual intervention is required by the server administrator.

A similar solution can be enacted as above: check the next few values of the counter, say counter+1, counter+2, counter+3, etc., and store that as a 'drift' parameter. Depending on how far out one checks, the token could eventually go out of sync, if it were pressed repeatedly.

A variant of HOTP that fixes is the problem is the time-baesd version, which uses a "time counter" instead of a real counter. This is what Google Authenticator uses. Here, you still have the clock drift problem, with the same solution as above.

Reid
  • 18,959
  • 5
  • 37
  • 37
0

If you are fascinated by the OTP systems then you should read RFC 4226 which describes HMAC-Based OTP algorithm and RFC 6238 which describes TIME-Based OTP algorithm as these two algorithms are used by the most of the OTP solutions available today.

If you are interested also in the recent developments in the area of two factor authentication then you should visit website of FIDO Alliance and take a look at their specs too.

jariq
  • 11,681
  • 3
  • 33
  • 52