For those of you with a vested interest in cyber security, you have probably already read about the recent RSA hack at EMC, which exposed client data and potentially reduced the effectiveness of SecurID tokens. (http://www.engadget.com/2011/03/18/rsa-hacked-data-exposed-that-could-reduce-the-effectiveness-o/) Pretty embarrassing and ironic, coming from a security giant. The more important questions to consider here are: why, and how?
The RSA technology employs the One Time Password (OTP) approach to strong authentication. Let's take a closer look at the difference between the use of OTP and Smart Cards.
The RSA SecurID tokens use the time-synchronous method to produce an OTP. The RSA mechanism consists of a back-end authentication server called RSA Authentication Manager (or ACE Server) and a client hardware token that displays a unique OTP every 30 to 60 seconds. The client token is factory-encoded with a unique 128-bit seed and a built-in clock. For this time-synchronous OTP mechanism to work, the seed for each client token is loaded into the RSA Authentication Manager and the clocks of the server and the tokens are synchronized. When a user tries to authenticate by entering the OTP displayed on the token, the RSA Authentication Manager computes the OTP for that instant in time and compares it with the submitted value to authenticate the user.
Now, let's go back to what happened at EMC. The unknown variable in the situation, or at least the unrevealed variable, is the nature of the data that was stolen. If the stolen data is related to the seeds that are associated with the tokens, then this is a pretty dire and serious situation, as several soft tokens are readily available that can generate the OTP given that they have the client and server seed. In this scenario, the only protection available to the users with the compromised seed is the PIN/password that is also required during the authentication process. However, this negates the two-factor authentication approach, making the company's security, well, less secure. Also, some customers don't need to append the PIN/password to the OTP, leaving them completely vulnerable and exposed by such a situation. In this case, the only solution would be to replace the client hardware tokens - both expensive and time-consuming.
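To make the two preceding paragraphs concrete, here is an added example (not code from the original post, and not RSA's proprietary SecurID algorithm) of a generic time-synchronous OTP: a shared seed and a clock step are fed into an HMAC, the server recomputes the same value and tolerates a little clock drift, and an optional PIN supplies the second factor. The seed, PIN and timestamps are constructed sample values, and HMAC-SHA256 is an assumption chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60        # the post says tokens rotate every 30 to 60 seconds
DRIFT_STEPS = 1          # server accepts the previous/next step to absorb clock drift

# Constructed 128-bit seed; in the real system it is factory-encoded into the
# hardware token and loaded into the Authentication Manager.
SEED = bytes(range(16))
PIN_HASH = hashlib.sha256(b"1234").hexdigest()   # constructed sample PIN record


def otp_for_step(seed: bytes, step: int, digits: int = 6) -> str:
    """Code shown for one time step: HMAC(seed, step) truncated to N digits."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def token_display(seed: bytes, now: int) -> str:
    """What the hardware token (or any soft token holding the seed) displays."""
    return otp_for_step(seed, now // STEP_SECONDS)


def server_verify(seed: bytes, submitted: str, now: int) -> bool:
    """Server side: recompute the OTP for the current and neighbouring steps."""
    current = now // STEP_SECONDS
    ok = False
    for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        # constant-time compare; no early return so timing does not leak the step
        ok |= hmac.compare_digest(otp_for_step(seed, step), submitted)
    return ok


def server_verify_with_pin(seed: bytes, pin_hash: str, pin: str,
                           submitted: str, now: int) -> bool:
    """Two factors: knowledge (PIN) and possession (seed + clock).
    If the seed leaks, only the PIN check still protects the account."""
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), pin_hash)
    otp_ok = server_verify(seed, submitted, now)
    return pin_ok & otp_ok   # evaluate both; avoid short-circuit timing differences
```

Because the code is a pure function of seed and time, a copy of the seed is enough to reproduce every future code, which is exactly why a seed leak forces a token replacement rather than a password reset.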
So what's the real solution? The Smart Card - a more secure two-factor authentication mechanism based on Public Key Infrastructure (PKI) authentication. The PKI authentication mechanism is based on asymmetric key encryption consisting of a public/private key pair and provides the added benefits of email encryption, digital signatures, encrypted file systems (EFS), web authentication and encryption (SSL).
As the name implies, the private key is known only to the user and is used to encrypt data that can only be decrypted by the corresponding public key, which is published to everyone in the organization. The private key is generated on the smart card and never leaves the smart card, making it useful for non-repudiation. A trusted certificate authority issues and publishes the public keys in the form of digital certificates, which also cannot be forged. The only way a PKI system can be compromised is if the certificate authority is compromised, which, even in the worst-case scenario, is much easier and less expensive to fix, since the existing smart cards can be kept and a new set of certificates can be issued within a matter of hours.
Now contrast this scenario with the OTP security breach, which might take millions of dollars and multiple weeks to resolve. What would you call the smarter solution?