> All excellent, well-articulated points. I guess that means that
> RSA Security is an insane company then since that's
> pretty much what they did with the SecurID seeds.
Well, we don't really know what RSA stores; it's equally plausible that they have a master key and use it to encrypt the device serial number to produce the per-device key. But yes, that's isomorphic.

However... What Jon left out of his excellent analysis is this: what is the purpose of having such a database? For Apple, which pushes a host or cloud backup solution, there's a lot less point; if a phone is dying, you restore your state onto a new phone. They simply have no reason to need such keys.

With RSA, though, it's a different story. They're shipping boxes with hundreds or thousands of tokens to customers; these folks need some way to get the per-token keys into a database. How do they do that? For that matter, how does RSA get keys into the devices? The outside of the devices has a serial number; the inside has a key. How does provisioning work? It's all a lot simpler, for both manufacturing and the customer, if the per-device key is a function of a master key and the serial number. You then ship the customer a file with the serial number and the per-device key. When I look at p. 64 of ftp://ftp.rsa.com/pub/docs/AM7.0/admin.pdf that sounds like what happens: there's a per-token XML file that you have to "import" into your system.

Translation: at some point in every token's life, RSA has to have a database with the keys. Do they delete it? Is it available to help customers who haven't backed up their own database properly? I don't know the answer to those questions; I do claim that they at least have a reason, which Apple apparently does not.

Btw: I've never been convinced that what was stolen from RSA was, in fact, keys or master keys. Consider: when someone logs in to a system with an RSA token, they enter a userid, probably a PIN, and the code displayed on the token. This hypothetical database or master key maps serial numbers -- not userids, and definitely not PINs since RSA wouldn't have those -- to keys.
How does an attacker with this database figure out which userid goes with which serial number?

--Steve Bellovin, https://www.cs.columbia.edu/~smb
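The provisioning scheme the message speculates about, as an added example that is not part of the original post and is not RSA's actual design: a hypothetical vendor derives each per-token key from a master key and the serial number, the shipped file maps serial to key and nothing else, and only the customer's authentication server joins a userid and PIN to a serial. The master key, serials, userids and PINs are constructed placeholders, and the code format is an HOTP-style truncation chosen for illustration.

```python
import hmac
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed placeholder for the example; a real vendor master key would be random.
MASTER_KEY = b"vendor-master-key-placeholder-0000"


def derive_token_key(master_key: bytes, serial: str) -> bytes:
    """Vendor side (hypothetical): per-token key = HMAC-SHA256(master_key, serial).
    Nothing need be stored to regenerate a key later; the serial alone suffices."""
    return hmac.new(master_key, serial.encode("ascii"), hashlib.sha256).digest()


def vendor_shipment(master_key: bytes, serials: Iterable[str]) -> Dict[str, bytes]:
    """The per-token file shipped with a batch: serial -> key. No userids, no PINs."""
    return {s: derive_token_key(master_key, s) for s in serials}


def token_code(token_key: bytes, time_step: int, digits: int = 6) -> str:
    """Token side: the displayed code for one time step (HOTP-style dynamic truncation)."""
    mac = hmac.new(token_key, time_step.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CustomerAuthServer:
    """Customer side: the only place where userid, PIN and serial are associated."""

    def __init__(self, shipment: Dict[str, bytes]) -> None:
        self.token_keys = shipment                     # imported from the vendor file
        self.users: Dict[str, Tuple[str, str]] = {}    # userid -> (serial, pin), assigned locally

    def enroll(self, userid: str, serial: str, pin: str) -> None:
        self.users[userid] = (serial, pin)

    def login(self, userid: str, pin: str, code: str, time_step: int) -> bool:
        """Check PIN and token code; constant-time compares avoid leaking partial matches."""
        if userid not in self.users:
            return False
        serial, expected_pin = self.users[userid]
        if not hmac.compare_digest(pin, expected_pin):
            return False
        expected_code = token_code(self.token_keys[serial], time_step)
        return hmac.compare_digest(code, expected_code)
```

The vendor-side data (master key or shipment file) never contains the userid-to-serial association; that lives only in the customer's enrollment table.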