Note subject change. On Thu, Mar 28, 2013 at 9:36 PM, Steven Bellovin <[email protected]> wrote: >> All excellent, well articulated points. I guess that means that >> RSA Security is an insane company then since that's >> pretty much what they did with the SecurID seeds. > > Well, we don't really know what RSA stores; it's equally plausible > that they have a master key and use it to encrypt the device serial > number to produce the per-device key. But yes, that's isomorphic. > However... > > What Jon left out of his excellent analysis is this: what is the > purpose of having such a database? For Apple, which pushes a host > or cloud backup solution, there's a lot less point; if a phone is > dying, you restore your state onto a new phone. They simply have no > reason to need such keys. With RSA, though, it's a different story. > They're shipping boxes with hundreds or thousands of tokens to > customers; these folks need some way to get the per-token keys into > a database. How do they do that? For that matter, how does RSA > get keys into the devices? The outside of the devices has a serial > number; the inside has a key. How does provisioning work? It's > all a lot simpler, for both manufacturing and the customer, if > the per-device key is a function of a master key and the serial > number. You then ship the customer a file with the serial number > and the per-device key. When I look at p. 64 of > ftp://ftp.rsa.com/pub/docs/AM7.0/admin.pdf that sounds like what > happens: there's a per-token XML file that you have to "import" > into your system.
Yes; that's exactly what you do. And RSA has told us that the do not have a master key used to generate them but that they are generated randomly. They told us that DB that was snatched contained the seeds and serial #s. If a master key and serial # was in itself sufficient it doesn't make a lot of sense why they also store the seeds. Of course, they could have been lying, but if that's the case, it's an RSA conspiracy theory because I've heard the same story from two very independent sources at RSA who work in separate divisions. > Translation: at some point in every token's life, RSA has to have > a database with the keys. Do they delete it? Is it available > to help customers who haven't backed up their own database properly? > I don't know the answer to those questions; I do claim that they > at least have a reason, which Apple apparently does not. Long ago, they apparently deleted it, at least after a short period of time, once they were confident that the fobs were delivered and the seeds from the XML file imported. But then they started to get calls from customers who had lost the XML file or had their local DBs munged and needed the seeds to restore usage to their fobs. Ultimately this lead to RSA replacing the customer's fobs (at some cost to the customer). RSA claims that they saw an opportunity to save their customers grief and according to them, starting offering their SecurID customers a free service of keeping a backup of their customer's serial #s and seeds. What I was told that this originally was part of the contract and the customer could opt-out of the free backup service if they desired. But at some point, following numerous contract revisions they apparently stopped even mentioning this service in their purchase contracts. (One RSA person speculated that this was probably because so few customers had opted-out and all the customers who availed themselves of the service were so happy their current fobs weren't toast that someone in sales figured it would just be a good idea to provide the service to all of their customers.) Now, as I heard the story, RSA originally did everything right and they had completely air-gapped their DB and web interface to it and their CSRs had to use a manual swivel chair process to manually copy the seed into an email destined to the customer who missed the seeds for their fobs. However, eventually there was pressure from their customers to speed up the process of seed recovery and they removed the air gap. The rest is history... a few well-targeted spear phishing attacks with a 0day Adobe Flash exploit in an Excel spreadsheet and eventually we were introduced to the new APT acronym. > Btw: I've never been convinced that what was stolen from RSA was, > in fact, keys or master keys. Consider: when someone logs in > to a system with an RSA token, they enter a userid, probably a PIN, > and the code displayed on the token. This hypothetical database > or master key maps serial numbers -- not userids, and definitely > not PINs since RSA wouldn't have those -- to keys. How does an > attacker with this database figure out which userid goes with > which serial number? > Mostly answered above. We were also told that there was a separate database of customers and SecurID serial #s that was not air-gapped. What was not clear is whether or not all individual serial #s were there. It seems unlikely, but for bulk shipments, RSA usually ships consecutive blocks of serial #s. (At least they do that for big customers who order 1000 at a time.) BTW, no "tinfoil hat"... I was actually being sarcastic, not only with the initial "RSA insanity" comment (stupidity != insanity), but especially the last comment with Apple. However, I will admit that I didn't think through how stupid it sounded, especially in retrospect to Jon's remarks about Apple's net worth vs. some country's GDPs. So very dumb, yes, but my paranoia doesn't stretch *that* far. (Boy, we really need a simple emoticon for sarcasm.) -kevin -- Blog: http://off-the-wall-security.blogspot.com/ "The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
