On 11/01/2013 22:57, Robert Hajime Lanning wrote:
> RSA soft token generates the code using the serial number/PIN/time as
> input. Always gives you a code.
Not quite, with the ones I've used anyway.
The user's PIN is only entered as input for the login password, along with
the "random" value generated by the token (real, or soft. Actually, RSA used
to have a token model where the PIN was keyed into the token and hashed to
form a response, but it still didn't confirm the PIN: it merely avoided it
being sent in plain text across an unsecured network connection.)
So you cannot offline brute force the PIN. It's maintained and verified by
the RSA Authentication Manager server (nee SecurID ACE server).
Also I can tell you, from experience, that a duplication of a disk with a
soft token installed leaves you without a working soft token when using the
new disk (but obviously, if you know what's going on and prepare ahead of
time, there are ways to still access the seed. However, theft of a backup or
copying the datafile won't get you in.)
Even with the possible compromise in 2011 of ACE token seeds, it was always
claimed that they were generated automatically, loaded into the physical
tokens, and then written to disk and packaged. So new batches of tokens
should pose no problem.
Physical tokens won't always help prevent misuse though - this excellent
story was recently disclosed -
http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/
James.
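As an added example (not part of the original mail, and not RSA's actual SecurID algorithm), here is a simplified Python model of the split James describes: the token derives its code from the seed and the clock only, while the server holds a salted PIN hash and is the only place the PIN is ever checked, so a copied token file yields codes but no PIN, and PIN guessing has to go through the server where it can be counted and locked out. The HMAC-SHA256 truncation, 60-second step, 4-digit PIN, ±1 step drift window and three-strike lockout are assumptions of this model.

```python
import hashlib
import hmac
import os
import struct

# Constructed demonstration seed; a real token seed is per-device secret material
# provisioned by the vendor and never shown to the user.
TOKEN_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
TOKEN_STEP = 60  # seconds per tokencode (assumed, not the vendor's actual interval)
CODE_DIGITS = 6


def token_code(seed: bytes, now: int, step: int = TOKEN_STEP) -> str:
    """Token side: the code depends only on the seed and the clock.

    The PIN plays no part here, which is why a stolen hardware token or a
    copied soft-token file still produces codes but never reveals a PIN.
    """
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class AuthServer:
    """Authentication Manager side: holds the seed and a salted PIN hash.

    The PIN is verified only here, so guessing it means online attempts that
    the server can count, throttle and lock out; there is nothing to attack
    offline in the token data alone.
    """

    def __init__(self, seed: bytes, pin: str, max_failures: int = 3):
        self.seed = seed
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, passcode: str, now: int) -> bool:
        """passcode = PIN immediately followed by the 6-digit tokencode."""
        if self.locked:
            return False
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        # Tolerate one step of clock drift on either side.
        code_ok = any(
            hmac.compare_digest(code, token_code(self.seed, now + d * TOKEN_STEP))
            for d in (-1, 0, 1)
        )
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the cases from the discussion with a constructed user."""
    server = AuthServer(TOKEN_SEED, pin="1234")
    code = token_code(TOKEN_SEED, now)
    results = {
        "pin_and_code": server.verify("1234" + code, now),   # both factors: accepted
        "wrong_pin": server.verify("0000" + code, now),      # valid code, bad PIN: rejected
        "code_only": server.verify(code, now),               # copied token, no PIN: rejected
    }
    # A third consecutive failure locks the account; even valid credentials then fail.
    server.verify("9999" + code, now)
    results["after_lockout"] = server.verify("1234" + code, now)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the lockout branch is the one James makes: because only the server can say whether a PIN is right, every PIN guess is a logged, countable event on the Authentication Manager, not a computation the holder of a seed can run privately.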
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/