RSA SecurID
== Description == [[File:RSA SecurID Token Old.jpg|thumbnail|RSA SecurID token (older style, model SD600)]] [[File:SecureID token new.JPG|thumbnail|RSA SecurID token (model SID700)]] [[File:RSA SecurID SID800.jpg|thumbnail|RSA SecurID (new style, SID800 model with smartcard functionality)]] The RSA SecurID authentication mechanism consists of a "[[security token|token]]"—either hardware (e.g. a [[key fob]]) or software (a [[software token|soft token]])—which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) from a built-in clock and the token's factory-encoded, effectively random [[Key (cryptography)|key]] (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server<ref>{{cite web | url = http://docs.oracle.com/cd/E12530_01/oam.1014/e10356.pdf | title = Oracle® Access Manager Integration Guide | publisher = [[Oracle Corporation]] | date = August 2007 | quote = [...] the RSA ACE/Server®, which has been renamed to the Authentication Manager. }}</ref>) as the tokens are purchased.<ref name="totp">{{Cite news|url=http://tools.ietf.org/html/draft-mraihi-totp-timebased-00|title=RFC ft-mraihi-totp-timebased: TOTP: Time-Based One-Time Password Algorithm|newspaper=Ietf Datatracker|date=May 13, 2011|archive-date=November 25, 2012|access-date=September 30, 2011|archive-url=https://web.archive.org/web/20121125073714/http://tools.ietf.org/html/draft-mraihi-totp-timebased-00|url-status=live}}</ref> On-demand tokens are also available; these deliver a tokencode via email or SMS, eliminating the need to provision a physical or software token to the user. The token hardware is designed to be [[tamper resistance|tamper-resistant]] to deter [[reverse engineering]].
When software implementations of the same algorithm ("software tokens") appeared on the market, the security community had already developed public code allowing a user to emulate RSA SecurID in software, provided they had access to a current RSA SecurID code and the original 64-bit RSA SecurID seed file loaded into the server.<ref>{{Cite web|url=https://seclists.org/bugtraq/2000/Dec/459|title=Bugtraq: Sample SecurID Token Emulator with Token Secret Import|website=seclists.org}}</ref> Later, the 128-bit RSA SecurID algorithm was published as part of an open source library.<ref>{{Cite web|url=https://sourceforge.net/p/stoken/wiki/Home/|title=stoken / Wiki / Home|website=sourceforge.net}}</ref> In the RSA SecurID authentication scheme, the seed record is the secret key used to generate [[one-time password]]s. <!-- Previously this article has OTP capitalized (using a piped Wikilink), for no good reason. That would make "OTP" a proper noun, which in this context it is not. Just because something has an acronym does not mean its expansion should be capitalized. --> Newer versions also feature a USB connector, which allows the token to be used as a [[smart card]]-like device for securely storing [[Public key certificate|certificates]].<ref>{{Cite web|url=https://www.rsa.com/resources/datasheets/|archiveurl=https://web.archive.org/web/20081113005859/http://www.rsa.com/products/securid/datasheets/9651_SID800_DS_0908-lowres.pdf|url-status=dead|title=Data Sheets|archivedate=November 13, 2008}}</ref> A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a [[personal identification number]] and the number being displayed ''at that moment'' on their RSA SecurID token. Though increasingly rare, some systems using RSA SecurID disregard the PIN altogether and rely on a password combined with the RSA SecurID code.
The server, which also has a real-time clock and a database of valid tokens with their associated seed records, authenticates a user by computing the number the token is supposed to be showing at that moment and checking it against what the user entered. On older versions of SecurID, a "duress PIN" could be used—an alternate code which creates a security event log entry showing that the user was forced to enter their PIN, while still providing transparent authentication.<ref>{{Cite web |url=http://www.process.com/tcpip/tcpware57docs/User_Guide/ch14.htm#E53E27 |title=TCPware V5.7 User's Guide ch14.HTM |access-date=2013-03-20 |archive-url=https://web.archive.org/web/20120301071802/http://www.process.com/tcpip/tcpware57docs/User_Guide/ch14.htm#E53E27 |archive-date=2012-03-01 |url-status=dead }}</ref> Using the duress PIN allowed one successful authentication, after which the token was automatically disabled. The "duress PIN" feature has been deprecated and is not available on currently supported versions. While the RSA SecurID system adds a layer of security to a network, difficulty can occur if the authentication server's clock falls out of sync with the clock built into the authentication tokens. Normal token clock drift is accounted for automatically by the server, which adjusts a stored "drift" value for each token over time. If the out-of-sync condition is not the result of normal hardware token clock drift, the Authentication Manager server clock can be resynchronized with the affected token (or tokens) in several ways. If the server clock had drifted and the administrator corrected the system clock, the tokens can either be resynchronized one by one, or the stored drift values can be adjusted manually. The drift adjustment can be applied to individual tokens or in bulk using a command-line utility.
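The two paragraphs above describe the token side (seed plus clock produce a code every fixed interval) and the server side (recompute the expected code, tolerate clock drift by maintaining a stored per-token drift value). The following added example models both in Python; it is not RSA's code and not the proprietary SecurID algorithm (it derives codes with HMAC-SHA256 in the style of the TOTP draft cited above), and the serial number, seed and PIN are constructed values. It also shows the replay check a verifier needs, since each code is meant to be one-time.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds; SecurID tokens usually roll to a new code every 60 s


def token_code(seed: bytes, t: int, digits: int = 6) -> str:
    """Code the token would display at Unix time t (simplified HMAC model)."""
    counter = t // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Seed records plus a per-token stored drift, measured in intervals."""

    def __init__(self, window: int = 1):
        self.records = {}       # serial -> {"seed", "pin", "drift", "last"}
        self.window = window    # extra intervals of drift tolerated per attempt

    def load_token(self, serial: str, seed: bytes, pin: str) -> None:
        self.records[serial] = {"seed": seed, "pin": pin, "drift": 0, "last": None}

    def verify(self, serial: str, passcode: str, server_time: int) -> bool:
        rec = self.records.get(serial)
        if rec is None:
            return False
        pin, code = passcode[:len(rec["pin"])], passcode[len(rec["pin"]):]
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        # Centre the search on the token's known drift so that slowly
        # accumulating clock drift is absorbed automatically.
        base = server_time + rec["drift"] * INTERVAL
        for step in range(-self.window, self.window + 1):
            t = base + step * INTERVAL
            if hmac.compare_digest(token_code(rec["seed"], t), code):
                counter = t // INTERVAL
                if rec["last"] is not None and counter <= rec["last"]:
                    return False        # a code is one-time: reject replay
                rec["drift"] += step    # remember the newly observed offset
                rec["last"] = counter
                return True
        return False                    # no code within the window matched
```

A token running one interval fast is accepted and its drift value updated, while one far outside the window is rejected until an administrator resynchronizes it.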
RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as [[IronKey]], [[SanDisk]], [[Motorola]], [[Freescale Semiconductor]], Redcannon, [[Broadcom]], and [[BlackBerry]] to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry.<ref> RSA Security to enable ubiquitous authentication as RSA SecurID(r) technology reaches everyday devices and software – M2 Presswire </ref>