Has RSA hack sown seeds of token resistance?

The recent high-profile cyber attack on the security specialist has raised questions about the effectiveness of two-factor authentication

In February this year RSA, the security arm of information infrastructure firm EMC, announced that it had been the victim of a cyber attack and that critical information may have been stolen from its servers.

At the time it was thought that this information could have included the “seed” data that helps to generate the random numbers used in the company’s two-factor authentication tokens. Anyone in possession of the seed would technically be able to use it (in combination with basic username and password information) to log in to the private networks and services of users of RSA’s secure token product.

In May, it seemed likely that this had happened, as the private corporate network of military hardware manufacturer and RSA customer Lockheed Martin experienced a significant disruption.

Security experts often cite the inherent weakness of username and password combinations as being a major cause of cyber attacks and data loss for enterprises. Two-factor authentication, such as RSA’s tokens and their pseudo-randomly generated numbers, was supposed to be a simple fix to that problem.

But do they resolve the problems they were designed to, and of the several types of token available, which is the most secure?

Julian Lovelock, senior director at secure identity solution provider ActivIdentity, explained that there are several different ways in which a secure token can produce the random number used with two-factor authentication.

“Some tokens [including those made by RSA] use a time-based algorithm. Some say there are issues with this as everyone in the world knows what the current time is. This means that if you can get to the key of a token and then you know the algorithm and the current time, you can generate the changing number.”

He added that other tokens use a counter or event (such as the number of times the user presses a button to display the random number) rather than time. The supposed improvement here is that while everyone knows the time, few people can know how many times an individual user presses a button.

However, Graham Titterington, principal analyst at research and intelligence firm Ovum, said that choosing the most appropriate method of number generation used in two-factor authentication is not one of the more important considerations end users will have when choosing how to secure their assets.

Perhaps more important is managing the key files related to the tokens. Key files are used to generate the random numbers.

And ActivIdentity’s Lovelock said that management of the seeds, or keys, is critical to a secure token strategy.

“If the token keys are compromised then the security of the token becomes compromised. The way you manage those keys is what underpins the security of the whole system.”

He added that tokens should be initialised locally by administrators, as sending CDs out to employees to do it themselves opens up the possibility of those CDs falling into the wrong hands. Initialisation involves attaching a unique label to the token enabling it to be identifiable to relevant systems and applications.

“Don’t leave CDs of seed files lying around, and ensure those files are secure in transit. The most secure model is one in which the tokens are initialised locally by the customer,” said Lovelock.

In addition to the real threat posed by insecure token technology, there is the perceived threat. In short, how has user confidence been affected by the RSA breach?

Lovelock said he has seen customers react to the news in three ways.

“Some customers are saying they think this will blow over and that they plan to stay with the vendor they’ve got. Some have decided to keep using secure tokens but change vendor. And some have lost confidence in tokens and are looking at smart cards as an alternative technology,” Lovelock said.

He added that ActivIdentity has snapped up a couple of RSA’s customers since the breach, but would not say who.

Titterington, however, was more upbeat about RSA, despite its problems.

“Now that RSA has suffered this breach I’m sure it will double its efforts to ensure it isn’t hacked again,” he said.