
Software SecurID: Sacrificing Security for Convenience
September 29, 2013

Posted by Jiaqi Wu in Security.

A password alone is adequate for protecting information of minor criticality, but sometimes a single secret is not enough. This is where two-factor authentication comes in. The concept is like a safe deposit box at the bank: both your key and the bank's key are required to open the box. If your key were stolen, it would not be enough to take your valuables, and the same applies if the bank's key were stolen. An attacker now has to compromise two secrets held in two different places rather than one, and that independence of the two holders is what makes the second factor worth having.

Another form of two-factor authentication is the RSA SecurID token. I was first introduced to this at the age of 8 when I saw my dad working from home. It was a curious small grey keychain with the build quality of a McDonald's Happy Meal toy. I always wanted to know how it worked when I was younger. It had no wires and the numbers kept changing. Somehow the computer knew what the number was. As I grew old enough to have my own SecurID keychain, my line of questioning matured. Instead of needing to know how it worked, which was simple enough, I wanted to know how to break it.

Nowadays there is also the Soft Token, a software implementation of the same SecurID dongle. I used this form for VPN access to my work for a while. However, as a software implementation it is by nature more exposed to attack. As any software developer would, the Soft Token's authors built on existing, widely available components. The token data is stored in a SQLite 3 database file on the user's computer. The file itself is readable, but the sensitive values are protected by two layers (not to be confused with the two authentication factors). The first ties them to the machine through the hard drive's serial number. The second is Windows' Data Protection API (DPAPI), which encrypts the values under a master key derived from the user's logon credentials. Neither layer is a secret that is independent of the machine. The drive serial is not a secret at all: any process on the machine can read it, and so can anyone who copies the disk. According to the SensePost article [1], the DPAPI layer can be defeated offline; DPAPI secrets are not bound to the hardware but to the user's logon credential, so whoever obtains the user's master key files together with the user's Windows password (or its hash) can decrypt them on a different computer. The article walks through copying the database and the DPAPI material, decrypting the token seed, and producing the same Soft Token codes on two machines simultaneously. The deeper problem is that the seed now lives on the same machine as the VPN client and the password that goes with it, so malware or an attacker with access to that one machine gets both factors at once, which is precisely the situation the safe deposit box was meant to rule out.
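To make the structure of the problem concrete, here is an added example, my own code and not the post's, RSA's or SensePost's, that models the scheme described above: a token seed sealed on disk under a key derived from the drive serial number and the user's logon credential, and a one-time code computed from that seed. The stand-ins are assumptions: PBKDF2 and a SHA-256 keystream replace RSA's vault format and DPAPI, and RFC 6238 TOTP replaces the SecurID token algorithm, which is a different algorithm. The serial number, password, nonce and seed are constructed values; the seed is the RFC 6238 test seed so the codes can be checked against the RFC's own table.

```python
"""Model of a file-resident software token and why it clones.

Added example; not the original post's code and not RSA's or SensePost's.
Stand-ins (assumptions): PBKDF2 for the key derivation, a SHA-256 keystream
for the on-disk vault (roughly the role DPAPI plays), RFC 6238 TOTP for the
token algorithm. The real SecurID seed format, KDF and algorithm differ.
"""
import hashlib
import hmac
import struct


def derive_vault_key(device_serial: str, logon_secret: bytes) -> bytes:
    """Key bound to this machine (drive serial) and this user (logon secret).
    Stand-in for the DPAPI user master key plus device-serial binding."""
    return hashlib.pbkdf2_hmac("sha256", logon_secret, device_serial.encode(), 50_000, 32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; demonstration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal_seed(seed: bytes, device_serial: str, logon_secret: bytes, nonce: bytes) -> bytes:
    """Write-side of the vault: nonce || (seed XOR keystream). Toy, no integrity tag."""
    assert len(nonce) == 16
    ks = keystream(derive_vault_key(device_serial, logon_secret), nonce, len(seed))
    return nonce + bytes(a ^ b for a, b in zip(seed, ks))


def open_seed(blob: bytes, device_serial: str, logon_secret: bytes) -> bytes:
    """Read-side of the vault: recompute the key and strip the keystream."""
    nonce, body = blob[:16], blob[16:]
    ks = keystream(derive_vault_key(device_serial, logon_secret), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP over the current time window."""
    return hotp(seed, unix_time // step, digits)


def clone_token(stolen_blob: bytes, observed_serial: str, recovered_logon_secret: bytes) -> bytes:
    """Attacker side. The blob and the serial are copied from the victim machine
    (neither is a secret to anyone who can read it); the logon secret is the one
    input that has to be recovered, e.g. by offline guessing."""
    return open_seed(stolen_blob, observed_serial, recovered_logon_secret)


# Constructed scenario values (not from any real device or user).
VICTIM_SERIAL = "WD-WCC4E1234567"
VICTIM_LOGON_SECRET = b"correct horse battery staple"
VICTIM_SEED = b"12345678901234567890"   # RFC 6238 test seed, so codes are checkable
VICTIM_NONCE = bytes(range(16))


def demo(unix_time: int = 1234567890) -> dict:
    """Enroll the victim, copy the vault, clone, and compare codes at one instant."""
    blob = seal_seed(VICTIM_SEED, VICTIM_SERIAL, VICTIM_LOGON_SECRET, VICTIM_NONCE)
    cloned = clone_token(blob, VICTIM_SERIAL, VICTIM_LOGON_SECRET)
    bad_guess = clone_token(blob, VICTIM_SERIAL, b"wrong guess")
    return {
        "victim_code": totp(VICTIM_SEED, unix_time),
        "clone_code": totp(cloned, unix_time),
        "wrong_password_code": totp(bad_guess, unix_time),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the victim's and clone's codes match, while a wrong password guess yields a different code. The serial number contributed nothing the attacker lacked, so the logon credential is the only barrier left, which is why the offline recoverability of the DPAPI layer decides the outcome.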

The software token is clearly a matter of convenience. The hardware token is a small device that is easily lost or forgotten, while a software implementation is available wherever your computer is. But a software implementation also puts the token's secret wherever your computer is, within reach of whoever has access to it, and it makes exploitation experiments like SensePost's [1] far cheaper than attacking a sealed dongle. The question is how much you value that bit of convenience over proper two-factor security.


[1] behrang. "A closer look into the RSA SecureID software token." SensePost blog, May 17, 2012. http://www.sensepost.com/blog/7045.html. Retrieved September 29, 2013.


