Is RSA listening?

Seldom has there been so much parsing, of so few words, by so many, as there has been since RSA's cryptic disclosure last week that "some" information on its SecurID two-factor authentication products had been compromised in an intrusion.

All that the company has said so far about the compromised data, at least publicly, is that it could "potentially" be used to "reduce the effectiveness" of SecurID when used as part of a "broader attack." Beyond that, RSA has left it entirely to the industry to try to figure out what exactly that combination of words might mean.

Not surprisingly, many see the company's alert as an admission that something is seriously broken with SecurID and that the technology simply cannot be trusted any longer. Some are even asking whether companies should stop using SecurID entirely, at least until RSA explains what's going on.

It's up to RSA at this point to either challenge those conclusions or to inform SecurID customers exactly what risks they face by their continued use of the technology.

Here's a sampling of what some analysts and experts think might have happened:

Security analyst Steve Gibson argued that the most reasonable conclusion to reach is that an RSA database mapping the public serial numbers of each SecurID token to its secret symmetric key has been compromised. Access to such information would allow attackers to generate pass codes for individual SecurID tokens.

"If the [public-serial-number-to-secret-key-mapping database] had NOT been compromised, there would be zero danger to users of RSA's SecurIDs," Gibson postulated. "But we know at least that the danger is not zero," so that must mean at least some of the key information was disclosed, he noted.

Gartner analyst Mark Diodati said that there are plenty of "real world implications" if the attackers managed to steal information on the "seeds" that determine the sequence of 6-digit numbers generated by each RSA SecurID token.

"If all of the seeds have been stolen, then the attacker can mount a generalized attack on any SecurID authentication," Diodati warned in his blog post.

Bruce Schneier, security guru and designer of the Blowfish encryption algorithm, thinks there are two likely scenarios if attackers have indeed compromised SecurID. One is that the attack was carried out by a sophisticated organization that wants the information for a specific and limited purpose. The other is that the data was stolen for conventional criminal purposes and is likely to be sold to others.

In either case RSA is "probably pretty screwed if SecurID is compromised," Schneier theorized. "Those hardware tokens have no upgrade path, and would have to be replaced," he said. That's likely to be a huge task for RSA, considering that over 20 million users currently rely on SecurID to authenticate themselves to networks and applications.
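The point Gibson and Diodati make above (a serial-number-to-seed record is the entire secret behind a token's code sequence) and Schneier's remedy (the tokens have to be replaced) can both be seen in a small simulation. The following Python is an added example, not code from the article or from RSA; it uses the public RFC 4226 HOTP algorithm as a stand-in for SecurID's proprietary time-based generator, which is an assumption made only because both share the property that the seed fully determines the codes. The serial numbers and seed database are constructed for the example (the first seed is the RFC 4226 test-vector key), and the `Verifier`, `reseed` and `seed_record_is_the_whole_secret` names are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed sample seed database: public token serial -> secret seed.
# This models the serial-number-to-seed mapping the article describes.
# The first seed is the RFC 4226 test-vector key; both serials are made up.
SEED_DB = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
    "000987654321": bytes.fromhex("00112233445566778899aabbccddeeff00112233"),
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code. Assumption: used as a stand-in for SecurID's
    proprietary algorithm, which shares the property that the seed alone
    determines the whole code sequence."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side: looks up the seed by serial and accepts a code if it
    matches one of the next `window` counter values, then consumes it so
    the same code cannot be replayed."""

    def __init__(self, seed_db: dict, window: int = 3):
        self.seed_db = dict(seed_db)
        self.counters = {serial: 0 for serial in seed_db}
        self.window = window
        self.audit_log = []  # every change to the seed store is recorded

    def verify(self, serial: str, code: str) -> bool:
        seed = self.seed_db.get(serial)
        if seed is None:
            return False
        start = self.counters[serial]
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, counter), code):
                self.counters[serial] = counter + 1
                return True
        return False

    def reseed(self, serial: str, new_seed: bytes) -> None:
        """Remedy for a leaked seed record: issue a new seed (for a hardware
        token, replace the device) and reset the counter."""
        self.seed_db[serial] = new_seed
        self.counters[serial] = 0
        self.audit_log.append(("reseed", serial))


def seed_record_is_the_whole_secret(serial: str) -> dict:
    """Shows the risk the article describes and its remedy; returns what
    the verifier accepted at each stage."""
    verifier = Verifier(SEED_DB)
    leaked_copy = dict(SEED_DB)  # a copy of the database; no token involved

    # 1. A code derived from nothing but the database record is
    #    indistinguishable from one produced by the genuine token.
    code_from_record = hotp(leaked_copy[serial], verifier.counters[serial])
    accepted_from_record = verifier.verify(serial, code_from_record)

    # 2. Reseeding (token replacement) makes the old record useless.
    new_seed = hashlib.sha1(b"replacement seed for " + serial.encode()).digest()  # constructed
    verifier.reseed(serial, new_seed)
    stale_code = hotp(leaked_copy[serial], verifier.counters[serial])
    accepted_after_reseed = verifier.verify(serial, stale_code)

    # 3. The reissued token, holding the new seed, still authenticates.
    fresh_code = hotp(new_seed, verifier.counters[serial])
    accepted_fresh = verifier.verify(serial, fresh_code)

    return {
        "record_alone_accepted": accepted_from_record,
        "record_accepted_after_reseed": accepted_after_reseed,
        "reissued_token_accepted": accepted_fresh,
        "audit_entries": len(verifier.audit_log),
    }


if __name__ == "__main__":
    print(seed_record_is_the_whole_secret("000123456789"))
```

The verifier never sees the token; it only sees a code and the seed it holds for that serial, which is why a copied seed database defeats the factor without any cryptanalysis, and why the only clean recovery is to change the seeds. The audit log on `reseed` is the minimal hook for Bellovin's concern below about administrative systems that can alter or insert keys: any write to the seed store should leave a record that can be reviewed.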

Steven Bellovin, a professor in the computer science department at Columbia University, offered a detailed technical look at how a technology like SecurID could be compromised. But he then went on to argue that it is highly unlikely that RSA, as a security vendor, would have allowed such compromises to happen.

Instead, what's more likely is that one of the myriad backend administrative products necessary to use SecurID was weak and allowed intruders into a key database, Bellovin said. "An attacker who could penetrate these administrative systems doesn't have to worry about key generation or cryptanalysis; they could simply steal existing keys or insert new ones of their own," he wrote. "The crypto may be strong, but what about the software?"

Copyright © 2011 IDG Communications, Inc.
