All About SecurID
by magus (securid@terrorists.net)
Right off the bat, I'd like to note - I wrote this article from memory. It may contain factual inaccuracies. Feel free to point them out constructively. Thanks.
Well, I've been wanting to write about SecurID and such for a while, and this spare hour or two on Greyhound is as good a time as any, I suppose... [/blatant geek plug]
For those of you who are scratching your heads and wondering "WTF is a SecurID? Did you just make it up so you'd have something to write an article about?" - the answer is yes! Ain't no such thing, it's all a massive hoax.
Heh, well no, they do exist, but I like the hoax idea [grin]. (Along those lines, don't worry about seemingly nonsensical comments in this article. Most of them are jokes only seven geeks worldwide will get. If one of these is you, email me!)
When most people speak of SecurID, they probably mean the SecurID tokens made by Security Dynamics (www.securitydynamics.com) and used by many corporations including America Online (one could write an article just about how AOL uses SecurID, since they have a fairly custom implementation. Don't they, Tatiana?), Pacific Bell, Bell Canada (I think), several universities, and countless corporations that nobody but their stockholders and their Security Dynamics account executive have ever heard of.
These tokens are little more than a blue piece of plastic with an LCD screen and SecurID in impressive red letters. If you don't have one, obtain one. They make great conversation pieces even if you don't use them for anything.
The screen displays up to eight numbers, but I've only seen six of those ever be used. These numbers rotate every 30, 45, or 60 seconds depending on the token and the server. The left-hand corner of the screen shows a series of bars which disappear one by one to let you know how close you are to the next rotation (number change). The purpose, of course, is to authenticate yourself to someone's server somewhere.
When you are challenged at login, you need to enter the current number on the SecurID display (or the most recent one; there's a grace period of a few seconds) and sometimes a PIN. Some setups will require a PIN, some won't. It doesn't really add all that much security, IMHO, since you're already being challenged for a login, password, and SecurID code - if someone has all those, you're already pretty badly off.
If someone has a gun to your head, you can increment your PIN by one, which is called a "duress PIN" and you'll still be logged in. However, you'll generate an Error Type 666: Gun Proximity Fault or some such in the security log. Woohoo.
Conversely, if you ever point a gun at someone and ask for their PIN, and they're not the silly secretary type who will faint dead away instantly (i.e., they seem to have some presence of mind), slap them a couple times and decrease their PIN by one. Assuming you're somewhere it's legal to point guns at people and slap them around, of course (i.e., you're a Reno PD officer having a bad day).
If someone enters a code and somehow gets knocked off the system, they must wait for their next rotation - they can't login again using that same code unless it's generated twice in a row, which shouldn't happen. I have seen tokens roll over to 555555, 333333, etc... I stand ready with a camera to photograph a token reading 666666...
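The server-side rules described above (rotating code, a few seconds of grace for the previous code, no second login on the same rotation, PIN plus one as a duress PIN that still logs in but is flagged in the security log), sketched as an added example that is not from the original article and is not Security Dynamics or ACE code. The real code generator is unpublished, so `code_at` is a stand-in HMAC construction; the `Verifier` class, the 5-second `GRACE` value, the seed and the PINs are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60   # seconds per rotation (the article cites 30, 45 or 60)
GRACE = 5   # assumed: seconds after a rotation that the previous code still works

def code_at(seed: bytes, t: int) -> str:
    """Stand-in six-digit generator (HMAC-SHA1 over the time-step counter).
    This is NOT the SecurID algorithm, which is unpublished."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 1_000_000:06d}"

class Verifier:
    """Hypothetical server-side check for one token; not ACE code."""

    def __init__(self, seed: bytes, pin: int):
        self.seed, self.pin = seed, pin
        self.last_step = -1   # newest time step already used for a login
        self.log = []         # security log: (timestamp, event)

    def _record(self, now, granted, event):
        self.log.append((now, event))
        return granted, event

    def login(self, pin: int, code: str, now: int):
        """Return (granted, event) for one login attempt at time `now`."""
        steps = [now // STEP]
        if now % STEP < GRACE:              # just rotated: previous code still OK
            steps.append(now // STEP - 1)
        step = next((s for s in steps
                     if hmac.compare_digest(code, code_at(self.seed, s * STEP))), None)
        if step is None or pin not in (self.pin, self.pin + 1):
            return self._record(now, False, "denied")
        if step <= self.last_step:          # same rotation already used once
            return self._record(now, False, "replay")
        self.last_step = step
        # PIN + 1 is the duress PIN: the login succeeds but the log flags it
        event = "duress" if pin == self.pin + 1 else "ok"
        return self._record(now, True, event)

if __name__ == "__main__":
    seed, t0 = b"constructed-demo-seed", 1_000_020   # constructed values
    v = Verifier(seed, pin=1234)
    code = code_at(seed, t0)
    print(v.login(1234, code, t0 + 10))   # first use
    print(v.login(1234, code, t0 + 20))   # reuse in the same rotation
    print(v.login(1235, code_at(seed, t0 + 60), t0 + 70))   # duress PIN
```

Because the check tracks the rotation rather than the digits, a token that happens to show the same number twice in a row is still accepted on the second rotation.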
Each token has an eight-digit serial number stamped on the back, right next to "Please return to Security Dynamics... yadda yadda." This is used to track the token in the Access Control Electronics (ACE) server, enable/disable it, unbind it from someone's account, etc., etc.
Each token also has a self-destruct date. Contrary to the popular beliefs of Mission: Impossible junkies, it will not detonate a small thermite charge on this date - it merely ceases to work and obstinately displays Sd Inc on its display, or merely flashes a single dot, or both.
Dead SecurIDs have been known to start doing something with strong electrostatic discharge - they count, but not in the way they are supposed to. They are fairly resistant to such discharge, although I've only tested on the older cards and the newer key fobs.
If anyone has tried HERF'ing one, I'd like to hear the results. Some people have theorized that they also self-destruct if opened - I maintain it's just really hard to open one without breaking it [grin]. Then again, I've only tried this on older cards.
Speaking of which... I meant to cover this earlier. SecurIDs come in various form factors. All are strong, rugged electronics. Do not bend or immerse your SecurID in water. Please turn your SecurID in to your SecurID administrator rather than dropping it into the Cracks of Doom to unmake it. Do not feed or tease Happy Fun Ball.
The cards are the classics... these are metal, strong, heavy items (not by themselves, but a stack of seven could sunder a skull if wielded by a strong and virtuous geek) about the size of a credit card and two or three times as thick. They are tempting to put in your back pocket, against all admonitions. We know it's tempting. So very tempting. Please don't. We guarantee they will crack within a day. Security Dynamics won't replace them if the display is cracked or blackened. No matter how much you try to convince them it's somehow their fault.
The next model is the funky squarish key fob. I love these. They're built like tanks. Mine has been dropped, run over, chewed on by toddlers, and thrown in anger. It's still a happy cute little SecurID. It does basically the same thing as every other SecurID. The case is plastic rather than metal.
After this is the sleek sexy key fob. If the squarish one looks like it belongs in Buck Rogers, these should be in Star Trek: TNG. I'd provide more modern references, but I haven't watched TV in years!
These are also plastic, and identical to the Buck Rogers SecurID, just sexier. They can be run over by a light fiberglass imported bimbo box, but seem to be more breaky in general. Note that these are admittedly unscientific tests [grin] :::resumes dropping cards out of sequentially higher floors until forced to stop:::
One of the more obscure SecurIDs is the SecurID-enabled PCMCIA card modem. These are manufactured by Motorola and have no display - they send login data directly to ACE when this option is enabled. ACE must have a special module loaded to be able to support these. These are fun when everyone else at the geek meet has generic communications gear. Unless you run into someone with an STU-III phone. Then you're outmatched, and need to crumble into a pile of geeky dust.
There are two other models I know of: smart cards and cards with keypads. I don't own either, alas, so if this sentence is still here by the time you read this article, I wasn't able to find out anything either. Woe is me.
There's also "SoftID," which is merely a piece of code which generates codes, same as a token.
Is SecurID somehow insecure? Of course!
Let me know if you find out how so. The obvious answer is the usual answer in such questions - who controls the access control? Do you like your geek? Does your geek like you? The latter matters more. What happens if the machine running ACE goes down? Do logins go unchallenged like AOL's original plans for SecurID implementation called for? Do you really trust a security device manufactured by a company that won't open its design for public review? Do you not care and just can't resist these sexy pieces of plastic?
The ACE server itself runs on a variety of operating systems, including Windows NT, HP-UX, and others. I have a copy lying around somewhere for someone extremely qualified to pick apart if they'd like to contact me. Ditto for the authentication tokens themselves.
This is by no means a complete work - it is merely an overview of SecurID technology as generated by my memory, which is admittedly failing as a result of my fool brain being unable to adapt itself to run off caffeine instead of glucose.
If anyone wants technical details on administering ACE or something similarly specific, or merely wishes to bash me for a harebrained error, feel free to contact me.