Tag Archives: rsa

Distributed Credential Protection

RSA recently announced their Distributed Credential Protection (DCP) technology which should help address the impact of passwords leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting up stored credentials across different systems.

In its current implementation it uses 2 servers. 1 server (BLUE) stores the password XOR to a random number and another server  (RED) stores that random number.
When a user wants to authenticate it uses his password to XOR it with his own Random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess it must communicate to the RED server to get the corresponding random numbers.

This process is given an overview THERE

I think it is a great idea, and it leverage what is called Threshold Cryptography, which is “the art of chopping a secret into little bits”. A few things come to mind though:

– Why only using 2 servers, this could be expanded to use multiple servers. Each with different security settings/OS thus making it harder to compromise

– Why only applying this to passwords, what about documents/files?

– To verify the password is correct, the servers must be communicating at some point to get the XOR password and the Random number used. If that’s the case, then if the BLUE server gets compromised what stops the attacker to miss-use the communication/protocol and leverage the compromised BLUE server to gain information from the RED server, thus removing the need to compromise that server too? I could not get enough information at this time on how RSA verifies the passwords are valid, so I would hope they have thought about that in their design.

– Again, this will not stop the number one issue with password. Human weakness. (post-it, simple passwords, eavesdrop, man in the middle/coffee shop, etc)

It is definitely an interesting technology, which I hope to learn more about soon!

What could be the impact of the RSA breach

In the past few months there seems to have been a rise in what is called Advance Persistant Threats (APT).
Wikipedia actually has a short but comprehensive description of what it means HERE.

An article on SC Magazine describes what seems to have been an APT against RSA affecting the security of their two factor authentication products.
It is not clear exactly what has been stolen at the moment, but RSA has admited that some sensitive information has been leaked/downloaded.

By reading some of the security community reactions (Help net security article) there seems to be 3 main concerns:
1. Security breach related to their pseudo random number generation, their product security would then be reduced to the security of the user’s passcode. Usually a simple 4 digits PIN.
2. The extend of their customer data that was stolen, could some of that data have an adverse effect of their customers (i.e.: password, name, addresses, etc)
3. What could be the security impact on the RSA 2 factor product users

The first concern is another example that security through secret is never good, and I am surprised RSA would only rely on some “secret fixed seeds” for their token code generation.

The second concern is typical of any data breach from a reseller/vendor who keeps large volume of customers data. The nature of the data and how it was protected will be of importance for RSA’s reputation.

Finally, the 3rd concern is what is of most significance. The common security community message seems to be: no need to panic.
Although I agree, I would add “but do not ignore it”.

It is important to remember that 2 factor authentication are used to improve the access security controls.
If the level of security it provides is reduced to a single factor authentication then there is an increased security risk towards what you were trying to protect in the first place.
This is even worse if that 2 factor authentication was the sole authentication method, as compromised tokens codes would then leave you with a very small 4 pin passwords.

Also, with todays popularity of “in the cloud” services many companies have replaced the physical security element where access was only accessible while on premises or from the company network, with a 2 factor authentication security control:
The “somewhere you are” requirement being replaced with a “something you have” requirement.

A compromised of the RSA token codes generation could have a very negative security impact on companies who are using RSA tokens to protect access to their cloud services.
They would indeed end up with portal accesses only protected by a userid and a 4 pin digits.
Now, if that is the case, this would be something to worry about and act upon.