Security breach at 2FA provider RSA

March 22, 2011 — You may well have read recently about a security breach at 2FA provider RSA where hackers gained access to “seed data”. Commentators believe that the attack on RSA compromised RSA’s copy of customer token seeds.

CRYPTOCard would like to reassure its user community that the problem is specific to RSA, and that CRYPTOCard’s solution is not vulnerable to this sort of attack.

CRYPTOCard is secure
CRYPTOCard has always maintained that sharing token seed records with the manufacturer represents a significant risk for two reasons:

1. It violates one of the tenets of security: compartmentalization. Regardless of the precautions, a security breach at the manufacturer has serious implications for all of its customers.

2. Two-factor authentication has always been predicated on something only you have (the token – implicitly the token seed record) and something you know (the PIN). Where seed records are maintained by the manufacturer, this form of 2FA is more accurately described as something you share and something you know.

In a CRYPTOCard solution
Seed records for CRYPTOCard tokens are generated and inserted into the tokens by each customer’s authentication server. Seed records for CRYPTOCard tokens are not shared with the manufacturer.
Every time a hardware token is re-initialized or a software token issued, the customer’s authentication server automatically generates and inserts a new seed record into the token.
All seed records are AES-256 encrypted and stored only in the customer’s authentication server.
Tokens may be re-initialized and issued as often as desired.
Furthermore, CRYPTOCard’s approach has been to offer tokens capable of generating OTPs of up to 8 characters, containing digits, upper/lower case letters and punctuation. In this way, every customer can determine their security posture with respect to PINs and Passcode strength and change that posture at any time. By having the token generate complex OTPs, CRYPTOCard customers have the advantage of confidence in the credential while avoiding the pitfalls of relying on users for complex PIN management.

What happened at RSA?
The BBC had a good summary of what happened at RSA: “Hackers have stolen data about the security tokens used by millions of people to protect access to bank accounts and corporate networks. RSA Security told customers about the “extremely sophisticated cyber attack” in an open letter posted online. The company is providing “immediate remediation” advice to customers to limit the impact of the theft. It also recommended customers take steps, such as hardening password policies, to help protect themselves.”
Source: BBC News

What does this mean for RSA customers?
Given the murky situation, respected security experts NSS Labs have issued a statement exploring what the security breach means for RSA’s customers. NSS states:

“The locksmith’s secrets may have been stolen, and the integrity of RSA’s 2-factor authentication compromised. This knowledge breaks the 2-factor model since the attacker can now create the string required for successful authentication, obviating the need to know the password and PIN. It will allow an attacker to login as a trusted user with corresponding access privileges.”
Source: NSS Labs
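
The seed-custody argument above can be shown in a few lines. This is an added example, not CRYPTOCard or RSA code: it uses the public RFC 4226 HOTP algorithm as a stand-in for a vendor OTP algorithm, and the `AuthServer` class, the token serial and the 8-digit numeric code length are assumptions made for illustration. A code computed from any copy of the seed record is accepted, and that copy stops working once the customer's server re-initializes the token with a seed it generated itself.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 8  # assumption: 8-digit numeric codes

def hotp(seed, counter, digits=DIGITS):
    """RFC 4226 HOTP: the code is a pure function of the seed and a counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthServer:
    """Hypothetical customer-side server that generates and keeps its own seeds."""

    def __init__(self):
        self._tokens = {}  # serial -> [seed, next counter]; in memory for the demo

    def initialize(self, serial, seed=None):
        # Every (re-)initialization installs a fresh random seed unless one is given.
        seed = seed or secrets.token_bytes(20)
        self._tokens[serial] = [seed, 0]
        return seed  # the value written into the token

    def verify(self, serial, code, window=3):
        seed, counter = self._tokens[serial]
        for c in range(counter, counter + window):
            if hmac.compare_digest(hotp(seed, c), code):
                self._tokens[serial][1] = c + 1  # a used counter is never accepted again
                return True
        return False

def demo():
    server = AuthServer()
    shared_seed = b"12345678901234567890"  # constructed: RFC 4226 test seed
    server.initialize("TOKEN-0001", shared_seed)
    outside_copy = shared_seed  # a copy of the seed record held outside the server
    before = server.verify("TOKEN-0001", hotp(outside_copy, 0))
    token_seed = server.initialize("TOKEN-0001")  # customer re-initializes locally
    after = server.verify("TOKEN-0001", hotp(outside_copy, 0))
    token = server.verify("TOKEN-0001", hotp(token_seed, 0))
    return before, after, token

if __name__ == "__main__":
    print(demo())
```

The demo keeps seeds in memory; the page's statement that seed records are stored AES-256 encrypted on the authentication server is not modelled here.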