views:

3078

answers:

4

Hello all,

Could anyone explain to me in simple programmatic terms how these RSA key dongles work? I know Blizzard has them for WoW and PayPal as well as some of the trading sites.

Thanks!

+10  A: 

The fob has a clock and a serial number that is used as a seed for a PRNG. When you hit the "show me a code" button, the fob displays a number that is the product of that timestamp and the serial number run through the PRNG. The server knows your fob's serial number and time, and does the same operation. If your codes match, you're authenticated.

You can calculate the previous/next N values on the server end to account for clock skew.

Ry
PRNG = pseudorandom number generator
joeforker
The PayPal fob uses one of the digits for synchronization, giving the server another way of compensating for clock skew.
joeforker
Thanks. I thought of that, then added a link; your comment beat me to the punch, though. :)
Ry
The same method is used by British Energy on their remote-working key fobs for secure data.
James Burgess
I turned it into a wiki - feel free to edit the answer directly to include your comments.
Ry
Hmmm, nope... not a Wiki as far as I can see.
James Burgess
Strange. I checked the "community wiki" option.
Ry
A: 

Programmatic terms aren't necessary. Just imagine two pieces of hardware (your dongle and something at the company) that generate the same numbers at the same regularly scheduled intervals. It would be virtually impossible to guess what the number is due to some proprietary algorithms, so if the number you type in (or is automatically sent by the dongle) matches the number at the server, your identity is validated.

At least with the dongle I have, you also have to supply a PIN known only to you and the server. So, in order to be authenticated you need both something physical and something in your head. That combination is pretty hard to fake. Even if someone gets the dongle, unless they know your PIN it's worthless. And if they know your PIN, that information is worthless without the dongle.

Bryan Oakley
+1  A: 

Security Now! episode 103 talks about how they work. (That link is to the show notes, but there's a link at the top of the page to the audio podcast.)

Basically, the key fob is synchronized with a server and they're both seeded to generate the same sequence of pseudo-random numbers. The server knows it's you if you input the right number at the right time.

Bill the Lizard
A: 

Hey,

Sorry to revive a dead thread, but I am attempting to find out more about the RSA key fob authentication process focusing more on the actual programming side of things. We implement RSA key fob security at my company, but the code used to perform the authentication is older (site is written in classic ASP, and the RSA object was written in C++). The site also uses an antiquated C++ ISAPI filter to handle request authorization and I know I will be tasked to rewrite it in ASP.NET (including the RSA parts of it into a C# library if possible). I would like to preemptively start researching the actual process. If anyone has any code examples (preferably in C#) that would be amazing.

Thanks!

You should ask this in a stand-alone question.
Ry