18 January 2001


From: Kingpin <kingpin@atstake.com>
To: "'cypherpunks@toad.com'" <cypherpunks@toad.com>
Subject: Initial Cryptanalysis of the RSA SecurID Algorithm
Date: Thu, 18 Jan 2001 16:04:38 -0500

Abstract:

Recently, I.C. Wiener published a reverse engineering effort of the RSA SecurID algorithm. There were few speculations on the security ramifications of the algorithm in I.C. Wiener's posting, so this note is an effort to touch upon areas of concern. We have verified that I.C. Wiener's released version of the proprietary algorithm is accurate by comparing it with our own prior reverse engineering of the same algorithm.

Due to the time sensitivity imposed by the public release of RSA's proprietary algorithm, we felt it necessary to release this brief to help people better understand and work toward reducing the risks to which they might currently be exposed. The risk profile of token devices changes when they are implemented in an uncontrolled environment, such as the Internet, and the research in this paper aims to educate and to help manage those risks. The primary concern is the possibility to generate a complete cycle of tokencode outputs given a known secret, which is equivalent to the cloning of a token device.

This short paper will examine several discovered statistical irregularities in functions used within the SecurID algorithm: the time computation and final conversion routines. Where and how these irregularities can be mitigated by usage and policy are explored. We are planning for the release of a more thorough analysis in the near future. This paper does not present methods of determining the secret component by viewing previously generated or successive tokencodes.

Direct link to full paper:

http://www.atstake.com/research/reports/initial_securid_analysis.pdf

Additional reports:

http://www.atstake.com/research/reports/index.html

-kp