Have you ever came across these terms or devices, “Key-fob” or “RSA SecurID” or “Hardware Token” etc. People working for IT firms or Banks or who needs to access client computer for work mostly would have heard these device names. These devices generate a one-time passcode each time when requested which gets expired automatically after some time period. Within this time the user must enter this code to access that specific machine or computer or server. Some devices gave a push button to request every time and some continuously display passcode which keeps on changing in time intervals.
RSA SecurID with push button | Image Source: linux-magazine.com
So, why they are so interesting to write about?
These devices do not connect to client server in any way.
NO BLUETOOTH or NO WI-FI or NO RF SIGNAL or NO INFRARED SIGNAL or NO INTERNET CONNECTIVITY
Then, How the server knows the passcode which is user about to type?
If we think that there are a set of codes repeating again and again, then how the server knows the expiration time?
Let’s explore the mystery behind this technology….
These kinds of devices for two-factor authentication are called “Disconnected Tokens”. Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification. Disconnected Tokens now available in market are using different algorithms. Fido Alliance’s FIDO token uses AES to generate OTP and the Other Token by FIDO uses Public Key Encryption to Authenticate Users. RSA SecureID uses RSA algorithm with 128 bit encryption along with a seed value that is unique and is attached to each SecureID , it produces a 6 digits unique passkey that changes every 60 or 30 seconds making each passkey unique.
RSA SecurID with no push button | Image Source: theaviationist.com
Breaking into simpler terms, whatever the device might be there are two standard ways to build such a device:
- Time-based. The device has a secret key K (known only to the device and to your bank). When you press the button, The device computes F(K, T) (where T is the current time) and outputs it as a 6-digit code.Your client machine, which also knows K, can compute the same function. To deal with the fact that the clocks might not be perfectly synchronized, the server will compute a range of values and test whether the 6-digit code you provide falls anywhere in that range. In other words, the server might compute F(K, T-2), F(K, T-1), F(K, T), F(K, T+1), F(K, T+2), and if the code you provide matches any of those 5 values, the server accepts your login.
- Sequence-based. The device has a secret key K (known only to the device and to your client machine). It also contains a counter C, which counts how many times you have pressed the button so far. C is stored in non-volatile memory on your device. When you press the button, the device increments C, computes F(K, C), and outputs it as a 6-digit code. This ensures that you get a different code every time.The server also tracks the current value of the counter for your device, and uses this to recognize whether the 6-digit code you provided is valid. Often, the server will test a window of values. For instance, if the last counter value it saw was C, then the server might compute F(K, C+1), F(K, C+2), F(K, C+3), F(K, C+4) and accept your 6-digit code if it matches any of those four possibilities. This helps ensure that if you press the button once and then don’t send it to the server, you can still log on (you aren’t locked out forevermore). In some schemes, if there is a gap in codes (e.g., because you pressed the button a few times and then didn’t send the code to the server), you will need to enter two consecutive valid codes before the bank will log you on.
In these two algoriths “F” is a function which generates random values and this function is executed by both server and also the key-fob.
In this logical and disconnected way, people who use SecurID’s are actually logging into client machines.
Hardware token by SafeID | Image Source: deepnetsecurity.com
- Answer by Nishant Kumar Pandey for the question “Citibank: How Disconnected Tokens Work” in Quora.
- “Key Fob” definition by searchsecurity.techtarget.com.
- A topic on “Security Token” in Wikipedia.
- A topic on “Time Based One-time Password Algorithm” in Wikipedia.
- A topic on “Hash-based message authentication code” in Wikipedia.
- A topic on “RSA SecurID” in Wikipedia.
- Answer by D.W. for the question “How does HSBC’s “Secure Key” actually work?” in security.stackexchange.com.