RSA SecurID

It's magic! Just got my token today. Never had the chance to play around with this stuff before. What kind of battery is in it that can last 3 years though? :confused:
 
Ooo SecurID.

Do you guys use the appliance, or is it just a box that you guys set up to manage all the tokens?

Do you have the brand spanking new SID800 tokens (the ones with the USB port)? Or the more water resistant SID700 (no USB port)? Or the even older keyfob (black rectangular)? Tokens are also supposed to last 5 years until they expire (I'm sure you've seen the expiration date on the token).

Plus I hope you guys do actual two-factor authentication, and not the TOKENCODE_ONLY mode. That would be rather...pointless. :p
 
BillLeeLee said:
Ooo SecurID.

Do you guys use the appliance, or is it just a box that you guys set up to manage all the tokens?

Do you have the brand spanking new SID800 tokens (the ones with the USB port)? Or the more water resistant SID700 (no USB port)? Or the even older keyfob (black rectangular)? Tokens are also supposed to last 5 years until they expire (I'm sure you've seen the expiration date on the token).

Plus I hope you guys do actual two-factor authentication, and not the TOKENCODE_ONLY mode. That would be rather...pointless. :p

Yeah, we use the two-factor authentication. It's the SID700 token. I was just checking out their website and thought it was a shame that we don't use the SID800 tokens. Ah well.

Mine is good for 3 years (expires in 2009). I'm not sure about the appliance -- I'm not familiar with this thing. RDP into a Windows 2003 box, it authenticates through RSA and then you authenticate into Windows. I would wager a guess that we don't use the appliance. How can I tell?
 
Well, if you know where the comp is located, that would be the easiest way to tell (the appliance is a 1U rack-mount machine with the words RSA SecurID on the front and a twist knob).

Otherwise, if you know the machine's hostname...you can try accessing its web interface through port 8098. That brings up the authentication page to log into the appliance web administration portal. This is only for appliances. Regular boxes don't have that portal.

Of course, it really doesn't matter, the appliance is just a set top box with all the necessary stuff built in. I just like them since I think they look so cool. :D
 
BillLeeLee said:
Well, if you know where the comp is located, that would be the easiest way to tell (the appliance is a 1U rack-mount machine with the words RSA SecurID on the front and a twist knob).

Otherwise, if you know the machine's hostname...you can try accessing its web interface through port 8098. That brings up the authentication page to log into the appliance web administration portal. This is only for appliances. Regular boxes don't have that portal.

Of course, it really doesn't matter, the appliance is just a set top box with all the necessary stuff built in. I just like them since I think they look so cool. :D

Ah, I do have access to that web-portal to reset pins and whatnot. It seems like we have the appliance then.

I'll have to hunt around our server room and see if I can't find it!
 
Wow, an SD600 (the old keyfob). They don't even make those in the US anymore (all of those come from Ireland now). Those are built pretty rugged too, there are stories about them surviving major disasters. I think the one that people like to tell now is that a bunch of keyfobs were submerged for about a month in the aftermath of Hurricane Katrina, and when they were recovered, they were working just fine.

http://www.rsasecurity.com/node.asp?id=1311

I use the SID800 from work. There's an even newer model out but it's in the form of a pinpad. The SID800 is where it is at though (can be used for sign-on manager, remembering settings and such, as well as standard authentication. It is the jack of all trades token).
 
BillLeeLee said:
Wow, an SD600 (the old keyfob). They don't even make those in the US anymore (all of those come from Ireland now). Those are built pretty rugged too, there are stories about them surviving major disasters. I think the one that people like to tell now is that a bunch of keyfobs were submerged for about a month in the aftermath of Hurricane Katrina, and when they were recovered, they were working just fine.

http://www.rsasecurity.com/node.asp?id=1311

I use the SID800 from work. There's an even newer model out but it's in the form of a pinpad. The SID800 is where it is at though (can be used for sign-on manager, remembering settings and such, as well as standard authentication. It is the jack of all trades token).

I saw that thing, it looks pretty sweet. We have a couple of SD200s laying around too that look pretty cool. I think it's funny how they describe them as a really thin store-it-anywhere solution when it's as thick as like 5 credit cards.

What does the USB port on the token do? Is it like removable storage or does it interface with the VPN authentication somehow?
 
The USB port is used for things like RSA Sign On Manager, where you can insert it into a workstation's USB port to provide log on credentials (the information is kept in an encrypted certificate on the embedded flash memory inside the token).

It can also be used for things like remembering log in information for other sites or software, as well as for other authentication services (through X.509 certificates).

I only use it for the token codes though. :eek:
 
The SID800 is part token, part smartcard.

There's a bit of memory in them, accessed via the USB interface, which can store digital certificates, usernames and passwords etc. They also interface with browsers and VPN clients to autofill this information in. It also acts as a software token so you only need to enter your PIN.

They're quite handy, I couldn't get them working how I wanted them to in my environment though.
 
BillLeeLee said:
The USB port is used for things like RSA Sign On Manager, where you can insert it into a workstation's USB port to provide log on credentials (the information is kept in an encrypted certificate on the embedded flash memory inside the token).

It can also be used for things like remembering log in information for other sites or software, as well as for other authentication services (through X.509 certificates).

I only use it for the token codes though. :eek:

Aw, that's too bad.

What happens if the token/server get out of sync?
 
You can resynchronize a token with the server. Inevitably the clocks between the server and a token will drift (the token drifts a very small amount from true UTC every year, something on the order of +/- 5 seconds out of sync).

Also, every time you authenticate with the token, the server determines the current offset value from normal of the token, so if you authenticate frequently with it, clock drift shouldn't be too much of a problem. If it drifts substantially (but not outside of a set interval) you can enter next tokencode mode, where the server asks you to authenticate with two consecutive token codes to resynchronize the token with the server.

If it drifts way off base (depending on how big the interval is that the administrator has set), then you'll have to get the admin to resync the token.

Of course, if the server clock is changed wildly, then it's advisable to set the server clock back to the correct time, otherwise you'll have hundreds/thousands of employees or otherwise who can't log in. ;) (And it is strongly and highly recommended the server be set to GMT/UTC, since the tokens are set to that during production).
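The drift handling described in this post (the server re-learning a per-token offset on every successful login, a small silent acceptance window, a wider window that triggers next-tokencode mode, and anything beyond that needing an administrator) and the PIN-plus-tokencode two-factor check from earlier in the thread, as an added illustration that is not part of the thread and not RSA's code. SecurID's own code-generation algorithm is proprietary, so an RFC 6238-style HMAC-SHA1 tokencode stands in for it; the 60-second step, 6 digits, window sizes, seed and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy values are constructed for this example, not vendor defaults.
STEP = 60            # seconds per tokencode
DIGITS = 6
NORMAL_WINDOW = 1    # steps either side of the expected step accepted silently
RESYNC_WINDOW = 10   # steps either side searched before entering next-tokencode mode


def tokencode(seed: bytes, step: int) -> str:
    """Tokencode for one time step. RFC 6238 HMAC-SHA1 truncation is a stand-in
    for the proprietary SecurID algorithm; the drift handling is the point here."""
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


@dataclass
class TokenRecord:
    """Server-side state for one assigned token."""
    seed: bytes
    pin: str
    drift: int = 0                      # learned token-clock offset, in steps
    last_step: int = -1                 # highest step already consumed (blocks replay)
    pending_step: Optional[int] = None  # first step matched in next-tokencode mode


def _code_matches(rec: TokenRecord, code: str, step: int) -> bool:
    # Replayed codes (step already used) never match, even inside the window.
    return step > rec.last_step and hmac.compare_digest(
        tokencode(rec.seed, step).encode(), code.encode())


def _find_step(rec: TokenRecord, code: str, centre: int, window: int) -> Optional[int]:
    """Return the step within +/-window of centre whose code matches, newest first."""
    for delta in range(window, -window - 1, -1):
        if _code_matches(rec, code, centre + delta):
            return centre + delta
    return None


def authenticate(rec: TokenRecord, passcode: str, now: int) -> Tuple[bool, str]:
    """Two-factor check: PIN followed by the tokencode (never tokencode-only).
    `now` is the server's UTC time in seconds."""
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    if not hmac.compare_digest(pin.encode(), rec.pin.encode()) or not code.isdigit():
        return False, "denied"
    expected = now // STEP + rec.drift
    step = _find_step(rec, code, expected, NORMAL_WINDOW)
    if step is not None:
        rec.drift += step - expected    # re-learn the offset on every success
        rec.last_step = step
        rec.pending_step = None
        return True, "ok"
    step = _find_step(rec, code, expected, RESYNC_WINDOW)
    if step is not None:
        rec.pending_step = step         # ask for the following code to confirm
        return False, "next_tokencode"
    return False, "denied"              # outside the interval: administrator must resync


def next_tokencode(rec: TokenRecord, code: str, now: int) -> Tuple[bool, str]:
    """Second half of next-tokencode mode: the code must be the one immediately
    following the step matched by authenticate(); both together resync the token."""
    if rec.pending_step is None or not code.isdigit():
        return False, "denied"
    step, rec.pending_step = rec.pending_step + 1, None
    if hmac.compare_digest(tokencode(rec.seed, step).encode(), code.encode()):
        rec.drift = step - now // STEP  # token clock relative to server clock, in steps
        rec.last_step = step
        return True, "ok"
    return False, "denied"


def simulate_token(seed: bytes, server_now: int, token_skew: int) -> str:
    """Code a physical token whose clock is token_skew seconds off would display."""
    return tokencode(seed, (server_now + token_skew) // STEP)


if __name__ == "__main__":
    SEED = b"constructed example seed, not a real token seed"
    T0 = 1_699_999_980  # constructed server time on a whole-minute boundary
    rec = TokenRecord(seed=SEED, pin="1234")
    print(authenticate(rec, "1234" + simulate_token(SEED, T0, 0), T0))
    # A token running 150 s fast lands outside the silent window but inside the resync one.
    print(authenticate(rec, "1234" + simulate_token(SEED, T0 + 60, 150), T0 + 60))
    print(next_tokencode(rec, simulate_token(SEED, T0 + 120, 150), T0 + 120), rec.drift)
```

Two design choices worth noting: the replay check (`step > last_step`) is what stops a captured passcode being reused within the acceptance window, and the offset is re-learned on every success rather than only during resync, which is why a frequently used token rarely ends up in next-tokencode mode even though its clock drifts.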
 