October 05, 2003

SecurID Token Auth Emulator?

Last week I talked about the fact that there was a nice OpenSSH patch for SecurID, but that it wasn't that useful without an Ace/Server.

Well, it got me to thinking. About three years ago I wrote an Ace/Server emulator that used part of an old algorithm I found on BugTraq to be able to authenticate my tokens through a Java server. It didn't use Ace/Agents and was only designed to authenticate access to the Java app. Worked really well. I never released it publicly out of respect for RSA and for the fact that I was an RSA partner.

Well, I have been rethinking the idea of releasing a similar token validation emulator.

Now, typically if I ask a question on the blog most people email me privately because they don't want to register their name, email etc. I respect your privacy, and I am ok with that approach. However, I am hoping what I am about to ask will get some public responses so I may gauge accordingly.

I am thinking of porting my Java code to Perl and posting it up on Sourceforge. The idea would be to create a pure Perl server that could allow small businesses like my own to use the power of RSA's two-factor authentication without the need to spend thousands upon thousands of dollars on an Ace/Server, when they do not need the full functionality of a real Ace/Server.

The idea would be to make an emulator that could expose functions similar to an Ace/Agent (or perhaps even use an Ace/Agent) to authenticate to the Perl server and expose two-factor auth to OpenSSH and Apache. The feature set would be limited to:

  • New PIN Mode
  • Token Resync (via Next Token) for Timing Drift
  • Normal Passcode
  • Token import (via RSA diskette)
  • Token Revocation

To maintain cross-platform use and minimize the installation complexity I would use flat files for config and logs. This means it should work unaltered in most Unix environments, and on Windows. This also lets me limit the feature set in a way that provides a clean upgrade path to a real Ace/Server. I think it's only fair that if you are going to really take advantage of RSA's technology in your environment you buy their product for the advanced functionality.
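As an added illustration (not the author's Java code or the planned Perl port), here is the validation flow the feature list implies, sketched in Python: PIN + tokencode passcodes, a drift window of one interval either side, Next Token resync when the drift is larger, New PIN mode and revocation. The tokencode() generator is an assumed HMAC-SHA1 stand-in, not RSA's proprietary algorithm, and the seed and PIN are constructed sample values.

```python
import hmac, hashlib, struct

INTERVAL = 60        # classic SecurID tokens roll their code every 60 seconds
WINDOW = 1           # normal mode: accept +/-1 interval around the stored drift
RESYNC_WINDOW = 10   # Next Token mode: search wider, but demand two consecutive codes

def tokencode(seed, interval):
    # Assumed stand-in for the token's code generator (HMAC-SHA1 over the interval
    # counter, 6 digits). Not RSA's algorithm; the validation logic is independent of it.
    mac = hmac.new(seed, struct.pack(">Q", interval), hashlib.sha1).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

class Token:
    def __init__(self, seed, pin=None):
        self.seed, self.pin = seed, pin   # pin None => token is in New PIN mode
        self.drift = 0                    # intervals the token clock is ahead of ours
        self.pending = None               # interval whose Next Token we are waiting for
        self.last_used = -1               # highest interval already accepted (anti-replay)
        self.revoked = False              # Token Revocation: refuse everything

def _find(tok, code, base, width):
    # Return the interval within +/-width of base whose code matches, nearest first
    for off in sorted(range(-width, width + 1), key=abs):
        if hmac.compare_digest(tokencode(tok.seed, base + off).encode(), code.encode()):
            return base + off
    return None

def authenticate(tok, passcode, now):
    if tok.revoked:
        return "DENIED"
    pin, code = ("", passcode) if tok.pin is None else (passcode[:-6], passcode[-6:])
    if tok.pin is not None and not hmac.compare_digest(pin.encode(), tok.pin.encode()):
        return "DENIED"
    base = now // INTERVAL + tok.drift
    if tok.pending is not None:           # Next Token mode: only the following code counts
        hit, tok.pending = _find(tok, code, tok.pending + 1, 0), None
    else:
        hit = _find(tok, code, base, WINDOW)
        if hit is None:                   # outside the normal window: large clock drift?
            hit = _find(tok, code, base, RESYNC_WINDOW)
            if hit is None or hit <= tok.last_used:
                return "DENIED"
            tok.pending = hit             # plausible; ask for the next code to confirm
            return "NEXT_TOKEN"
    if hit is None or hit <= tok.last_used:   # wrong code, or a replayed/older one
        return "DENIED"
    tok.last_used = hit
    tok.drift = hit - now // INTERVAL     # remember the drift we just observed
    return "NEW_PIN_REQUIRED" if tok.pin is None else "ACCEPTED"
```

A flat-file server in the spirit of the post would persist drift, last_used, pending and revoked per token between requests; the replay check is what stops a sniffed passcode from being reused inside the same minute.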

These restrictions would be put on the server:

  • Limited set of tokens (maybe a maximum of 25 tokens)
  • Would not support RSA's new AES-based tokens
  • Logs would stay in a flat format to allow for basic auditing and searching
  • The Perl will be functional and fast, but will not be optimized like the Ace/Server

Now to my questions for the group. Quite frankly, my concern is that I do not wish to cause myself grief with RSA with such open source code. I decided not to release my code years ago because the Ace/Server was RSA's bread and butter, and I didn't feel right providing a free alternative which could be abused by others. However, now that RSA has released new AES-based tokens and is phasing out the old RSA proprietary tokens, this seems to be an optimum time to reuse some older tokens before they die out.

I have emailed RSA twice and no one wishes to respond on how the company would feel about such a code release. Until I hear otherwise, I am going to guess that no one knows how to respond to this, and perhaps they are just waiting to see what the response is. So, with that in mind, my questions to you:

  1. Would you install and use a free Perl token auth-emulator?
  2. Do you own any SecurID tokens?
  3. Would you buy any/more SecurID tokens to use this?
  4. Would you use it with OpenSSH?
  5. Would you use it with Apache?
  6. Would you use it with other Ace/Agents?
  7. Do you think there is value in releasing this code?
  8. Do you think RSA will pull a SCO and start chasing you (or me) down for a license?

I would really appreciate any comments, feedback and discussion from the group of people that read my blog. Again, I am fine knowing most of you would rather email me privately about this, but if you can, consider posting in the comments so others can see your views. I look forward to hearing the thoughts of the community on this.

Posted by SilverStr at October 5, 2003 07:44 AM
Comments

While my answer will be "No" to those 10 questions (because I don't have any tokens), I have one question for you.

What license would you put on it? To host under SF you must have an Open Source one:

http://sourceforge.net/register/

Posted by: Wim at October 6, 2003 07:01 AM

Not sure which open source license I would be using.

Posted by: SilverStr at October 6, 2003 07:49 AM

It might go down to the fact that if authid is still the bread and butter of RSA (new and old tokens) would they go after you. I tried to think up a couple of analogies, but couldn't think of one. It's not a source code issue (ie: ms going after you for putting windows98 source up) but is a bread and butter thing (ie: samba reverse engineers protocols, but smb is not MS bread and butter).

If RSA isn't going to answer, maybe email them the Java code, or just put it out and see what happens. Maybe they don't care? Maybe they don't want to bother with something as vague as "I have code to do stuff", ya know?

Posted by: Arcterex at October 6, 2003 12:21 PM

We currently use a homebrew RADIUS implementation using Defender tokens on Linux. It handles authentication for an ISDN RAS system. We have a project underway to convert this system to SecurID, but we recently ran into a wall. We can't buy SecurID tokens without an ACE/Server license!? We never had any trouble purchasing Defender tokens without a software license. Is there a way to get these tokens without the software? Otherwise, what would be the use of such a thing?

Posted by: Bicster at June 2, 2004 10:13 AM

What you mentioned is exactly what I've been looking for! We have a SecurID customer who uses our security solution (on Linux) but is really pissed that we need to install another box just to run the Ace/Server. If we can authenticate the SecurID within our solution, that'll be excellent. BTW, the customer has bought the Ace/Server license so RSA should be happy too.

Please contact me. Thanks.

Posted by: TTG at July 26, 2004 11:24 PM

I would be interested in this. My justification for doing this is:

ACE/Server sucks. Real hard. It may have been ok in the 1980's but in 2004 the software and user interface are both a clunky pile of shit.

When you upgrade 5.0 to 5.2 you need to get a new license or your "Advanced" license becomes a "Basic" license and loses much of its functionality. No support contract - no new license.

There are dozens of undocumented and unpatched bugs in ACE/Server that RSA are well aware of but won't release fixes for or publish details of the workarounds. No support contract - no information.

So you'll be wanting a support contract then! That'll be 10 grand please.

I don't want or need the complexity of ACE/Server. I could easily write an authentication module in Perl to interface with some other auth server (e.g. RADIUS) and do away with RSA altogether. All we need is the algorithm - do the world a favour and release it into the public domain as a protest at RSA's ripoff pricing.

Posted by: RSA Guru at August 18, 2004 03:08 AM