Under the hood: SecurID fob: single-chip safety net - Embedded.com

Under the hood: SecurID fob: single-chip safety net

Computer security. These two simple words mask the complexity and gravity of a modern-day issue that is critical to both computer users and the computer industry as a whole. As companies rely more on far-flung network access and computer-based storage and retrieval of sensitive information, the need for trustworthy user authentication has grown significantly.

For a full archive of articles and related On-Demand seminars, click here

Even in our personal lives, a mind-numbing level of sensitive and private information around banking, credit and other financial data has steadily drifted out to the Internet in one form or fashion. While the individual is important, the even larger risks tend to revolve around corporations serving those individuals–or one another–in a networked environment. Big Business means Big Dollars, and determined criminals spend Big Time trying to enter the ring surreptitiously.

So what does all that have to do with this installment of Under the Hood? It sets the stage for a peek at one of the world's more widely used techniques to foil the computer intruder: the hardware token. Planet Analog site editor Bill Schweber, always on the lookout for interesting widgets to analyze, found an RSA SecurID fob left on an Amtrak New York-to-Boston train run. With no acknowledging owners for the fob on board, Bill followed directions not to return the security device to RSA, and rather sent it along to Portelligent as a morsel for teardown analysis.

The SecurID 600 device from RSA Security (part of EMC Corp.) is a small, disconnected fob that can hook to a key ring or fit in a user' s pocket. The outwardly simple function of the device is to generate a six-digit code that combines with a user-remembered PIN to allow two-level authentication for computer login.

While we all have various forms of memorable passwords, these on their own are vulnerable. If a would-be attacker knows enough about you, that seemingly robust combination of your dog's name and your birthdate gets pretty fragile. “Rover0859” might look random on the surface, but to the committed cyber-criminal, it's probably a walk in the park.

This is where the SecurID comes into play. The fob (token) displays a six-digit code generated by running a unique 64-bit symmetric seed key contained in the hardware token through a hashing function. The server side of the equation knows the key for each issued token and can reverse the hash to verify the user in combination with the user PIN. Of course, this is of little use if it is a static string, which is sure to be compromised with time.


Powered by a small internal battery, and by way of an internal real-time clock, the SecurID generates a new code every 60 seconds over the fob's lifetime, with the host-side solution synchronously calculating this moving target to stay in lockstep with the token. New codes are seemingly random, absent knowledge of the token key and the hashing function; but to the informed server host, there is only one right answer for every minute of the day.

The fob's serial number and the date-time stamp derived from the real-time clock are seemingly additional ingredients to the code creation. But I'm getting way out of my depth already, and it's time to see what the hardware looks like.

Suffice it to say that the fob and the server generate and expect a new code respectively in one-minute intervals to layer security on top of the standard user-generated password.

Bill's seemingly simple gift to Under the Hood quickly revealed some inner complexity, namely getting at the electronics that make it tick. The two-piece plastic case was not particularly difficult to split, but once I got it open, I pulled out a solid slab of epoxy-cased circuitry–an obvious first step to make tampering more difficult.

The CR2032 coin-cell battery and simple segment monochrome LCD display were quite visible, even in block form (why didn't they use black epoxy?), but the rest of the story was entombed in resin. Having faced such obstacles before, I tried a few tricks that allowed extraction of the circuit board in largely intact form to see what was going on.

Not too surprisingly, there isn't much going on in at all in terms of basic component complexity.

A single chip, wirebonded and glob-topped to the circuit board, represents the only active element of circuitry. Combined with about a dozen passive discretes and a crystal oscillator, the 3.1 x 3.2-mm die performs the needed functions of real-time clock (for synchronizing), control (of the LCD), storage (of keys and code) and cryptography (for hashing of the token key and other data bits). The die markings did not reveal the manufacturer, and a custom device is likely in the mix.

The crystal is from Micro Crystal of Switzerland and almost certain to be the standard 32.768-kHz oscillation frequency needed for real-time clock applications. The LCD–simple enough to be from many suppliers–is interconnected to the board with a heat-sealed carbon/polyester ribbon cable.

The die itself contains obvious blocks of memory for holding the seed key and serial number along with other programmable data pieces. Some state-machine code is also probably flashed into memory as well, and an external set of contacts (hidden under a stick-on label) is used for programming. The balance of chip area is dedicated to the clock and hardware hashing logic. Total gate count appears pretty modest given the clear use of large-geometry process technologies for the die.

Perhaps the biggest surprise was the apparent lack of a self-destruct mechanism for embedded memory; Portelligent has seen more-sophisticated secure microcontrollers in things as simple as game controllers where proprietary code was being masked. But lacking the hacker-crypto knowledge, I can't say how serious this issue might be to token integrity. Combined with the rolling-code attributes and PIN overlay, the solution is likely quite robust in a practical view of things.

The little leatherette fob holder is an intriguing part of the solution as well. What appears to be plated shield cloth lines the sleeve's internal surface, a possible countermeasure to any sniffing of emitted LCD drive signals that might allow tracking of displayed codes.

In any case, the device is cheap to build and effective enough for RSA to control the lion's share of the market for two-layer hardware authentication solutions. For those with a head for such things, a more-detailed discussion of the cryptography and encryption used can be found online (www.rsa.com).

For a hardware guy like me, the SecurID 600 is just another device in the rich field of one-chip wonders.

David Carey is president of Portelligent (www.teardown.com), a CMP company. The Austin, Texas, group produces teardown reports and related industry research on wireless, mobile and personal electronics.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.