Skip Links

Does RSA SecurID have a US gov't-authorized back door?

RSA SecurID breach continues to raise security questions

By , Network World
March 23, 2011 07:08 AM ET

Network World - Does the RSA SecurID two-token authentication system include a back door that was built in at the request of the U.S. government in exchange for letting RSA export SecurID?

"RSA cut a deal with the government to provide a back door for surveillance work," say some industry analysts, who asked not to be identified. They say the trade-off let RSA export SecurID. RSA today would not confirm or deny this, indicating it was limiting its discussion of SecurID since last week's disclosure of a network breach where "certain information" about SecurID was stolen.

ANALYSIS: Did hackers nab SecurID's secret sauce?

"Certainly possible," says security technology expert and author Bruce Schneier. "Back in the '80s, this sort of thing was popular. Remember key escrow? Remember the back door in Lotus Notes? SecurID is old enough that the NSA would have asked and that export might have hinged on it." But Schneier says he has no direct knowledge of that.

Others say they simply find it too hard to believe such a back door exists in RSA SecurID.

"It's highly unlikely," says Jon Oltsik, principal analyst at Enterprise Strategy Group. If that were true, however, anyone using SecurID would be at risk, he notes. But Oltsik reiterates he considers the idea of a back door in SecurID to not be credible.

RSA indicated that legal constraints brought about by the disclosed breach are holding it back from confronting this question of a back door to SecurID.

But if there is any back door, the implications are particularly troubling since RSA last week admitted, without providing much detail, that "certain information" related to SecurID was stolen by a stealthy attack into RSA's network. Art Coviello, RSA executive chairman, referred to the attack as an "Advanced Persistent Threat," a term meaning a stealthy hacker break-in to steal sensitive corporate information.

The industry analysts, who asked that their names not be disclosed, say it's their firm conviction that RSA SecurID has a back door available for government surveillance with the involvement of the National Security Agency (NSA). They believe this is the main reason why RSA made such cryptic statements last week about the breach RSA says is tied specifically to the product SecurID, the two-factor authentication system based on servers and tokens to generate one-time passwords.

Many are, in fact, bewildered by the statement Coviello made on March 17: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

Many are finding RSA's statements about whether SecurID is vulnerable or not hard to understand. Yesterday, RSA issued another "RSA SecurCare Online Note" to SecurID customers as an "update" to "help customers further assess their risk and prioritize their remediation steps in relation to this event."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News