Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

As far as I understand it, the hardware key-fob two-factor systems such as RSA S

ID: 649403 • Letter: A

Question

As far as I understand it, the hardware key-fob two-factor systems such as RSA SecurID depend on secret algorithms, and employ tamper-resistant hardware to prevent reverse engineering.

Is there some mathematical fact that prevents a system like SecurID from operating with open-source software (including the server and token algorithms, hardware token provisioning server) and hardware?

I would assume that, in the past, power requirements prevented the use of public-key algorithms in these little tokens. If it were designed today, would it be feasible to use that sort of approach in long-lived portable hardware tokens?

Explanation / Answer

In addition, the token should probably have a couple of extra requirements: it should have a PIN pad for the user to enter something they know, (which would simply modify the output, and not try to unlock it,) and yet it should have no electrical interfaces that would enable tampering. The keyboard should be as isolated as possible from the CPU. Finally, the finished token must be small and light enough to fit in a pocket, wallet, or keychain.

Once you get all those pieces together, the algorithm you choose needs to be secure while fitting all the requirements. Plus, you have stated it must be open source. There is little reason to select a public key algorithm, as they are power hungry and your battery is very finite. As your security must rest on your secret embedded key remaining secret, the tamper resistance must be very strong. That also implies that each token receives a unique random secret key, with each token unrelated to the next. This unique key should be held by the manufacturer and transferred to the system owner.

And then, you get to build the server side. It has to be fast enough to handle anywhere from dozens of user requests up to thousands. It has to be secure against tampering, yet the interface must be simple to use by authorized people. It has to store thousands or millions of user records.

An open Source funded effort is going to take a lot of monitoring and work. Designing it is the easy part compared to implementing it.

Related Questions

As district manager part of your responsibility is to identify reasons for chang
Question #2929063
As district manager part of your responsibility is to identify reasons for chang
Question #3231387
As district manager part of your responsibility is to identify reasons for chang
Question #3332652
As dogs age, diminished joint and hip health may lead to joint pain and thus red
Question #3022919
As e-commerce continues to grow in the United States and abroad, new consumer pr
Question #442969
As e-commerce entrepreneurs, it is important to think about how the future will
Question #368083
As e-commerce entrepreneurs, it is important to think about how the future will
Question #369249
As each atria contracts where does blood move? a) Through an atrioventricular va
Question #3472801

Navigate

Previous
As far as I understand it is a wide-spread opinion within the C++ community that
Next
As far as I understand, it is understood that throughout the universe there exis

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.