Solved

RSA tokencode timeout

Posted on 2011-03-04
Last Modified: 2012-05-11
We have an RSA SecurID appliance and we utilize the tokens that display the tokencode for 60 seconds.  I was shocked to recently learn that the tokencodes are actually valid for 3 minutes.  I had always assumed that once the tokencode had lapsed 60 seconds, then the server would no longer recognize it either.  That's incorrect.  Since that's the case, I guess I don't understand why the tokens don't just present the tokencode for 3 minutes.

My question is this:  Does anyone know if it's possible to configure the RSA SecurID server to only recognize the tokencodes during the 60 seconds that the codes are presented on the token?

We logged a case with RSA and the technician said it can't be adjusted.  I'm not certain if that was an official statement from RSA or just the opinion from the technician of the day.  I attended a security conference in which one of the speakers pointed out that in some cases the RSA timeout could be as high as 10 minutes and his recommendation was to decrease that.  So now I'm not certain if the speaker didn't have his facts straight or the RSA technician didn't have his facts straight.

Anyone had any experience with this?  Anyone else shocked that the tokencodes are valid long after they're no longer displayed on the token??
Question by:SBSIAdmin
5 Comments

Accepted Solution

by:
jako earned 100 total points
ID: 35042972
The interval is set longer than the actual display to allow for some of the inevitable clock shift. This is by design, because it would not be feasible nor profitable to build timekeeping electronics as accurate as you would like inside the relatively cheap piece of hardware that the token really represents.
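As an added illustration of the drift window jako describes (this is not code from the thread or from RSA; it uses the public RFC 6238 HMAC-SHA1 construction as a stand-in for RSA's proprietary SecurID algorithm, and the seed and timestamps are constructed): a server that accepts the current step plus one step either side turns a 60-second tokencode into one that is honoured for 180 seconds, while a window of zero honours it for exactly the 60 seconds it is displayed.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per tokencode, as on the tokens in the question

# Constructed demo seed; real SecurID seeds are provisioned per token.
SECRET = b"constructed-demo-seed"


def tokencode(secret: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Code for the time step containing second t (RFC 4226/6238 style,
    a stand-in for the proprietary SecurID algorithm)."""
    counter = t // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret: bytes, code: str, now: int, window: int,
                   step: int = STEP) -> bool:
    """Accept the code if it matches the server's current step or any step
    within +/- window steps. The window is what absorbs token clock drift."""
    current = now // step
    for drift in range(-window, window + 1):
        expected = tokencode(secret, (current + drift) * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def acceptance_seconds(secret: bytes, issued_at: int, window: int,
                       step: int = STEP) -> int:
    """Count the server-clock seconds during which a code generated at
    issued_at is accepted, given the server's drift window."""
    code = tokencode(secret, issued_at, step)
    start = (issued_at // step - window - 1) * step
    end = (issued_at // step + window + 2) * step
    return sum(1 for t in range(start, end)
               if server_accepts(secret, code, t, window, step))


if __name__ == "__main__":
    issued = 1299196800  # constructed timestamp on a step boundary
    for w in (0, 1):
        print(f"window={w}: code honoured for "
              f"{acceptance_seconds(SECRET, issued, w)} seconds")
```

The exercise shows the trade-off the thread is circling: shrinking the window closes the gap the conference speaker objected to, but every token whose clock has drifted by more than the window then fails to authenticate.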

Author Closing Comment

by:SBSIAdmin
ID: 35073061
I think the one response I received made sense, but I was hoping someone would have some additional detail as to whether or not this particular setting can be adjusted.

Expert Comment

by:jako
ID: 35073300
C? O RLY? Let's review:
"someone" - could it be "RSA technician" in the OP?
"whether" = "can't" -> thus it is hardcoded.

You were not looking for the answer you said in the closing post. I think you came here for encouragement to disassemble. Well, you do have the binaries running in your RSA server. If you're feeling lucky or play the disassembler game regularly at "impossible" level, you could seek the hardcoded value which could be delta (half the interval) or absolute (full interval). If you find the value through cognitive skills, trial or sheer luck, please feel free to post your results :)

Expert Comment

by:jako
ID: 35073342
Also, be prepared to swap a lot of the tokens :P

Author Comment

by:SBSIAdmin
ID: 35073516
I try not to read between the lines of one dimensional text, but I'm definitely sensing attitude and I'm not certain where it's coming from.  I feel as though you're the creator of RSA SecurID and somehow I've offended you.

My original question was this:
Does anyone know if it's possible to configure the RSA SecurID server to only recognize the tokencodes during the 60 seconds that the codes are presented on the token?

My closing post said "I was hoping someone would have some additional detail as to whether or not this particular setting can be adjusted".

So I'm unclear as to why you would suggest that I wasn't looking for this answer.  From my perspective, my original and closing posts were clear and consistent.  I was trying to determine if this parameter was customizable or not.

I certainly didn't post this question on EE looking for "encouragement to disassemble".  Thank you for your vote of confidence, but I'm definitely not that much of a bit-head.  I like to stay within the constraints of the application as designed by the vendor.  As I indicated in my original post, I attended a security conference in which one of the speakers recommended closing the gap during which RSA tokencodes are valid.  I was simply trying to determine whether the speaker was misguided, or whether those values can really be set.
