Security Experts: RSA Lacks Technical Openness

By Ericka Chickowski

RSA channel partners are concerned about the lack of detail from RSA following a security breach involving its SecurID authentication product, which is used by a range of organizations including banks and highly sensitive government entities.

Some security experts believe that, aside from the breach itself, part of the problem is the lack of technical openness RSA has fostered around this set of authentication products. They used the breach as an opportunity to take a jab at RSA for not offering the security community more details about the workings of SecurID in the first place.

"RSA broke a cardinal rule in the non-disclosure of their one-time authentication system; the fundamental crux of any security method or algorithm is wide publication and dissemination of the underpinning method used for purposes of peer review," says Gregory Perry, CEO of training firm GoVirtual, a former security firm executive and an open-source advocate. "RSA is not new to this concept; their RSA encryption algorithm and related method of implementation is the de facto standard for public key encryption in use on the Internet today, but for some reason they chose to adopt a mindset of 'security through obscurity' with their RSA SecurID method - which many industry veterans viewed with suspicion over the years and which raised the specter of a backdoor within the SecurID OTP authentication framework."

Christian Hessler, CTO of authentication firm LiveEnsure, agreed that the opacity of the RSA solution works to its disadvantage.

"The breach at RSA just goes to show that security by obscurity never works. It's a fundamental principle in security called Kerckhoffs's principle - you must assume your enemy has the details of your system. If your authentication relies on some level of operational system 'secrecy' to work, it is just a matter of when, not if, the system will be compromised," Hessler says. "The problem with traditional shared secret tokens, outside of cost, deployment and custody issues, is that they do nothing to establish context of the mutual authentication. They are merely additional layers of 'secret passwords,' regardless of how those factors are generated or delivered."
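The two points the experts make above, that a system should be secure even when its algorithm is public (Kerckhoffs's principle) and that a shared-secret token is ultimately one more secret password, can be seen concretely with an openly specified one-time-password algorithm. The following is an added example, not code from the article or from RSA, and it does not describe SecurID's internals, which the article does not detail; it uses HOTP as published in RFC 4226 (HMAC-SHA1 over a counter, with the RFC's own test secret) as a stand-in. Everything that needs to stay secret is the seed: an attacker who has the seed produces exactly the code the user's token produces, while an attacker who knows only the algorithm gets nothing. The look-ahead window and the advancing counter on the server side are assumptions about a typical verifier, not anything the article states.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced mod 10^digits.
    The algorithm is public; only `secret` (the token seed) is confidential."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


def verify_hotp(secret: bytes, server_counter: int, candidate: str, window: int = 3):
    """Server-side check (assumed typical verifier, not RSA's). Accept the code if it
    matches any counter in [server_counter, server_counter + window); return the new
    server counter on success so the accepted value can never be replayed, else None."""
    for c in range(server_counter, server_counter + window):
        # constant-time comparison so a wrong digit is not detectable by timing
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890"); it is the
# published test vector seed, not a real token seed.
RFC4226_SECRET = b"12345678901234567890"


def seed_compromise_demo(counter: int = 5) -> dict:
    """Illustrate Kerckhoffs's principle for a shared-secret token.
    The user's token, an attacker holding the stolen seed, and an attacker who knows
    only the (public) algorithm all run the same function; only seed possession matters."""
    token_code = hotp(RFC4226_SECRET, counter)
    attacker_with_seed = hotp(RFC4226_SECRET, counter)
    # Constructed wrong seed: the attacker knows everything except the secret.
    attacker_without_seed = hotp(b"00000000000000000000", counter)
    return {
        "token": token_code,
        "with_seed": attacker_with_seed,
        "without_seed": attacker_without_seed,
    }


if __name__ == "__main__":
    demo = seed_compromise_demo()
    print("token:", demo["token"])
    print("attacker with stolen seed:", demo["with_seed"])
    print("attacker with algorithm only:", demo["without_seed"])
    # A legitimate login advances the counter; resubmitting the same code then fails.
    nxt = verify_hotp(RFC4226_SECRET, 0, hotp(RFC4226_SECRET, 1))
    print("server counter after accepting code for counter 1:", nxt)
    print("replay of counter-0 code now accepted?",
          verify_hotp(RFC4226_SECRET, nxt, hotp(RFC4226_SECRET, 0)) is not None)
```

Because the algorithm is public and reviewed, there is nothing to hide except the seed, which is exactly why a seed database is the asset that decides the security of such a system and why the argument above treats the token as another secret password rather than as something that establishes context on its own.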