Shostack + Friends Blog Archive


Origins of time-sync passwords


In “Who Watches the Watchman” there’s an interesting history of watchclocks:

An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a night watchman’s position in both space and time for the duration of every evening. It also generates a detailed, permanent, and verifiable record of each night’s patrol.

The market for these devices was well established when John Brainard Ken Weiss invented the SecurID token. In fact, either John or Vin McLellan told me that the reason Security Dynamics built a time-based system was so that it could play in the wandering guard market. The guard needed the SecurID to write a code in a book, and with that, you could determine when he was at a given watch station. Only later did they discover that their device had value for information security. [Update: Vin corrects some of my historical details in the comments.]

Security Dynamics did an impressively good job of building a complete system, and an ecosystem for their devices, but creating plug-in authentication modules for all sorts of things. Frankly, their security wasn’t really great in any theoretical sense. There were relatively obvious flaws like Mudge’s ‘listen and guess’ attack on the last digit being sent over a cleartext channel. His “Vulnerabilities in OTP’s – SecurID and S/key” was presented at DefCon IV, but I can’t find a copy of the paper. There were more difficult to find flaws as I pointed out in my “Apparent Weaknesses in the Security Dynamics Client Server Protocol“. Later Biryukov, Lano and Preneel presented “ Cryptanalysis of the Alleged SecurID Hash Function.”

What John, and later Art Covellio understood far better than Mudge or I understood at the time was that the security didn’t really matter all that much. The system and its components needed a baseline of security, and they invested in that, and beyond. They had their system reviewed by top outside experts. They needed to be able to handle the baseline questions about someone tampering with the card, and the algorithms and protocols were kept secret in accordance with practice at the time. (John told me that I settled a debate between their engineers and marketing when I published them. Had I known that, I would have included the hash function in my paper, but on advice of counsel I’d removed it. He called it “waving a red flag in front of Security Dynamics just because you can.”)

What did matter was that their customers were doing better than static passwords, and they mostly delivered, unless Bart Preneel or I was your adversary.

Security Dynamics also won on the usability of the system, relative to other tokens. Some alternatives, implemented challenge/response systems. To use them, you needed to enter a challenge, then press enter, your PIN and then enter, and then type in the response. All prompts and errors were in an 8 character LCD display. It was hard to deploy to real people.

Another advantage that Security Dynamics delivered was integration into everything. They had a server of their own. Clients to replace /bin/login on a dozen unixes, Netware and a GINA plugin for Windows. Radius and TACACS integration. They made themselves the easiest system to actually deploy. That’s important. A system with much greater security and double the cost of deployment would have been hard to justify.

Anyway, Security Dynamics was a good enough business that when they went to get an RSA license, it turned out to be “easier to buy the company than to get a license.” (As Art Covellio says in this Hearsay podcast with Dennis Fisher.)

And at the end of the day, developing products that people can actually understand and deploy for their protection and risk management is what it’s about. Knowing where to start innovating is a key part of that.

3 comments on "Origins of time-sync passwords"

  • Vin McLellan says:

    Hi Adam,
    Fun as always to read Emergent Chaos!
    You’ve got so much of the rest of the early SecurID story right that I’m surprised that you, in error, attribute the invention of the time-synched SecurID to someone other than Ken Weiss: the holder of the SecurID patent, and the founder of Security Dynamics (corporate predecessor to RSA Security, now a division of EMC.)
    Ken is a one-time psychology professor who got intrigued with computers in the ’70s and launched himself as a software industry entrepreneur.
    John Brainard, today still on the staff of the CTO at RSA — to whom you mistakenly give credit for the invention of the SecurID — would be the first to appropriately credit Weiss, an ingenious and wonderfully eccentric character who is today still filing patents, mulling VC opportunities, and sailing the world.
    In 1980, Weiss hired John Brainard as a programmer at Contax Systems, Weiss’ Boston-based company which developed geo-aware software to help the transport industry more efficiently dispatch and route vehicles. Contax sold to taxi and trucking companies, messenger services, even police departments.
    Physical guard services — like police departments — historically have had a problem validating an employee’s claim of where he was at any given time. Watchclocks — as you noted, Adam — were a popular solution to this problem. A guard carried a spring-clock device which had to be routinely “wound” with one of numerous keys chained to specific locations on the premises. This system provided a timestamp for the guard’s presence at each location on his route.
    The subtext for your comments about time-synched SecurID, in its several successive generations, is that there is no such thing as perfect security. Challenges arise which must be met. So it was with Watchclocks. By the 1980s there was a thriving underground in which organized crime, among others, sold huge collections of Watchclock keys. It was a big enough problem that it emerged as an opportunity for Weiss et al.
    As an alternative to the Watchclock, Weiss developed a guard tour system which used Lucite boxes, securely attached at various stations on the guard’s prescribed route, which displayed a hard-to-predict PRN. The wandering guard was required to type in the PRN, on his Motorola radio keypad, as he passed each location — which allowed a central CPU to track who was where, when. Contax’s first big sale, in ’83, was to the Federal Services Administration, which bought the system for some of the 9,000 federal buildings it administered and protected.
    Subsequently — and in the lore of RSA, famously — there followed a Friday evening phone call to Weiss from the Director of the Federal Protective Service in which he reported DoD interest in the new technology. Would it be possible, he asked, to have individuals carry tiny PRN calculators which could be used to unlock high-security doors in the Pentagon? Weiss said it probably would be possible, but added that he thought there might be other ways to better provide that service. He asked for time to think about the possibilities.
    That Friday night, Weiss had his Eureka moment. It all came together! He could, he said, completely picture a time-synched PRN generator (with a secret seed) which — with the addition of a password — could provide two-factor authentication to identify an authorized individual to a remote computer equipped a similar device: what came to be called an authentication server.
    The next morning, Weiss tracked down a young Boston patent attorney, Larry Oliverio, who was working in his office on a Saturday morning. Weiss hired him to begin work immediately on what he declared to be an invention with remarkable potential. The next week, Security Dynamics Inc. (SDI) was incorporated, with IT access control as its target market.
    Weiss phased out the Contax business. In late ’84 and ’85, Weiss had Brainard, a one-time student of Ron Rivest, develop and test a proprietary hash — built around Weiss’ original PRN design — to mingle Current Time and a 64-bit random seed for a 4-8 digit PRN output. This, with virtually no changes, became the classic Brainard hash used in millions of SecurID tokens until it (as the Grand Old Lady of commercial crypto) was finally preempted by AES, some 15 years later.
    By ’85, SDI was confident of Brainard’s hash and had a working prototype of the SecurID the size of a small cigar box. When they shrunk the design down to the size of a thick credit card, Weiss subcontracted manufacturing to a Hong Kong firm. The first pilot ACE/SecurID systems were sold in 1986, although the first significant installations were not until 1987. (One of the earliest shipments, Adam, was to a huge Boston-based financial institution which for several years offered you gainful employment.)
    There were two Challenge/Response token systems already in the market, but they had only limited success. They did, however, have an advantage in that they relied upon DES, the US crypto standard. In the middle and late ’80s, the credibility of any commercial cryptosystem was established not by “open review,” but rather — particularly for US financial systems, government, and DoD contractors, essential markets — by a system of NSA evaluations and formal certification systems.
    It wasn’t until March 31, 1987, that the SecurID hand-held authenticator was certified and placed on the NSA/NIST “Evaluated Products” list: approved for US government use, and recommended as cryptographically sound to industry. With that bit of technopolitics by the way, the domestic market for IT access control systems evolved with relatively little government interference. (US export controls here, as elsewhere in IT, was a story in itself.)
    In that relatively open market, as you pointed out, Security Dynamics quickly claimed a lion’s share of the enterprise IT market — which it still holds — with an ease-of-use advantage over its C/R compeditors; smart holistic marketing, and a responsible policy of quickly responding to both real and potential threats.
    Thanks for the opportunity to wander down memory lane. As Adam knows, but others will not, I have been a consultant to, successively, SDI, RSA, and now EMC, for many years.

  • Adam says:

    Thanks for the added history, Vin! I suspect I remembered John as the inventor because I’ve interacted with him a lot more. Thanks so much for the additions and corrections.
    Next time I’m in Boston, the 4 of us should get together and wander a bit. 🙂
    (You’ll need to whitelist me–I’d mailed a draft of this to you & John a ways back, and assume it hit your spamfilter. I’d say that in private but… )

  • Shoornomy says:

    oh my god. hehe

Comments are closed.