Tuesday, October 16, 2007

How RSA tokens work

First post in a series (hopefully) related to general computer security.

When I first started my current job many years ago I was issued one of these keyfob thingies which displayed a 6-digit number that changed every minute. I just blindly accepted that it did some complex random number generation that allowed me to log in to systems securely.

Here's how it works (paraphrased from this).

The token is a completely standalone unit. It does not have any sort of connection to any other electronic device.

Each token contains a clock chip and a unique seed number, which I assume is displayed on the back of the token.

Every minute, the current time and the unique seed number are combined as input to an algorithm that produces the six-digit number you see on the token (I have no information on the algorithm itself).

The server performing the authentication (known as an ACE Server) knows your unique seed number, the algorithm being used, and the time. With this information, it performs the same function on the server. It receives your code and compares it to the code it computes. If the codes match you are authenticated.

Edit:
After the original post I found a more detailed breakdown, which is here:

All versions of the SecurID use RSA's patented technology to synchronize the use of Current Time in a SecurID token and its remote authentication server, what RSA calls the ACE/Server. (Typically, as you know, the link between the token-holder and the ACE/Server is through an intermediary -- an ACE/Agent or RADIUS agent -- which intercepts an authentication call and relays it to the ACE/Server for processing.)

The classic SecurID, for 15 years, used a proprietary algorithm to hash a token-specific 64-bit seed and Current Time. The new SecurID -- introduced at the beginning of 2003 -- uses the AES block cipher, in standard ECB mode, to hash:

- a 128-bit token-specific true-random seed,
- a 64-bit standard ISO representation of Current Time (yr/mo/day/hour/min/second),
- a 32-bit token-specific salt (the serial number of the token), and
- another 32 bits of padding, which can be adapted for new functions or additional defensive layers in the future.

Conflated and hashed by the AES, these inputs generate the series of 6-8 digit (or alphanumeric) token-codes that are continuously displayed on the SecurID's LCD, rolling over every 60 seconds. (The standard mode of use, as you know, requires two-factor authentication: the token-holder is required to provide both a SecurID token-code and a user-memorized PIN to the remote ACE/Server.)

ECB mode in AES is executed on 128-bit blocks, of course, so it is obvious that RSA had to pad the standard 64-bit expression of Current Time with another 64 bits. Using a token-specific salt blocks any attempt to pre-calculate a library of possible token-codes for all 128-bit seeds. That means that any brute-force attack on the AES SecurIDs would have to be focused on a particular token.
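As an added illustration (my own sketch, not code from the post or from RSA), here is the scheme the quoted text describes in Go: the 128-bit seed keys AES-128, one block holding the 64-bit time, the 32-bit serial salt and 32 bits of padding is encrypted in ECB mode, and the ACE/Server side recomputes and compares. The exact byte layout of the time, the reduction of the ciphertext to six decimal digits, and the one-minute drift window are assumptions; RSA's real derivation is not given on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Token holds the per-token values named in the quoted text: the 128-bit
// seed (used here as the AES-128 key) and the 32-bit serial number (salt).
type Token struct {
	Seed   [16]byte
	Serial uint32
}

// Code derives the 6-digit token-code for the minute containing t. The single
// AES block is laid out as the text describes: 64-bit yr/mo/day/hour/min/sec
// time || 32-bit serial || 32 zero bits of padding (one block = ECB mode).
// Reducing the ciphertext to six decimal digits is an assumed final step.
func (tok Token) Code(t time.Time) string {
	c, _ := aes.NewCipher(tok.Seed[:]) // a 16-byte key is always accepted
	t = t.UTC()
	var in, out [16]byte
	binary.BigEndian.PutUint16(in[0:2], uint16(t.Year()))
	in[2], in[3], in[4], in[5] = byte(t.Month()), byte(t.Day()), byte(t.Hour()), byte(t.Minute())
	// in[6] (seconds) stays 0 so the code rolls over every 60 s; in[7] and in[12:16] are padding
	binary.BigEndian.PutUint32(in[8:12], tok.Serial)
	c.Encrypt(out[:], in[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint64(out[:8])%1000000)
}

// Verify is the ACE/Server side: recompute from the shared seed and the server's
// own clock, then compare in constant time. Accepting the adjacent minutes is an
// assumed allowance for clock drift between token and server.
func (tok Token) Verify(code string, now time.Time) bool {
	for _, d := range []time.Duration{0, -time.Minute, time.Minute} {
		want := tok.Code(now.Add(d))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	tok := Token{Serial: 0x00c0ffee}     // constructed serial number
	copy(tok.Seed[:], "constructed-seed") // placeholder seed; real seeds are true-random
	code := tok.Code(time.Now())
	fmt.Printf("token shows %s; server accepts it: %v\n", code, tok.Verify(code, time.Now()))
}
```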

Sunday, October 14, 2007

Gold Digger Pwned

I know everyone has probably linked to this craigslist listing and there's a good reason for it... It rules.

What am I doing wrong?

Okay, I'm tired of beating around the bush. I'm a beautiful (spectacularly beautiful) 25 year old girl. I'm articulate and classy. I'm not from New York. I'm looking to get married to a guy who makes at least half a million a year. I know how that sounds, but keep in mind that a million a year is middle class in New York City, so I don't think I'm overreaching at all.

Are there any guys who make 500K or more on this board? Any wives? Could you send me some tips? I dated a business man who makes average around 200 - 250. But that's where I seem to hit a roadblock. 250,000 won't get me to central park west. I know a woman in my yoga class who was married to an investment banker and lives in Tribeca, and she's not as pretty as I am, nor is she a great genius. So what is she doing right? How do I get to her level?

Here are my questions specifically:
- Where do you single rich men hang out? Give me specifics - bars, restaurants, gyms
- What are you looking for in a mate? Be honest guys, you won't hurt my feelings
- Is there an age range I should be targeting (I'm 25)?
- Why are some of the women living lavish lifestyles on the upper east side so plain? I've seen really 'plain jane' boring types who have nothing to offer married to incredibly wealthy guys. I've seen drop dead gorgeous girls in singles bars in the east village. What's the story there?
- Jobs I should look out for? Everyone knows - lawyer, investment banker, doctor. How much do those guys really make? And where do they hang out? Where do the hedge fund guys hang out?
- How do you decide marriage vs. just a girlfriend? I am looking for MARRIAGE ONLY

Please hold your insults - I'm putting myself out there in an honest way. Most beautiful women are superficial; at least I'm being up front about it. I wouldn't be searching for these kinds of guys if I wasn't able to match them - in looks, culture, sophistication, and keeping a nice home and hearth.


THE ANSWER
Dear Pers-431649184:

I read your posting with great interest and have thought meaningfully about your dilemma. I offer the following analysis of your predicament.

Firstly, I'm not wasting your time, I qualify as a guy who fits your bill; that is, I make more than $500K per year. That said, here's how I see it.

Your offer, from the perspective of a guy like me, is plain and simple a crappy business deal. Here's why. Cutting through all the B.S., what you suggest is a simple trade: you bring your looks to the party and I bring my money. Fine, simple. But here's the rub, your looks will fade and my money will likely continue into perpetuity...in fact, it is very likely that my income increases but it is an absolute certainty that you won't be getting any more beautiful!

So, in economic terms you are a depreciating asset and I am an earning asset. Not only are you a depreciating asset, your depreciation accelerates! Let me explain, you're 25 now and will likely stay pretty hot for the next 5 years, but less so each year. Then the fade begins in earnest. By 35 stick a fork in you!

So in Wall Street terms, we would call you a trading position, not a buy and hold...hence the rub...marriage. It doesn't make good business sense to "buy you" (which is what you're asking) so I'd rather lease. In case you think I'm being cruel, I would say the following. If my money were to go away, so would you, so when your beauty fades I need an out. It's as simple as that. So a deal that makes sense is dating, not marriage.

Separately, I was taught early in my career about efficient markets. So, I wonder why a girl as "articulate, classy and spectacularly beautiful" as you has been unable to find your sugar daddy. I find it hard to believe that if you are as gorgeous as you say you are that the $500K hasn't found you, if not only for a tryout. By the way, you could always find a way to make your own money and then we wouldn't need to have this difficult conversation.

With all that said, I must say you're going about it the right way. Classic "pump and dump."

I hope this is helpful, and if you want to enter into some sort of lease, let me know.

Monday, October 01, 2007

NFS - Topic #1

1) On the server, the port mapper starts (usually by the server upon boot).
2) On the server, the mountd (sometimes known as rpc.mountd) starts and opens one ephemeral TCP port and one UDP port. It registers these newly opened ports with the port mapper.
3) On the client, the mount command issues an RPC call to the port mapper on the server to obtain the port number for the mountd daemon.
4) The server replies with the port number.
5) On the client, the mount command issues an RPC call to the mount daemon to mount a filesystem on the server. This is where validation happens.
6) On the server, the mount daemon replies with the file handle for the given filesystem.
7) On the client, the mount command issues the mount system call to associate the file handle to the mount point on the client.

- The NFS server provides 15 procedures in the form of procedure calls.

- TCP or UDP capability
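Steps 3 and 4 above are a port mapper GETPORT exchange. The following Go code, added here and not part of the original post, builds the client's call and parses the server's reply in ONC RPC/XDR framing (the layout from RFC 1057 and RFC 1833); the xid, the reply bytes and port 32767 are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	progPortmap = 100000 // ONC RPC program number of the port mapper (port 111)
	progMountd  = 100005 // rpc.mountd, whose ephemeral port the client must look up
	procGetPort = 3      // PMAPPROC_GETPORT
	protoTCP    = 6
)

func xdr(words ...uint32) []byte { // XDR encodes each 32-bit word big-endian
	var b []byte
	for _, w := range words {
		b = append(b, byte(w>>24), byte(w>>16), byte(w>>8), byte(w))
	}
	return b
}

// GetPortRequest is the CALL the client's mount command sends in step 3.
func GetPortRequest(xid, prog, vers, proto uint32) []byte {
	return xdr(xid, 0, 2, progPortmap, 2, procGetPort, // xid, CALL, RPC v2, program, version, procedure
		0, 0, 0, 0, // credentials and verifier: AUTH_NULL flavor, zero-length body
		prog, vers, proto, 0) // args: the mapping to look up; the port field is ignored
}

// ParseGetPortReply decodes the step-4 REPLY; port 0 means prog is not registered.
func ParseGetPortReply(xid uint32, msg []byte) (uint32, error) {
	u := func(off int) uint32 { return binary.BigEndian.Uint32(msg[off:]) }
	switch {
	case len(msg) < 28:
		return 0, fmt.Errorf("reply too short: %d bytes", len(msg))
	case u(0) != xid:
		return 0, fmt.Errorf("xid mismatch: reply does not answer our call")
	case u(4) != 1 || u(8) != 0:
		return 0, fmt.Errorf("not an accepted REPLY")
	case u(20) != 0:
		return 0, fmt.Errorf("accept_stat %d, not SUCCESS", u(20))
	}
	return u(24), nil
}

func main() {
	const xid = 0x1a2b3c4d
	reply := xdr(xid, 1, 0, 0, 0, 0, 32767) // constructed step-4 REPLY: MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS, port 32767
	port, err := ParseGetPortReply(xid, reply)
	fmt.Printf("mountd TCP port = %d, err = %v (GETPORT call was %d bytes)\n", port, err, len(GetPortRequest(xid, progMountd, 1, protoTCP)))
}
```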

One Skill A Day

I'm going to try something new to beef up my arsenal of skills before I start looking for a new job. Each day I'm going to learn one new tech skill. The topics will not follow any particular pattern, nor will they stick to one technical area. Rather, I'll probably jump around between disparate topics. That'll prevent me from getting bored.

In this blog I will type out a brief synopsis of what I learned in addition to key concepts. Some topics will obviously take more than one day to even learn the basics.

If I miss a day I'll learn two things the next day.

Here are a few topics I want to brush up on:

1) NFS
2) XEN
3) VxFS
4) Performance Tuning
5) IP Subnetting
6) DB queries
7) Basic Oracle Admin
8) netstat usage