By: Shoornomy

Shoornomy — Sat, 25 Jul 2009 01:50:14 +0000

oh my god. hehe

By: Adam

Adam — Sat, 11 Jul 2009 12:11:12 +0000

Thanks for the added history, Vin! I suspect I remembered John as the inventor because I’ve interacted with him a lot more. Thanks so much for the additions and corrections.
Next time I’m in Boston, the 4 of us should get together and wander a bit. :)
(You’ll need to whitelist me–I’d mailed a draft of this to you & John a ways back, and assume it hit your spamfilter. I’d say that in private but… )

By: Vin McLellan

Vin McLellan — Sat, 11 Jul 2009 00:17:05 +0000

Hi Adam,
Fun as always to read Emergent Chaos!
You’ve got so much of the rest of the early SecurID story right that I’m surprised that you, in error, attribute the invention of the time-synched SecurID to someone other than Ken Weiss: the holder of the SecurID patent, and the founder of Security Dynamics (corporate predecessor to RSA Security, now a division of EMC.)
Ken is a one-time psychology professor who got intrigued with computers in the ’70s and launched himself as a software industry entrepreneur.
John Brainard, today still on the staff of the CTO at RSA — to whom you mistakenly give credit for the invention of the SecurID — would be the first to appropriately credit Weiss, an ingenious and wonderfully eccentric character who is today still filing patents, mulling VC opportunities, and sailing the world.
In 1980, Weiss hired John Brainard as a programmer at Contax Systems, Weiss’ Boston-based company which developed geo-aware software to help the transport industry more efficiently dispatch and route vehicles. Contax sold to taxi and trucking companies, messenger services, even police departments.
Physical guard services — like police departments — historically have had a problem validating an employee’s claim of where he was at any given time. Watchclocks — as you noted, Adam — were a popular solution to this problem. A guard carried a spring-clock device which had to be routinely “wound” with one of numerous keys chained to specific locations on the premises. This system provided a timestamp for the guard’s presence at each location on his route.
The subtext for your comments about time-synched SecurID, in its several successive generations, is that there is no such thing as perfect security. Challenges arise which must be met. So it was with Watchclocks. By the 1980s there was a thriving underground in which organized crime, among others, sold huge collections of Watchclock keys. It was a big enough problem that it emerged as an opportunity for Weiss et al.
As an alternative to the Watchclock, Weiss developed a guard tour system which used Lucite boxes, securely attached at various stations on the guard’s prescribed route, which displayed a hard-to-predict PRN. The wandering guard was required to type in the PRN, on his Motorola radio keypad, as he passed each location — which allowed a central CPU to track who was where, when. Contax’s first big sale, in ’83, was to the Federal Services Administration, which bought the system for some of the 9,000 federal buildings it administered and protected.
Subsequently — and in the lore of RSA, famously — there followed a Friday evening phone call to Weiss from the Director of the Federal Protective Service in which he reported DoD interest in the new technology. Would it be possible, he asked, to have individuals carry tiny PRN calculators which could be used to unlock high-security doors in the Pentagon? Weiss said it probably would be possible, but added that he thought there might be other ways to better provide that service. He asked for time to think about the possibilities.
That Friday night, Weiss had his Eureka moment. It all came together! He could, he said, completely picture a time-synched PRN generator (with a secret seed) which — with the addition of a password — could provide two-factor authentication to identify an authorized individual to a remote computer equipped a similar device: what came to be called an authentication server.
The next morning, Weiss tracked down a young Boston patent attorney, Larry Oliverio, who was working in his office on a Saturday morning. Weiss hired him to begin work immediately on what he declared to be an invention with remarkable potential. The next week, Security Dynamics Inc. (SDI) was incorporated, with IT access control as its target market.
Weiss phased out the Contax business. In late ’84 and ’85, Weiss had Brainard, a one-time student of Ron Rivest, develop and test a proprietary hash — built around Weiss’ original PRN design — to mingle Current Time and a 64-bit random seed for a 4-8 digit PRN output. This, with virtually no changes, became the classic Brainard hash used in millions of SecurID tokens until it (as the Grand Old Lady of commercial crypto) was finally preempted by AES, some 15 years later.
By ’85, SDI was confident of Brainard’s hash and had a working prototype of the SecurID the size of a small cigar box. When they shrunk the design down to the size of a thick credit card, Weiss subcontracted manufacturing to a Hong Kong firm. The first pilot ACE/SecurID systems were sold in 1986, although the first significant installations were not until 1987. (One of the earliest shipments, Adam, was to a huge Boston-based financial institution which for several years offered you gainful employment.)
There were two Challenge/Response token systems already in the market, but they had only limited success. They did, however, have an advantage in that they relied upon DES, the US crypto standard. In the middle and late ’80s, the credibility of any commercial cryptosystem was established not by “open review,” but rather — particularly for US financial systems, government, and DoD contractors, essential markets — by a system of NSA evaluations and formal certification systems.
It wasn’t until March 31, 1987, that the SecurID hand-held authenticator was certified and placed on the NSA/NIST “Evaluated Products” list: approved for US government use, and recommended as cryptographically sound to industry. With that bit of technopolitics by the way, the domestic market for IT access control systems evolved with relatively little government interference. (US export controls here, as elsewhere in IT, was a story in itself.)
In that relatively open market, as you pointed out, Security Dynamics quickly claimed a lion’s share of the enterprise IT market — which it still holds — with an ease-of-use advantage over its C/R compeditors; smart holistic marketing, and a responsible policy of quickly responding to both real and potential threats.
Thanks for the opportunity to wander down memory lane. As Adam knows, but others will not, I have been a consultant to, successively, SDI, RSA, and now EMC, for many years.
_Vin

Comments on: Origins of time-sync passwords

By: Shoornomy

By: Adam

By: Vin McLellan