0:04

Hi, folks. Ed Amoroso here.

And in this video, we're going to have some fun now with the SecurID Protocol.

Remember in the last video,

I showed you the different steps:

a stored secret at both the client and the server,

the same function keeping track,

every 15 seconds or so,

we're doing a repeated encryption of the seed, to the point where at any given time

a number of ticks would have gone off,

I'm able to go in at any given round

and provide back what I say, and it should match the server.

See, it's a very cool concept.

Let's think about now what Alice sees in all of this.

Alice is going to see, from the server,

just a request to prove that you are Alice.

No seed, no integer.

So I say, "I'm Alice."

"Prove it." And then what do I provide?

f to the n of lambda,

where n is the number of ticks.

That's interesting. So, Eve just writes down f to the n of lambda.

Then you do your work,

you log off, you come back some time later.

They say, "Hey, I'm Alice."

And Bob goes, "Okay, prove it."

Now you're going to provide whatever the f to the n of lambda is at that instant,

and n is going to be further along.

We compute n as the current time minus

the initial time, divided by the interval, and that's the number of ticks.

We sort of introduced that notion in the last video,

but I just want to make sure you're clear that f to the n of lambda is the number of

times you're encrypting if the interval is what it is.

And 15 seconds seems like a perfectly reasonable presumption.

So, Eve collects a series of ciphertext answers without the corresponding plaintext hint.

Now, we've said before, what's cryptanalysis?

It's either ciphertext-only, known-plaintext, or codebook.

Which of the three is this?

Are there any hints here?

So what is this? Ciphertext-only,

which is stronger than known-plaintext.

I think it's kind of funny; a lot of those cryptographers will say,

"That's why SecurID is so powerful, so used.

And Ed, that's why you have a picture in your office with you shaking hands so happily."

And they sold billions because it vindicates the fact that having stronger cryptography,

making it more difficult for cryptanalysis to be done,

that's the business success factor.

But it doesn't explain passwords, right?

If passwords are popular,

then how do you figure that, because that's the weakest thing on the planet?

I think it's more,

let's just hit the market at the right time.

People liked it. You didn't have to type anything; you just read an answer.

So I think ergonomically,

it was much more interesting and easy and

just the logistics of doing it seem to make more sense.

One thing that I think is funny is you might be wondering,

when does this all end?

Does the thing just go on forever?

It goes on until the license you paid for runs out.

So, you pay through your license.

That thing is running for 36 months and when you're at

36 months and one second, boom it's stopping.

And I think that's a perfectly reasonable thing, because that's what you paid for.

But I think it's just a fun,

interesting protocol and it's nice to kind of compare and

contrast the handheld authenticator to RSA SecurID.

They're so darn similar.

Fundamentally different financial values and usages associated with the two.

One is stronger in terms of cryptographic strength,

clearly, but both have weaknesses in zone one and zone three.

I mean in this one, you just, again,

you beat up your roommate and take their token and you

can authenticate using their token as them.

That's the easiest way to break this scheme, still zone one.

So, we had that problem. Now just to test our understanding of SecurID,

let's do a little quiz.

I think the answer, if you think about that a little bit,

multiple challenges, challenge response, no plaintext.

It's C, right?

There is no plaintext query here.

That's the strength of the SecurID protocol.

The fact that there's no plaintext makes

this a ciphertext-only cryptanalytic situation

and certainly makes the cryptographers happy.

And I think it should make you happy as well if you use one of these things.

It's not going to be easy for Eve to go in,

collect your responses and do some cryptanalysis.

That's going to be very difficult.

So, we will see you on our next video. I'll see you later.
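Editor's added example, not part of the lecture above and not RSA's own SecurID implementation: a Python model of the protocol exactly as the lecture describes it. Both sides hold the seed lambda and the same function f; the answer at any moment is f to the n of lambda with n = (current time - initial time) / interval, the interval is the lecture's 15 seconds, and the token stops when the 36-month license runs out. Everything else is an assumption made for the example: f is modelled as HMAC-SHA256 keyed with the seed (so Eve, who lacks the seed, cannot advance a captured value herself), the displayed answer is the state reduced to six decimal digits, the seed and login times are constructed, and the names Alice, Bob and Eve follow the lecture.

```python
import hashlib
import hmac

# Assumptions for this example (not from the lecture): the per-tick step f is
# HMAC-SHA256 keyed with the shared seed, and the displayed answer is the state
# reduced to six decimal digits. 15 seconds is the interval the lecture uses;
# 36 months is approximated as 36 thirty-day months.
INTERVAL_SECONDS = 15
LICENSE_SECONDS = 36 * 30 * 24 * 3600

# Constructed sample seed (lambda) and start time, shared by Alice's token and Bob's server.
SAMPLE_SEED = bytes.fromhex("0123456789abcdef" * 4)
SAMPLE_T_INITIAL = 1_700_000_000


def f(seed: bytes, state: bytes) -> bytes:
    """One encryption step, keyed by the shared secret lambda (assumed HMAC-SHA256)."""
    return hmac.new(seed, state, hashlib.sha256).digest()


def tick_count(t_now: int, t_initial: int, interval: int = INTERVAL_SECONDS) -> int:
    """n = (current time - initial time) / interval, truncated to whole ticks."""
    if t_now < t_initial:
        raise ValueError("clock is before the token's initial time")
    return (t_now - t_initial) // interval


def f_n_of_lambda(seed: bytes, n: int) -> bytes:
    """f applied n times starting from the seed: the state after n ticks."""
    state = seed
    for _ in range(n):
        state = f(seed, state)
    return state


def display_code(state: bytes, digits: int = 6) -> str:
    """The number Alice reads off the token: the state reduced to `digits` decimal digits."""
    return str(int.from_bytes(state[:8], "big") % 10 ** digits).zfill(digits)


class SecurIDToken:
    """The same object on both sides: Alice's handheld token and Bob's stored copy of it.

    Keeps (n, f^n(lambda)) and only applies the ticks that have passed since the
    last use, instead of re-running millions of encryptions at every login.
    """

    def __init__(self, seed: bytes, t_initial: int):
        self.seed = seed
        self.t_initial = t_initial
        self._n = 0
        self._state = seed

    def code_at(self, t_now: int) -> str:
        if t_now - self.t_initial > LICENSE_SECONDS:
            raise RuntimeError("license expired: the token has stopped")
        n = tick_count(t_now, self.t_initial)
        if n < self._n:  # clock went backwards: start over from the seed
            self._n, self._state = 0, self.seed
        while self._n < n:
            self._state = f(self.seed, self._state)
            self._n += 1
        return display_code(self._state)


class Server:
    """Bob: holds each user's seed and start time, says 'prove it', checks the answer."""

    def __init__(self):
        self._tokens = {}

    def enroll(self, user: str, seed: bytes, t_initial: int) -> None:
        self._tokens[user] = SecurIDToken(seed, t_initial)

    def verify(self, user: str, answer: str, t_now: int) -> bool:
        token = self._tokens.get(user)
        if token is None:
            return False
        try:
            expected = token.code_at(t_now)
        except (ValueError, RuntimeError):  # clock before t_initial, or license expired
            return False
        return hmac.compare_digest(expected, answer)


def run_protocol(seed: bytes, t_initial: int, login_times):
    """Alice logs in at each time; Eve writes down what crosses the wire.

    Returns (verdicts, eve_log). Eve's log holds only (time, answer) pairs:
    f^n(lambda) with no seed and no plaintext to pair it with.
    """
    server = Server()
    server.enroll("Alice", seed, t_initial)
    alice = SecurIDToken(seed, t_initial)
    verdicts, eve_log = [], []
    for t in login_times:
        answer = alice.code_at(t)          # "I'm Alice." "Prove it." -> f^n(lambda)
        eve_log.append((t, answer))        # Eve just writes it down
        verdicts.append(server.verify("Alice", answer, t))
    return verdicts, eve_log


if __name__ == "__main__":
    logins = [SAMPLE_T_INITIAL + 100, SAMPLE_T_INITIAL + 3_600]
    verdicts, eve_log = run_protocol(SAMPLE_SEED, SAMPLE_T_INITIAL, logins)
    for (t, answer), ok in zip(eve_log, verdicts):
        print(f"t={t} n={tick_count(t, SAMPLE_T_INITIAL)} answer={answer} accepted={ok}")
```

The point of keeping (n, f^n(lambda)) on both sides is that the lecture's n grows to millions over a license term, and a server that recomputed from the seed on every login would do all that work each time; the incremental advance gives the same value as the from-scratch computation, and the expiry check runs before any encryption so an expired token is rejected cheaply.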