On 10/25/07, przemub <przemub@...> wrote:
> --- In securid-users@yahoogroups.com, "runqwe111" <paul@...> wrote:
> > Has anyone reverse engineered it, or have a
> > description of the algorithm sufficient to code one?
>
> some reverse engineering has been made - here is source code:
> http://seclists.org/lists/bugtraq/2000/Dec/0459.html

The code from 2000 is for the old-style tokens;
it does not apply to the new AES algorithm.

That the only attacks directly effective against user authentication
with SecurID have been related to the "soft" tokens is a big part of
the reason I am very reluctant to deploy the Windows or Blackberry
versions of the token, and am even suspicious of the USB-connected
SID800.

I'm glad that RSA caters to paranoids by offering a version of the
SID800 where the tokencode generator is *not* visible to the USB
interface:
http://archives.neohapsis.com/archives/fulldisclosure/2006-09/0246.html

> I work in a company which uses VPN network to connect to clients and I
> would like to work on a Linux desktop, so I need an RSA SecurID
> software token generator for Linux. Please tell me, how did you get
> this to work on Wine? I use version 3.0.2.

Have you considered using the SID700 hardware token? No OS dependency.

It'd be amusing to develop an open-source USB driver capable of
fetching the tokencode from the USB-visible variant of the SID800.
Anybody with time to devote to this project, and willing to
BSD-license your code, please contact me off-list.

Kevin