My "SecurID" random number generating PC access code device

NOTE: I am not trying to break the law or figure out how to hack my employer’s computer network. I’m just curious about how these devices work.

I have a laptop issued by my employer. To dial in remotely, I have to enter, among other things, a 6-digit number which appears in an LCD display, on a little locket-like device that I carry with my badge. This number changes every 60 seconds, and I have to enter the number that’s currently being displayed, or I can’t get in.

Now here’s my question. The generation of the number appears to be random, so when I key it at login time, how does my employer’s network, or even my PC, “know” what the correct number is? It implies that the number I’m entering must be recognized by the network, but how is that possible? There can’t be two separate random number devices running in parallel, can there?

The SecurID cards are synchronized with your company’s authentication server before they’re given to you. The SecurID software takes care of this. I’m not sure if the set of numbers is predetermined and loaded onto the card, or if the key generator uses the elapsed time as a factor in the calculation, but it’s something like that.

The link below explains one scheme. There are others, but they’re all based on the current time and a shared secret. Your locket has a code it shares with the server and a clock. It uses both to seed an algorithm to generate a number. The server has the same code and a clock so it can generate the same number. The server can check the current number as well as the last few and next few to allow for some drift in the two clocks.

The numbers it generates are not random. They are the result of a calculation based on a server ID code and the current time so the server can perform the same calculation as the locket. The actual algorithm would be more like a hash (e.g. SHA-1) than a random number generator.
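To make the two posts above concrete (shared secret plus clock, fed through a hash, with the server also checking a few neighbouring time slots for drift), here is an added example in the style of the TOTP scheme from RFC 6238; it is not SecurID’s own algorithm, and the seed, times and drift window are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 60   # the display changes once a minute, as in the original post
DIGITS = 6          # six digits on the LCD

# Constructed demo seed: the shared secret loaded into the token and the server.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-one"


def time_counter(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Whole steps since the epoch; token and server compute the same value."""
    return unix_time // step


def generate_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the displayed code from the secret and the time counter.

    HMAC-SHA1 over the 8-byte big-endian counter, then the dynamic truncation
    of RFC 4226 to get a fixed number of decimal digits (zero-padded).
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, server_time: int,
                drift_steps: int = 1) -> Optional[int]:
    """Server side: accept the current slot plus drift_steps slots before and after.

    Returns the slot offset that matched (0 = exactly in sync), or None on failure.
    """
    now = time_counter(server_time)
    for delta in range(-drift_steps, drift_steps + 1):
        expected = generate_code(secret, now + delta)
        if hmac.compare_digest(expected, submitted):
            return delta
    return None


def demo(server_time: int = 1_700_000_000) -> dict:
    """Token clock 45 s behind (lands in the previous slot) vs. 5 min behind."""
    slightly_behind = generate_code(DEMO_SECRET, time_counter(server_time - 45))
    badly_behind = generate_code(DEMO_SECRET, time_counter(server_time - 300))
    return {
        "slightly_behind": verify_code(DEMO_SECRET, slightly_behind, server_time),
        "badly_behind": verify_code(DEMO_SECRET, badly_behind, server_time),
    }
```

With the constructed times, the token that is 45 seconds slow is accepted from the previous slot, while the one five minutes slow falls outside the one-slot window and is rejected.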

At a former employer, we had our Authentication server get out of sync with our SecurID cards. No one could get it. Lots of fun to fix, too.

Just curious, Javaman, where do you work? Or would that be telling?

Lots of places use the SecurIDs.

I have one in front of me as I type. I thought my range of numbers was stored on it. Am I wrong?

I had one at my last job…when I had a job…

The password is probably based on a pseudo-random number sequence. Both your server at work and your badge contain digital clocks which are synchronized (or at least accurate to within 30 seconds of each other).

Pseudo-random number sequences are based on a “seed” number. Depending on the algorithm used, the sequence of ‘random’ numbers created by these algorithms usually ends up repeating exactly after a certain point in the series (after 32767 or 65535 numbers). So they’re not really random, and you wouldn’t want them to be for this particular application.

In this case, I assume the digital clock is providing that seed number. The algorithm used to generate this ‘random’ number is the same both at work and on your badge, so as long as the clocks stay synchronized, they should produce the same number.