RSA SecurID Teardown

I did a teardown of an RSA SecurID many years ago (you can see that post here). In that teardown, it was an older generation (SD600) of the RSA SecurID. In this post, let’s take a look at what’s inside the newer SID700 series RSA SecurID token. A short video of the teardown is included towards the end.

RSASecurID

These RSA SecurID tokens basically are just pseudo-random number generators. Each token displays a random number from the sequence predetermined by the seed value and the algorithm every minute. During authentication, the user selected passcode (typically chosen when the SecurID was initially assigned) concatenated with the random number displayed at the time being forms the password, which is used to authenticate to the server. Because the clock on the SecurID token and that on the server are independent, the cumulative effect of clock drift would result in the number generated from the token to be out of sequence compared to the number generated on the server. Thus the server side employees some kind of algorithm to periodically adjust the actual pseduo-random number generated based on the actual number presented from the SecurID.

These devices were designed to be tamper-proof so dissembling was pretty difficult. The newer version of the SecurID was nevertheless slightly easier to take apart compared to the old version. Here is a picture of the SecurID after it was removed from the casing.

RSASecurID2

And here is a picture after the LCD was removed. Like the previous generation, this SecurID also relies on the chip-on-board design. Besides the main chip the only external components are a clock crystal (used for the real-time clock) and a few capacitors.

RSASecurID1

Here is a short video of this teardown:

Be Sociable, Share!

Leave a Reply