Transcription
RSA SecurID Software TokenDeployment Planning GuideVersion 4
Contact InformationGo to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm.TrademarksRSA, the RSA Logo, RSA Secured, SecurID, SecurCare, and EMC are either registered trademarks or trademarks of EMCCorporation (“EMC”) in the United States and/or other countries. All other trademarks used herein are the property of theirrespective owners. For the most up-to-date listing of RSA trademarks, go to a.License agreementThis software and the associated documentation are proprietary and confidential to EMC, are furnished under license, andmay be used and copied only in accordance with the terms of such license and with the inclusion of the copyright noticebelow. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to anyother person.No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Anyunauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.Note on encryption technologiesThe referenced product may contain encryption technology. Many countries prohibit or restrict the use, import, or export ofencryption technologies, and current use, import, and export regulations should be followed when using, importing orexporting the referenced product.DistributionUse, copying, and distribution of any EMC software described in this publication requires an applicable software license.DisclaimerEMC does not make any commitment with respect to the software outside of the applicable license agreement.EMC believes the information in this publication is accurate as of its publication date. EMC disclaims any obligation toupdate after the date hereof. The information is subject to update without notice.THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NOREPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THISPUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY ORFITNESS FOR A PARTICULAR PURPOSE.All references to “EMC” shall mean EMC and its direct and indirect wholly-owned subsidiaries, includingRSA Security LLC.Copyright 2011-2014 EMC Corporation. All Rights Reserved.April 2011Revised January 2013, December 2013, June 2014
RSA SecurID Software Token Deployment Planning GuideContentsPreface. 5About This Guide. 5Product Information . 5Related Documentation. 5Support and Service . 6Chapter 1: Overview of RSA SecurID Software Tokens . 7What Is a Software Token? . 7Advantages of Software Tokens . 8Software Token Apps. 8Software Token Seeds and Supported Token Types . 9Token Assignment Limits. 9RSA SecurID PINs. 9Software Token Time Settings. 10Protecting Software Tokens During Provisioning . 10Device Binding . 10Password Protection.11Security Issues with Deploying Software Tokens to Multiple Devices . 12Protecting Software Tokens Installed on the Device . 12Differences in the User Experience with Software Tokens . 13Passcode Authentication (PINPad-Style) . 14Passcode Authentication (Fob-Style). 15Managing the Transition to Software Tokens. 16Setting Up Software Tokens as Replacement Tokens . 16Chapter 2: Deploying Software Token Apps . 17Application Deployment Options . 17Chapter 3: Software Token Provisioning and Delivery . 19Software Token Provisioning. 19File-Based Provisioning. 19Compressed Token Format . 20Dynamic Seed Provisioning. 20RSA SecurID Software Token Converter . 21Administrator-Driven and Self-Service Provisioning Models. 21Administrator-Driven Provisioning with RSA Authentication Manager . 22Provisioning Tasks. 22Self-Service Provisioning . 23RSA Self-Service . 23RSA Credential Manager. 24RSA Authentication Deployment Manager . 24Delivering Software Tokens . 24Delivery Options for File-Based Tokens, Custom CTF URLs, and QR Codes . 243
RSA SecurID Software Token Deployment Planning GuideDelivery Options for Dynamically Provisioned Tokens. 26RSA Authentication Manager Prime Deployment Tools . 27AM Prime Self-Service Portal . 27RSA Authentication Manager Bulk Administration. 27Redistributing Software Tokens. 28Redistributing a Software Token to a New Device . 28Redistributing a Software Token to a Wiped Device . 28Redistributing a Software Token to the Same Device . 29Managing Software Token Expiration . 29Chapter 4: Sample Software Token Deployment Scenarios. 31Enterprise Managed Windows PCs with Automatic CT-KIP. 31Tasks for Automating a CT-KIP Import. 32Configure Automatic CT-KIP Import. 32Enterprise-Managed Windows PCs with Token Files . 33Tasks for Including Token Files in the Deployment Package . 33Android, BlackBerry 10, iOS, and Windows Phone Devices with CT-KIP. 34Tasks for CT-KIP Provisioning . 34Construct a Custom CT-KIP URL. 35Android, BlackBerry 10, iOS, and Windows Phone Devices with Token Files or CTF . 37Tasks for File-Based Provisioning. 37Token Delivery Options. 37Mixed Deployments. 38Android, BlackBerry 10, iOS, and Windows Phone Devices with Self-Service. 39Provisioning Tasks in RSA Self-Service . 39Provisioning Tasks in RSA Credential Manager . 40Provisioning Tasks in RSA Authentication Deployment Manager . 40Appendix A: Additional Provisioning Information . 41Supported Device Binding Attributes . 41Number of Tokens Supported Per App. 42Activation Code Information . 43Token Expiration Information . 444
RSA SecurID Software Token Deployment Planning GuidePrefaceAbout This GuideThis guide describes how to plan an RSA SecurID software token deployment in anenterprise environment. This guide is intended for customers who are consideringadding software tokens to their current RSA SecurID product deployment or whowant to replace their hardware tokens with software tokens.Product InformationFor more information about RSA SecurID software token product offerings, andassociated documentation, go to d DocumentationSecured by RSA Certified Partner Solutions directory. RSA has worked with anumber of manufacturers to qualify products that work with RSA products. Qualifiedthird-party products include virtual private network (VPN) and remote access servers(RAS), routers, web servers, and many more. To access the directory, go a?view overview.RSA Authentication Manager 8.x Administrator’s Guide. Provides informationabout how to administer users and security policies in RSA AuthenticationManager 8.x.RSA Authentication Manager 7.1 Administrator’s Guide. Provides informationabout how to administer users and security policies in RSA AuthenticationManager 7.1.RSA Security Console Help. Describes day-to-day administration tasks performed inthe RSA Security Console interface used with RSA Authentication Manager 8.x orRSA Authentication Manager 7.1. To view Help, click the Help tab in the SecurityConsole.RSA Authentication Manager 6.1 Administrator's Guide. Provides informationabout how to administer users and security policy in RSA AuthenticationManager 6.1.Database Administration Application Help. Describes day-to-day administrationtasks performed in the Database Administration application used withRSA Authentication Manager 6.1.RSA SecurID Authentication Engine 2.8.1 for Java Developer’s Guide. Explainshow to use the Java API to integrate RSA SecurID authentication features into anexisting server application. The Developer’s Guide is available from RSA SecurCareOnline. Go to https://knowledge.rsasecurity.com.Preface5
RSA SecurID Software Token Deployment Planning GuideRSA SecurID Software Token Best Practices Guide. Describes best practicesdesigned to ensure the secure operation of RSA SecurID software token products.This guide is available from RSA SecurCare Online. Go tohttps://knowledge.rsasecurity.com.RSA SecurID Software Token Converter. The Token Converter is a command lineutility for converting individual RSA SecurID software token files into alternativedelivery formats, including custom compressed token format (CTF) URLs and QRCodes. To download the Token Converter, go rid-software-authenticators/converter.htm.Support and ServiceRSA SecurCare Onlinehttps://knowledge.rsasecurity.comCustomer Support Informationwww.emc.com/support/rsa/index.htmRSA Solution ce/rsa?view overviewRSA SecurCare Online offers a knowledgebase that contains answers to commonquestions and solutions to known problems. It also offers information on new releases,important technical news and software downloads.6Preface
RSA SecurID Software Token Deployment Planning Guide1Overview of RSA SecurID Software TokensWhat Is a Software Token?Advantages of Software TokensSoftware Token AppsSoftware Token Seeds and Supported Token TypesToken Assignment LimitsRSA SecurID PINsSoftware Token Time SettingsProtecting Software Tokens During ProvisioningProtecting Software Tokens Installed on the DeviceDifferences in the User Experience with Software TokensManaging the Transition to Software TokensWhat Is a Software Token?RSA SecurID software tokens are designed to support the same RSA SecurIDone-time password (OTP) algorithms as RSA SecurID hardware tokens. Softwaretokens consist of two separately installed components, an RSA SecurID softwaretoken app built for the intended device operating system and a unique token seedrecord. Instead of being stored in an RSA SecurID hardware token, the seed(cryptographic key) is stored on the user's smartphone, tablet, desktop, or laptop.Once installed into an RSA SecurID app, a software token generates a 6-digit or8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencodeis combined with a PIN, it is called a passcode. The tokencode or passcode serves asthe OTP. Users enter OTP values, along with other security information, to verify theiridentity when accessing a protected resource. RSA SecurID software tokens areengineered to be compatible with existing RSA Secured applications.1: Overview of RSA SecurID Software Tokens7
RSA SecurID Software Token Deployment Planning GuideAdvantages of Software TokensRSA SecurID software is designed to protect an organization by helping to ensure thatonly authorized users are granted access to protected networked resources. RSASecurID software tokens are engineered to provide the strength of RSA SecurIDtwo-factor authentication combined with increased user convenience and efficientdeployment and recovery.Whether they have a personal smartphone or a corporate-issued laptop, users can useRSA SecurID software tokens on a device they already possess. Software tokens alsoprovide the option of direct integration with enterprise applications through thesoftware token automation API, further enhancing the user experience.Software tokens can help reduce the overall cost of ownership of RSA SecurIDtechnology for the organization in the following ways: Enable rapid electronic deployment to a distributed workforce Can be easily redeployed if users leave the organization Reduce Help Desk costs caused by lost or forgotten tokensSoftware Token AppsRSA SecurID software tokens are designed to be supported on smartphones, desktopsand laptops, and web browsers. For current RSA software token offerings, go rid-software-authenticators.htm.In addition, the RSA Secured Partner Solutions directory provides software tokensolutions for other platforms and technologies, including USB flash drives andbiometric devices. Go tohttps://gallery.emc.com/tags?tags rsa securid ready authenticators.81: Overview of RSA SecurID Software Tokens
RSA SecurID Software Token Deployment Planning GuideSoftware Token Seeds and Supported Token TypesAll RSA SecurID software token apps are engineered to support RSA SecurID 820software token seeds. RSA SecurID 820 seeds can be used with solutions developedand maintained by RSA, as well as with compatible solutions available from RSASecurID Ready Authenticator Partners. Customers can acquire software token seeds invarying lifetimes (from 6 months to 10 years). Software tokens can be deployed tomultiple devices over their lifetime, for example, iOS devices today and Androiddevices tomorrow.RSA SecurID software token apps support 128-bit (AES algorithm) tokens; 64-bit(SID algorithm) tokens are not supported. The apps support time-based tokens only.For more information or to purchase software token seeds, go rid-software-authenticators.htm and click Contact Sales.Token Assignment LimitsYou can assign up to three RSA SecurID tokens to each authorized user, either allsoftware tokens or a combination of hardware and software tokens. Most RSASecurID software token apps support multiple software tokens to allow for users whoneed to log on to multiple domains under different identities. For token limits per app,see “Number of Tokens Supported Per App” on page 42.Important: For security reasons, the token provisioning administrator should neverdeploy the same seed to multiple tokens. Each token should have a unique seed.RSA SecurID PINsRSA SecurID two-factor authentication requires using a personal identificationnumber (PIN) as one of the factors. RSA strongly recommends using PINs withsoftware tokens.RSA Authentication Manager can be configured to require PINs of all the same lengthor to accept PINs that vary in length between 4 and 8 characters. For maximumsecurity, RSA strongly recommends requiring complex, 8-character PINs. For detailson PIN management in RSA Authentication Manager 8.x, see the RSA AuthenticationManager 8.x Security Configuration Guide. For details on PIN management in earlierversions of RSA Authentication Manager, see the RSA Authentication Manager 7.1and 6.1 Security Best Practices Guide.1: Overview of RSA SecurID Software Tokens9
RSA SecurID Software Token Deployment Planning GuideWhen you add users to the RSA Authentication Manager database, you specify foreach user individually whether the user can create the PIN or must accept asystem-generated PIN. For PINPad-style software tokens (the default), the PIN mustbe numeric and cannot begin with a zero. For fob-style software tokens (supportedwith RSA Authentication Manager 8.x and RSA Authentication Manager 7.1), thePIN can be numeric (default) or alphanumeric. To require alphanumeric PINs, theadministrator must configure the token policy in the RSA Security Console(Authentication Policies Token Policies).If you use self-service provisioning, users with a valid Self-Service account can createtheir PINs when requesting a token.Software Token Time SettingsThe RSA SecurID algorithm uses time, expressed as Coordinated Universal Time(UTC or GMT), to calculate the current one-time password (OTP). Software tokensrely on the host device (for example, an iOS device) to provide the correct UTC timevalue. For this reason, the date, time, time zone, and Daylight Saving Time must all beset correctly to ensure that the software token can obtain the correct UTC time value.If possible, devices should be configured to use network time from a trusted timesource, for example a network time protocol (NTP) server. The network time protocolis designed to synchronize the clocks of computers over a network.Protecting Software Tokens During ProvisioningSoftware tokens should be protected during provisioning using device binding. Devicebinding associates a token with a device identifier. You can use device binding with allof the supported token provisioning methods described in Chapter 3, “Software TokenProvisioning and Delivery.”Device BindingTo protect a software token during provisioning, the RSA Authentication Manageradministrator should bind the token to a device class identifier or a device-specificidentifier. You bind tokens during provisioning by setting the DeviceSerialNumberattribute in the RSA Security Console (RSA Authentication Manager 8.x or RSAAuthentication Manager 7.1) or by creating token extension data (RSA AuthenticationManager 6.1).Device Class IdentifierA device class identifier is a globally unique identifier (GUID) associated with aspecific class of devices, for example, iOS devices. RSA provides a specific GUID foreach of its smartphone and desktop/laptop software token apps. This binding optionallows the user to import the token to any device in a class of devices, for example,any device running a supported version of iOS. Binding to the device class preventsthe token from being used on other types of devices running an RSA SecurID softwaretoken app. The GUIDs for the platforms supporting this attribute are listed in“Supported Device Binding Attributes” on page 41.101: Overview of RSA SecurID Software Tokens
RSA SecurID Software Token Deployment Planning GuideDevice-Specific IdentifierA device-specific identifier (device ID or binding ID) is a unique value used to bind atoken to one device in a class of devices. The identifier may come from the devicehardware (BlackBerry 10, Windows Phone), or may be randomly generated for thedevice by RSA (iOS, Android). Device binding provides an increased level ofassurance that a software token can be installed only on the authorized device it isintended for.To use device binding, the administrator must have knowledge of the device-specificidentifier. In most cases, the user can view the device ID in the installed RSA SecurIDapp and email this information to the administrator for device binding.For a list of device-specific binding attributes supported by specific platforms, see“Supported Device Binding Attributes” on page 41.Password ProtectionRSA strongly recommends password protecting token files (SDTID files). All RSAAuthentication Manager products can generate password-protected token files.Additionally, RSA Authentication Manager 8.x can generate password-protectedcustom CTF URLs containing token data.Note: RSA Authentication Manager 7.1 and RSA Authentication Manager 6.1 do notnatively generate custom CTF URLs. If you use one of these provisioning servers, youshould generate an SDTID file and set a token file password. Then use the RSASecurID Software Token Converter to convert the SDTID file to a password-protectedcustom CTF URL. For more information, see “RSA SecurID Software TokenConverter” on page 21.If you use the SAE API for token provisioning, you can specify a password stringwhen exporting a software token to an SDTID file.Assigning a unique token password can help protect against unauthorized usersgaining access to a SDTID file (or to a custom CTF URL) and attempting to importthe token to a different device. However, if the software token does not use devicebinding, the password does not prevent a user who has access to both the token fileand the password from installing the token on multiple devices. For this reason, RSAstrongly recommends using both device binding and password protection.For more information about SDTID files, see “File-Based Provisioning” on page 19.For more information about custom CTF URLs, see “Compressed Token Format” onpage 20.1: Overview of RSA SecurID Software Tokens11
RSA SecurID Software Token Deployment Planning GuideSecurity Issues with Deploying Software Tokens to Multiple DevicesThe software token seed license, RSA Authentication Manager, SAE, and softwaretoken apps do not prevent an administrator from deploying the same software token tomultiple devices. (RSA Authentication Manager does prevent associating a singletoken with more than one user.)RSA strongly discourages deploying the same token to multiple devices for thefollowing reasons: A software token provisioned to multiple devices cannot use device binding.Because the token seed is used to generate one of the factors in two-factorauthentication (something you have: the OTP), it is imperative that the token beused only on the intended device. For this reason, RSA strongly recommendsusing device binding, as described in “Device Binding” on page 10. However, ifthe administrator intends to provision the same software token to multiple devicesowned by the same user (for example, an enterprise iPhone and a home PC), theadministrator cannot use device binding, because different devices use differentbinding attributes. Without the protection of device binding, administrators mustmake sure they employ provisioning processes that prevent unauthorized usersfrom accessing the software token. Software tokens provisioned to multiple devices could experience timesynchronization issues.RSA Authentication Manager maintains information about clock skew for eachsoftware token seed to account for variations in device clock settings. When thesame software token is used on multiple devices, each with its own clock settingsand skew, users may experience problems. If the clock settings on the devicesvary significantly, the user may be challenged to enter the next tokencode, or insome cases may even be blocked from authenticating.Protecting Software Tokens Installed on the DeviceAfter a software token has been imported to a device, it is stored in a token databaseand protected with a set of system attributes. When the software token app needs toopen the token database, it queries the system for the set of attributes used and checksthem for validity. If a user or malware attempts to copy the token database to anotherdevice, the user cannot obtain tokencodes or the software token app appears as thoughit does not have a token. If the user obtains a new device, the software token must bereissued.121: Overview of RSA SecurID Software Tokens
RSA SecurID Software Token Deployment Planning GuideDifferences in the User Experience with Software TokensWhen adding software tokens to your RSA SecurID solution, you should be aware ofdifferences in the user experience between hardware and software tokens.Most RSA SecurID hardware tokens (for example, RSA SecurID 700, shown below)use a key fob form factor.With a key fob, the user reads the current tokencode from the display, then enters anRSA SecurID PIN, followed by the tokencode, into the RSA SecurID protectedresource. For example, the user would enter the PIN, followed by the tokencode, into aVPN client logon screen to protect the VPN session.By contrast, RSA SecurID software tokens (RSA SecurID 820) come configured asPINPad tokens by default. PINPad software tokens behave similarly to PINPadhardware tokens, for example, the RSA SecurID 520, shown below.With a PINPad hardware token, the user enters the PIN on the PIN pad and then entersthe resulting passcode into the RSA SecurID protected resource. With PINPadsoftware tokens, the user enters the PIN into the software token app to generate apasscode. The user then enters the passcode into the RSA SecurID protected resource.RSA SecurID software token apps support both PINPad-style and fob-style softwaretokens. If you want to issue fob-style software tokens, you must useRSA Authentication Manager 8.x, RSA Authentication Manager 7.1, or SAE.Note: RSA Self-Service, RSA Credential Manager, and RSA Authentication Manager6.1 (with RSA Authentication Deployment Manager) do not support fob-stylesoftware tokens.1: Overview of RSA SecurID Software Tokens13
RSA SecurID Software Token Deployment Planning GuidePasscode Authentication (PINPad-Style)The following table shows how a user authenticates to a VPN client with aPINPad-style software token (PIN integrated with tokencode).141Enter the PIN in the RSASecurID app on the device.2View the passcode (PINintegrated with the tokencode).3Enter the passcode in theprotected resource (for example,a VPN).1: Overview of RSA SecurID Software Tokens
RSA SecurID Software Token Deployment Planning GuidePasscode Authentication (Fob-Style)The following table shows how a user authenticates to a VPN client with a fob-stylesoftware token (PIN entered in the protected resource followed by the tokencode).1View the tokencode in the RSASecurID app on the device.2Enter the PIN in the protectedresource (for example, a VPN).The PIN in this example is13248675.3Enter the tokencode to the rightof the PIN in the protectedresource (for example, a VPN).1: Overview of RSA SecurID Software Tokens15
RSA SecurID Software Token Deployment Planning GuideManaging the Transition to Software TokensWhen making the transition to using software tokens, consider: How to manage the replacement of users’ hardware tokens with software tokens. Which users and devices to support in your initial software token rollout.Setting Up Software Tokens as Replacement TokensA convenient way to transition to software tokens is to replace users’ hardware tokenswith software tokens as their hardware tokens expire. You can also provision softwaretokens as needed to users who need both types of tokens and to users who have justjoined your organization.When you replace hardware tokens
RSA Security Console Help. Describes day-to-day administration tasks performed in the RSA Security Console interface used with RSA Authentication Manager 8.x or RSA Authentication Manager 7.1. To view Help, click the Help tab in the Security Console. RSA Authentication Manager 6.1 Administrator's Guide. Provides information about how to .
