Computer networks, and in particular Wide Area Networks (WANs) such as the Internet, provide opportunities for the misuse and abuse of communications traveling thereover. For example, two users communicating via the WAN may have their communications intercepted and/or altered. Also, it is possible for one user to misrepresent its identity to another user. Thus, there is a need for both privacy and authentication between users of the network communicating with one another.
In many secure communication applications, a key is required in order to perform certain cryptographic operations such as encryption, decryption, authentication, etc. This key is often referred to as a seed. The seed may comprise, by way of example, an asymmetric key, a symmetric key or other secret shared by two or more entities. One such application is an authentication token, such as the RSA SecurID® authentication token commercially available from RSA Security Inc. of Bedford, Mass. The RSA SecurID® authentication token is used to provide two-factor authentication. Authorized users are issued individually-registered tokens that generate single-use token codes. For example, a different token code may be generated every 60 seconds. In a given two-factor authentication session, the user may optionally be required to enter a personal identification number (PIN) plus the current token code from his or her authentication token. This information is supplied to an authentication entity. The authentication entity may be a person, group, or corporation running a server or other processing device equipped with RSA ACE/Server® software, available from RSA Security Inc. The PIN and current token code may be transmitted to the authentication entity via an agent equipped with RSA ACE/Agent® software, also available from RSA Security Inc. If the PIN and current token code are determined to be valid, the user is granted access appropriate to his or her authorization level. Thus, the token codes are like temporary passwords that cannot be guessed by an attacker, with other than a negligible probability.
An RSA SecurID® token typically contains one or more seeds that are utilized in computing the token outputs. The authentication entity performing the validation of the token outputs requires access to one or more seeds associated with the token in question. Typically, such authentication entities have access to the same seed or set of seeds that the token uses to generate its output. Such seed(s) may be programmed into the token at the time of manufacture.