A group of international academic researchers has made a major advance in the efficiency of a known cryptographic attack on some kinds of crypto hardware, enabling them to extract sensitive keys from tokens such as RSA SecurID and Aladdin eToken devices within 20 minutes. However, experts say that the attack does not represent a catastrophic failure for the tokens.
The attack is a complex one that depends on a number of conditions being present in the crypto hardware. The researchers, who will present their findings at Crypto ’12 in August, were able to improve the efficiency of the padding oracle attack, a known method for obtaining sensitive information from cryptographic hardware or software applications that perform crypto operations. The practical effect of the improvement is that an attacker can recover a sensitive key used for authentication or encryption.
The attack does not break the RSA algorithm or enable the attacker to get the private half of a public-private keypair. It also doesn’t reveal the seed value that the token uses to generate one-time passwords, as on the RSA SecurID devices.
For the attack to work, the attacker needs access to the token’s key-unwrapping function, which could be obtained by planting malware on the target machine.
“You need access to the UnwrapKey function. This could be achieved, for example, directly by putting malware on the host machine, or indirectly if the unwrap key functionality is exposed via a network protocol,” the researchers said in an FAQ about the attack. The research was done by Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel and Joe-Kai Tsay.
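To make concrete what “access to the UnwrapKey function” gives an attacker, here is an added illustration (not the researchers’ code and not any vendor’s firmware) of the PKCS#1 v1.5 conformance check behind Bleichenbacher’s oracle: the leaky variant answers with a different status for each failure cause, while the hardened variant folds every failure into a single result. The 32-byte block size, the status strings and the sample blocks are all constructed for this example.

```python
"""Toy PKCS#1 v1.5 conformance check: the decision a padding oracle leaks.
Constructed illustration. A real device runs this check on the RSA-decrypted
block inside UnwrapKey; here the decrypted block is passed in directly."""

from typing import Callable, Iterable, Set

K = 32  # constructed modulus size in bytes (a real modulus is 128+ bytes)
KEY_SIZES = (16, 24, 32)  # acceptable unwrapped AES key lengths

def leaky_unwrap(em: bytes) -> str:
    """Distinct status per failure cause: each branch answers an oracle query."""
    if len(em) != K:
        return "ERR_LENGTH"
    if em[0] != 0x00 or em[1] != 0x02:
        return "ERR_BLOCK_TYPE"      # leaks whether the 0x00 0x02 prefix held
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return "ERR_NO_SEPARATOR"    # leaks whether a separator byte exists
    if sep < 10:
        return "ERR_PS_TOO_SHORT"    # leaks that the padding string is < 8 bytes
    if len(em[sep + 1:]) not in KEY_SIZES:
        return "ERR_KEY_SIZE"        # leaks the length of the recovered key
    return "OK"

def uniform_unwrap(em: bytes) -> str:
    """Same acceptance rule, but every failure folds into one status and the
    checks run without early exit, so the response no longer partitions inputs
    (timing side channels need separate treatment and are not shown here)."""
    bad = len(em) != K
    bad |= em[:2] != b"\x00\x02"
    sep = em.find(b"\x00", 2)
    bad |= sep < 10                  # covers 'no separator' (-1) and a short PS
    bad |= len(em[sep + 1:]) not in KEY_SIZES
    return "ERR" if bad else "OK"

def response_classes(unwrap: Callable[[bytes], str], blocks: Iterable[bytes]) -> Set[str]:
    """How many distinguishable answers the check gives over a set of inputs."""
    return {unwrap(b) for b in blocks}

# Constructed blocks: one conformant block plus one per failure cause.
SAMPLES = [
    b"\x00\x02" + b"\x11" * 13 + b"\x00" + b"\xaa" * 16,  # conformant, 16-byte key
    b"\x00\x01" + b"\x11" * 13 + b"\x00" + b"\xaa" * 16,  # wrong block type
    b"\x00\x02" + b"\x11" * 30,                            # no separator byte
    b"\x00\x02" + b"\x11" * 5 + b"\x00" + b"\xaa" * 24,   # padding string too short
    b"\x00\x02" + b"\x11" * 14 + b"\x00" + b"\xaa" * 15,  # unsupported key length
    b"\x00\x02" + b"\x11" * 10,                            # wrong overall length
]
```

Over the six sample blocks the leaky check yields six distinguishable answers and the uniform check only two, which is the property an oracle attack depends on and the property the hardened version removes.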
“The modified version of the Bleichenbacher attack reveals a plaintext encrypted under an RSA key. That plaintext, in the context of the PKCS#11 UnwrapKey command, is a symmetric key. The same attack can also be used to forge a signature, though this takes longer. The Vaudenay CBC attack may reveal either a symmetric key or a private RSA key if it has been exported from a device under a symmetric cipher like AES using
The risk to an enterprise that uses one of the affected tokens (which include the RSA SecurID 800 and Aladdin eToken Pro) depends on the application it’s used for, experts say.
“It depends on what the tokens are doing. Some tokens just authenticate you and some hold secrets that are very important,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University. “It’s application-specific. RSA is saying it’s possible, but in their opinion you could only get access to one file. But maybe in other situations it could be much worse.”
The last few years have seen a steady stream of advances in attacks against various cryptographic algorithms, as well as against some common implementations. Green said that while the new improvement on the padding oracle attack may not be a disaster right now, these attacks always get better.
“This is a really nice paper from a research perspective. The improvements they’ve made took it from an academic problem to something you need to worry about,” Green said. “You should not be optimistic about these things. Assume the worst and hope for the best. Enterprises should look very carefully at their deployments and see whether they’re in a situation where this could be an issue.”