Experts Say Attack on Crypto Tokens is Serious, But Not Catastrophic

A group of international academic researchers has made a major advance in the efficiency of a known cryptographic attack on some kinds of crypto hardware, enabling them to extract sensitive keys from tokens such as RSA SecurID and Aladdin eToken devices within 20 minutes. However, experts say that the attack does not represent a catastrophic failure for the tokens.

The attack is a complex one that depends upon a number of conditions being present in the crypto hardware. The researchers, who will present their findings at Crypto ’12 in August, were able to improve the efficiency of the padding oracle attack, a known method for obtaining sensitive information from cryptographic hardware or software applications that do crypto operations. The effect of the new improvement on the attack is that an attacker could get a sensitive key used for authentication or encryption.

The attack does not break the RSA algorithm or enable the attacker to get the private half of a public-private keypair. It also doesn’t reveal the seed value for the token that’s used to generate the one-time passwords for tokens such as the RSA SecurID devices.

For the attack to work, the attacker needs a way to reach the token, for example by planting malware on the target machine.

“You need access to the UnwrapKey function. This could be achieved, for example, directly by putting malware on the host machine, or indirectly if the unwrap key functionality is exposed via a network protocol,” the researchers said in an FAQ about the attack. The research was done by Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel and Joe-Kai Tsay.

“The modified version of the Bleichenbacher attack reveals a plaintext encrypted under an RSA key. That plaintext, in the context of the PKCS#11 UnwrapKey command, is a symmetric key. The same attack can also be used to forge a signature, though this takes longer. The Vaudenay CBC attack may reveal either a symmetric key or a private RSA key if it has been exported from a device under a symmetric cipher like AES using CBC_PAD.”

The risk to an enterprise that uses one of the affected tokens–which include RSA SecurID 800 and Aladdin eToken Pro–is dependent upon the application it’s used for, experts say.

“It depends on what the tokens are doing. Some tokens just authenticate you and some hold secrets that are very important,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University. “It’s application-specific. RSA is saying it’s possible, but in their opinion you could only get access to one file. But maybe in other situations it could be much worse.”

The last few years have seen a steady stream of advances in attacks against various cryptographic algorithms, as well as against some common implementations. Green said that while the new improvement on the padding oracle attack may not be a disaster right now, these attacks always get better.

“This is a really nice paper from a research perspective. The improvements they’ve made took it from an academic problem to something you need to worry about,” Green said. “You should not be optimistic about these things. Assume the worst and hope for the best. Enterprises should look very carefully at their deployments and see whether they’re in a situation where this could be an issue.”

Discussion

  • Anonymous on

    This is poo... See RSA's response: please see hxxp://blogs.rsa.com/curry/dont-believe-everything-you-read-your-rsa-securid-token-is-not-cracked/

    "The vulnerability outlined by the researchers makes it possible (however unlikely) that an attacker with access to the user’s smartcard device and the user’s smartcard PIN could gain access to a symmetric key or other encrypted data sent to the smartcard. It does not, however, allow an attacker to compromise private keys stored on the smartcard. Repeat, it does not allow an attacker to compromise private keys stored on the smartcard."

    "This is not a useful attack. The researchers engaged in an academic exercise to point out a specific vulnerability in the protocol, but an attack requires access to the RSA SecurID 800 smartcard (for example, inserted into a compromised machine) and the user’s smartcard PIN. If the attacker has the smart card and PIN, there is no need to perform any attack, so this research adds little additional value as a security finding."

     

    mmmmkay?    Bye bye Now
