RSA tokens 'broken' in 13 minutes

 

The fragility of authentication tokens against established attack vectors has been detailed.

 

The group are to present a paper on the subject at the Crypto 2012 conference in August in Santa Barbara, California. They also confirmed that the SecurID 800 and other tokens can be broken.

The paper, authored by Team Prosecco (Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel and Joe-Kai Tsay), detailed a demonstration of how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key.

These attacks were padding oracle attacks, which rely on a side channel that lets the user see whether a decryption has succeeded or not.

“In the asymmetric encryption case, we modify and improve Bleichenbacher's attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the ‘million message attack’. For the symmetric case, we adapt Vaudenay's CBC attack, which is already highly efficient,” the paper read.

The group said that the way the C_UnwrapKey command from the PKCS#11 standard is implemented on many devices allows an ‘especially powerful error oracle’ that further reduces the complexity of the Bleichenbacher attack.

“In the worst case, we found devices for which our algorithm requires a median of only 3800 oracle calls to determine the value of the imported key. Vulnerable devices include eID cards, smartcards and USB tokens,” it said.

“While some theoreticians find the lack of a security proof sufficient grounds for rejecting a scheme, some practitioners find the absence of practical attacks sufficient grounds for continuing to use it. We hope that the new results with our modified algorithm will prompt editors to reconsider the inclusion of PKCS#1 v1.5 in contemporary standards such as PKCS#11.”

The group also looked at SafeNet's Aladdin eTokenPro and iKey 2032, the CyberFlex from Gemalto and Siemens' CardOS. The Siemens device took 22 minutes to crack, while the Gemalto device took 89 minutes.

These companies were notified of the research. RSA recognised that an attacker can obtain the corresponding plaintext through a padding oracle attack against RSA SecurID faster than would be possible with a standard Bleichenbacher attack.

Siemens has also recognised the flaws and said that, in the most recent version, it has fixed the verification of the padding and added a check of the obtained plaintext with respect to the given key template.
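The two checks in the Siemens fix (strict padding verification and a check of the plaintext against the key template) are sketched below next to a lax unwrap that reports a distinct error for each failed step. This is an added example, not code from the paper or from any vendor: the function names, the 32-byte block size and the sample blocks are constructed, the functions work on an already-decrypted block, and the single uniform error is a general hardening measure assumed here rather than one the article attributes to Siemens.

```python
# Added example: operates on the block left after RSA decryption (no RSA here).
class UnwrapError(Exception):
    """One uniform failure for every unwrap problem."""

def unwrap_leaky(em: bytes, k: int, template_len: int) -> bytes:
    # Lax checks (block length k is never verified) and a distinct error per
    # failed step: the caller learns which check failed, an error oracle.
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding header")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no separator")
    if len(em) - sep - 1 != template_len:
        raise ValueError("wrong key length")
    return em[sep + 1:]

def unwrap_hardened(em: bytes, k: int, template_len: int) -> bytes:
    # Full EME-PKCS1-v1_5 decoding check (RFC 8017, section 7.2.2) plus the
    # key-template length check; every failure raises the same error.
    # Not constant-time: timing behaviour is outside this sketch.
    ok = len(em) == k and k >= 11 and em[0] == 0x00 and em[1] == 0x02
    sep = em.find(b"\x00", 2) if ok else -1
    ok = ok and sep >= 10                          # at least 8 non-zero padding bytes
    ok = ok and len(em) - sep - 1 == template_len  # matches the key template
    if not ok:
        raise UnwrapError("unwrap failed")
    return em[sep + 1:]

def failure(fn, em, k, template_len):
    """Return the error text a caller would see, or None on success."""
    try:
        fn(em, k, template_len)
        return None
    except (ValueError, UnwrapError) as exc:
        return str(exc)

# Constructed sample blocks for k = 32 and a 16-byte key template.
KEY = bytes(range(1, 17))
GOOD = b"\x00\x02" + b"\xaa" * 13 + b"\x00" + KEY
BAD_HEADER = b"\x00\x01" + GOOD[2:]
NO_SEP = b"\x00\x02" + b"\xaa" * 30
WRONG_LEN = b"\x00\x02" + b"\xaa" * 21 + b"\x00" + KEY[:8]
SHORT_PAD = b"\x00\x02" + b"\xaa" * 3 + b"\x00" + KEY   # only 3 padding bytes

if __name__ == "__main__":
    for em in (BAD_HEADER, NO_SEP, WRONG_LEN, SHORT_PAD, GOOD):
        print(failure(unwrap_leaky, em, 32, 16), "|", failure(unwrap_hardened, em, 32, 16))
```

A uniform error still leaves the success-or-failure signal in place; the stricter checks only shrink the set of ciphertexts that succeed.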

The group also found that the attacks were effective against the Estonian electronic identification cards, and said that it plans to test Hardware Security Modules (HSMs) soon.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition

