RSA tokens 'broken' in 13 minutes

Powered by SC Magazine
 

The fragility of authentication tokens against established attack vectors has been detailed.

 

The group are to present a paper on the subject at the Crypto 2012 conference in August in Santa Barbara, California. They also confirmed that the SecurID 800 and other tokens can be broken.

The paper, authored by Team Prosecco (Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel and Joe-Kai Tsay), detailed a demonstration of how to exploit the encrypted key import functions of a variety of cryptographic devices to reveal the imported key.

These attacks were padding oracle attacks, which rely on a side channel that lets the user see whether a decryption has succeeded or not.

“In the asymmetric encryption case, we modify and improve Bleichenbacher's attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the ‘million message attack’. For the symmetric case, we adapt Vaudenay's CBC attack, which is already highly efficient,” the paper read.

The group said that the way the C_UnwrapKey command from the PKCS#11 standard is implemented on many devices allows an ‘especially powerful error oracle’ that further reduces the complexity of the Bleichenbacher attack.

“In the worst case, we found devices for which our algorithm requires a median of only 3800 oracle calls to determine the value of the imported key. Vulnerable devices include eID cards, smartcards and USB tokens,” it said.

“While some theoreticians find the lack of a security proof sufficient grounds for rejecting a scheme, some practitioners find the absence of practical attacks sufficient grounds for continuing to use it. We hope that the new results with our modified algorithm will prompt editors to reconsider the inclusion of PKCS#1 v1.5 in contemporary standards such as PKCS#11.”

The group also looked at SafeNet's Aladdin eTokenPro and iKey 2032, the CyberFlex from Gemalto and Siemens' CardOS. The Siemens device took 22 minutes to crack, while the Gemalto device took 89 minutes.

These companies were notified of the research. RSA recognised that an attacker can obtain the corresponding plaintext through a padding oracle attack against RSA SecurID faster than would be possible with a standard Bleichenbacher attack.

Siemens has also recognised the flaws and it said that it has fixed the verification of the padding and added a check of the obtained plaintext with respect to the given key template in the most recent version.
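The following Python sketch is an added example, not code from the paper, the article or any vendor. It contrasts a PKCS#1 v1.5 unwrap check whose distinct error results form the kind of error oracle described above with a stricter check of the kind Siemens describes (padding verified, plaintext length checked against the key template). The function names, error strings and sample blocks are assumptions made for illustration.

```python
import hmac

# Layout after RSA decryption (PKCS#1 v1.5 encryption block):
#   0x00 0x02 <at least 8 nonzero padding bytes> 0x00 <payload>

def unpad_leaky(em: bytes):
    """Early-exit parser: each failure reason is a separate observable outcome."""
    if em[0] != 0x00:
        return None, "bad_first_byte"
    if em[1] != 0x02:
        return None, "bad_block_type"
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return None, "no_separator"
    if sep < 10:
        return None, "padding_too_short"
    return em[sep + 1:], None  # payload length is never checked

def unwrap_strict(em: bytes, template_key_len: int):
    """Runs every check, then reports the key or one generic failure."""
    ok = hmac.compare_digest(em[:2], b"\x00\x02")
    sep = em.find(b"\x00", 2)
    ok &= sep >= 10
    payload = em[sep + 1:] if sep >= 10 else b""
    ok &= len(payload) == template_key_len  # check against the key template
    return (payload, None) if ok else (None, "unwrap_failed")

def outcomes(fn, samples):
    """Set of distinct results a caller can tell apart across the samples."""
    return {fn(em)[1] for em in samples}

# Constructed 64-byte blocks (hypothetical, not real device traffic).
GOOD = b"\x00\x02" + b"\xaa" * 45 + b"\x00" + b"K" * 16
WRONG_LEN = b"\x00\x02" + b"\xaa" * 29 + b"\x00" + b"K" * 32
SAMPLES = [
    GOOD,
    WRONG_LEN,
    b"\x01\x02" + GOOD[2:],
    b"\x00\x01" + GOOD[2:],
    b"\x00\x02" + b"\xaa" * 62,
    b"\x00\x02" + b"\xaa" * 4 + b"\x00" + b"K" * 57,
]

if __name__ == "__main__":
    print("leaky :", sorted(map(str, outcomes(unpad_leaky, SAMPLES))))
    print("strict:", sorted(map(str, outcomes(lambda em: unwrap_strict(em, 16), SAMPLES))))
```

The strict version still lets the caller see one success/failure bit; the authors' quoted recommendation is to reconsider PKCS#1 v1.5 in standards such as PKCS#11.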

The group also found that the attacks were effective against the Estonian electronic identification cards, and said that it plans to test Hardware Security Modules (HSMs) soon.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition

