The news has created great surprise in the security community: a group of computer scientists has declared that it has cracked the RSA SecurID encryption model.
The news is sensational because of the wide diffusion of the tokens for the implementation of PKI infrastructures in both the private and government sectors. RSA SecurID is a mechanism developed by Security Dynamics (later RSA Security and now RSA, The Security Division of EMC) used to perform two-factor authentication of a user to a network resource.
In the RSA SecurID authentication scheme, a “token”, either hardware (e.g. a USB dongle) or software (a soft token), is assigned to a computer user and generates an authentication code at fixed intervals using a built-in clock and the card’s factory-encoded random key, also called the “seed”. The seed record represents the secret key used to generate one-time passwords.
The seed is unique for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.
The researchers Romain Bardou, Lorenzo Simionato, Graham Steel, Joe-Kai Tsay, Riccardo Focardi and Yusuke Kawamoto have described, in the paper called “Efficient padding oracle attacks on cryptographic hardware,” the vulnerability that exposes the imported keys from various cryptographic devices that rely on the PKCS#11 standard.
The team demonstrated that just 13 minutes are sufficient to crack the device’s encryption. Despite the great noise around the news, the experts of RSA Security have announced that they are verifying the validity of the hack method.
The literature describes an attack method known as the ‘million message attack’ (MMA) to recover a single plaintext (formatted block) given the ciphertext (encrypted block). The attacker first captures the ciphertext in transit and then uses the recipient as an oracle to recover the plaintext by sending transformed versions of the ciphertext and observing the recipient’s response.
Operationally, this attack requires about 2^20 messages and responses, whereas the refined method suggested in the paper improves the algorithm and requires an average of only 9,400 calls to reveal a 1024-bit key; the original algorithm takes a mean of 215 000 queries and a median of 163 000 in the same case.
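The oracle described above exists because the recipient's response differs depending on whether the decrypted block is validly padded. The following sketch is an added example, not code from the paper or from any vendor: it contrasts an unwrap routine that reports padding failures with one that uses implicit rejection, the approach TLS takes for RSA key exchange. All function names, `KEY_LEN`, `REJECT_SECRET` and the sample blocks are hypothetical and constructed for illustration, and the blocks are assumed to be the output of the RSA private-key operation.

```python
import hashlib
import hmac
import os

KEY_LEN = 16                    # assumed length of the wrapped symmetric key
REJECT_SECRET = os.urandom(32)  # device-internal secret, never exported

class PaddingError(Exception):
    """A failure the caller can observe: this is what makes an oracle."""

def parse_pkcs1_v15(em: bytes) -> bytes:
    """Check 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || M, return M."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise PaddingError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 10:                # no separator, or PS shorter than 8 bytes
        raise PaddingError("bad padding string")
    return em[sep + 1:]

def unwrap_leaky(em: bytes) -> bytes:
    """Before: a padding failure is reported to the caller as an error."""
    key = parse_pkcs1_v15(em)
    if len(key) != KEY_LEN:
        raise PaddingError("bad key length")
    return key

def unwrap_hardened(em: bytes) -> bytes:
    """After: every failure yields a pseudo-random key of the right length."""
    fallback = hmac.new(REJECT_SECRET, em, hashlib.sha256).digest()[:KEY_LEN]
    try:
        key = parse_pkcs1_v15(em)
    except PaddingError:
        return fallback
    return key if len(key) == KEY_LEN else fallback

def observable(unwrap, em: bytes) -> str:
    """What the caller of an unwrap function is able to tell apart."""
    try:
        unwrap(em)
        return "ok"
    except PaddingError:
        return "error"

# Constructed 32-byte blocks (not real device output).
GOOD = b"\x00\x02" + b"\xaa" * 13 + b"\x00" + bytes(range(16))
BAD_HEADER = b"\x00\x01" + GOOD[2:]
SHORT_PS = b"\x00\x02" + b"\xaa" * 4 + b"\x00" + bytes(25)
```

Python gives no constant-time guarantees, so this shows only the response-level behaviour; timing differences between the two paths are a separate channel that a real implementation must also close.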
Of course, if confirmed, the vulnerability has a similar impact on other well-known tokens such as SafeNet’s iKey 2032 and Aladdin eTokenPro, Siemens’ CardOS and Gemalto’s CyberFlex (92 minutes). Also vulnerable is the Estonian electronic ID Card, which contains two RSA key pairs.
Today the RSA blog published the article “Don’t Believe Everything You Read…Your RSA SecurID Token is Not Cracked”, which denies the news of the SecurID hack.
The RSA experts explained that it is not possible to exploit the vulnerability outlined by the researchers; according to their specialists, what it makes possible is for an attacker with access to the user’s smartcard device and the user’s smartcard PIN to gain access to a symmetric key or other encrypted data sent to the smartcard.
It does not allow an attacker to compromise private keys stored on the smartcard.
What is true is that the researchers in the paper are exposing a known vulnerability in the PKCS #1 v1.5 padding mechanism, implemented by the vendors Aladdin, Gemalto, RSA, Safenet and Siemens.
The reply provided by RSA follows:
- This research is only related to the smartcard functionality of the RSA SecurID 800 token. This does not impact the One-Time Password (OTP) functionality of the token in any way.
- This does not impact the RSA SecurID 700 or any other RSA SecurID authenticators, including software tokens, apart from the smartcard functionality of the RSA SecurID 800 token as mentioned above.
- This is not a useful attack. The researchers engaged in an academic exercise to point out a specific vulnerability in the protocol, but an attack requires access to the RSA SecurID 800 smartcard (for example, inserted into a compromised machine) and the user’s smartcard PIN. If the attacker has the smart card and PIN, there is no need to perform any attack, so this research adds little additional value as a security finding.
- This vulnerability does not yield the private key stored on the smartcard. The specific vulnerability – if carried to its logical conclusion – cannot lead to successful harvesting of the private key corresponding to the public key in a user’s certificate.
Working in the sector, I must maintain an impartial position; anyway, analyzing the documentation available, it seems that the vulnerability could have an impact on the smartcard functionality of RSA SecurID 800, and I have some doubts regarding the possibility that similar attacks could be carried out with targeted malware to gain access to the token, sniffing for example the PIN using keylogger functionality. In this scenario the attacker can avoid physically stealing the card.
Of course, mine are simple suppositions; the future proof of concept of RSA will clarify.
Time will give us more info!
Pierluigi Paganini