An international team of scientists that goes by the name of “Team Prosecco” claims to have devised attacks that manage to extract the secret cryptographic key from RSA’s SecurID 800 token, as well as many other similar commercial solutions.
According to the paper they are scheduled to present this August at the CRYPTO 2012 conference, what makes these exploits extremely usable is the time it takes them to extract the needed information: 13 minutes.
As they pointed out, the attacks are efficient enough to be practical.
“The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel,” they explained.
“In the asymmetric encryption case, we modify and improve Bleichenbacher’s attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the “million message attack’ in a mean of 49 000 and median of 14 500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024 bit key (the original algorithm takes a mean of 215 000 and a median of 163 000 in the same case).”
“We show how implementation details of certain devices admit an attack that requires only 9 400 operations on average (3 800 median). For the symmetric case, we adapt Vaudenay’s CBC attack, which is already highly efficient.”
Among the other vulnerable devices are SafeNet’s iKey 2032 and Aladdin eTokenPro, Siemens’ CardOS (it takes 22 minutes to open it), and Gemalto’s CyberFlex (92 minutes). Also vulnerable is the Estonian electronic ID Card, which contains two RSA key pairs.
According to the NYT, RSA’s spokesman Kevin Kempskie said that the company’s researchers are looking into the claims. “If there is a potential serious security vulnerability or threat to our customers, RSA will move quickly to address it,” he said.
According to the researchers, Siemens has recognized the flaws and fixed some of them in the most recent version of their product. SafeNet is working on fixing some of them. The Estonian Certification Center said that as the authentication certificate is mainly used for authentication with SSL, and that their attack would be too slow to forge an SSL client response before a server timeout.