RSA says that its tokens are secure
After a significantly improved attack on crypto hardware made the news, RSA's Sam Curry has said that the affected SecurID 800 token is secure. The token has not been cracked, and the attack is not useful, explained Curry, adding that the attack does not allow private RSA keys to be extracted from the token.
According to the blog post, the attack does not affect tokens for creating one-time passwords. It affects multi-purpose devices with USB connections that, like smartcards, offer key and certificate storage and are capable of encrypting/decrypting data. RSA emphasised that the described attack is not a new one; it is based on a well-known problem and only greatly accelerates previously existing attacks. What the company fails to mention is that, more than ten years after this attack first became known, RSA – like many other crypto hardware manufacturers – is still using the vulnerable PKCS#1 v1.5 standard by default, although the more secure OAEP padding has long been standardised in the follow-up version, PKCS#1 v2.
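To make the contrast between the two padding standards concrete, the following is an added example written for this article; it is not code from RSA, from the token's firmware, or from the researchers. It implements only the message-encoding layer of both schemes as specified in RFC 8017 (EME-PKCS1-v1_5 and EME-OAEP), leaving out the RSA modular exponentiation that wraps it, because the "well-known problem" lives in this layer. It assumes SHA-256 with MGF1 for OAEP and a 1024-bit modulus (k = 128 bytes); both are illustrative choices, not settings taken from the SecurID 800. The point a defender should take from it: PKCS#1 v1.5 decryption ends in a simple structural test on the raw plaintext, and if the yes/no outcome of that test is observable to whoever submits ciphertexts, each answer reveals something about the plaintext. OAEP wraps the message in hash-derived masks before any check runs and collapses all failures into one identical error, which is why it is the recommended default.

```python
import hashlib
import os
from typing import Optional

# Illustrative implementation of the two PKCS#1 message-encoding layers.
# Hash and modulus size are assumptions for the example, not token settings.
HASH = hashlib.sha256
HLEN = HASH().digest_size


def eme_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """RFC 8017 7.2.1: EM = 0x00 || 0x02 || PS || 0x00 || M, PS >= 8 non-zero random bytes."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:
        b = os.urandom(1)
        if b != b"\x00":          # PS must not contain zero bytes
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def eme_pkcs1_v15_conformant(em: bytes, k: int) -> bool:
    """The structural test a PKCS#1 v1.5 decryptor performs on the raw plaintext.
    This boolean is the 'padding oracle': if a caller can learn it for chosen
    ciphertexts, every answer narrows down the plaintext, which is the long-known
    weakness the article refers to."""
    if len(em) != k or em[:2] != b"\x00\x02":
        return False
    sep = em.find(b"\x00", 2)
    return sep != -1 and sep - 2 >= 8


def eme_pkcs1_v15_decode(em: bytes, k: int) -> bytes:
    if not eme_pkcs1_v15_conformant(em, k):
        raise ValueError("decryption error")
    return em[em.index(b"\x00", 2) + 1:]


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 8017 B.2.1) built on SHA-256."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(message: bytes, k: int, label: bytes = b"",
                    seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP (RFC 8017 7.1.1). The message sits under a mask derived from a
    random seed, and the seed under a mask derived from the masked message, so
    the decryptor's checks run on values a ciphertext-submitting party cannot steer.
    'seed' is exposed only so the example can be exercised deterministically."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * HLEN - 2)
    db = lhash + ps + b"\x01" + message
    seed = seed if seed is not None else os.urandom(HLEN)
    masked_db = _xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP decoding (RFC 8017 7.1.2). Every failure condition is folded
    into a single identical error, as the RFC requires, so the caller learns
    only 'decryption error' and not which check failed."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = _xor(masked_seed, mgf1(masked_db, HLEN))
    db = _xor(masked_db, mgf1(seed, k - HLEN - 1))
    lhash = HASH(label).digest()
    sep = db.find(b"\x01", HLEN)
    ok = (y == 0 and db[:HLEN] == lhash and sep != -1
          and all(b == 0 for b in db[HLEN:sep]))
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]


if __name__ == "__main__":
    k = 128                       # assumed 1024-bit modulus, in bytes
    key = b"constructed sample session key"
    print(eme_pkcs1_v15_decode(eme_pkcs1_v15_encode(key, k), k) == key)
    print(eme_oaep_decode(eme_oaep_encode(key, k), k) == key)
```

The practical check this suggests for anyone operating such hardware: look at which mechanism applications and middleware request from the token for wrapping and unwrapping symmetric keys, and prefer the OAEP variant where the device offers it (in PKCS#11 terms, CKM_RSA_PKCS_OAEP rather than CKM_RSA_PKCS). Where v1.5 cannot be avoided, the exposure depends on whether the padding check's outcome reaches the caller at all, so error handling and timing around that call deserve the same scrutiny as the padding choice itself.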
Even the researchers themselves state that the private RSA key on a token that is used to decrypt a message can't be compromised using this attack. Apparently, any reports to this effect (such as the one from The H and heise Security) are based on a misunderstanding. "An attacker with access to the user’s smartcard device and the user’s smartcard PIN could gain access to a symmetric key or other encrypted data sent to the smartcard", said Curry. In their FAQ on the subject, the researchers add the possibility that a private RSA key could be compromised if it was previously exported using symmetric encryption.
Curry also points out that an attacker would need the token itself as well as the PIN to obtain access. However, this doesn't mean that attackers must gain possession of the token; a trojan on an infected PC could use the API functions in the background once the user has entered the PIN to grant access to a legitimate application. Curry adds that in this case, the attack would be unnecessary, alluding to the fact that the attacker could decrypt the required data using the token's functionality.
Opinions differ on the potential risks involved. While RSA has given the all clear, considering the described scenario an "academic exercise" but not a "useful attack", Romain Bardou, one of the authors, explains that he'd like to see RSA taking "the threat more seriously".