Researchers steal keys from RSA tokens - Update
Researchers have succeeded in determining the secret RSA key from an RSA SecurID 800 Authenticator token in just 13 minutes. The attack – described in the paper "Efficient Padding Oracle Attacks on Cryptographic Hardware" by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay – is in principle nothing new. The researchers achieved this by improving on the "million message attack", also known as the Bleichenbacher attack. Often played down as impractical, this attack, which has been known for more than 10 years, has now become a realistic possibility.
According to the paper, Aladdin eTokenPro, SafeNet's iKey 2032, Gemalto's CyberFlex, Siemens' CardOS and others are also vulnerable to this attack. Such tokens are primarily used for two-factor authentication in environments with high security requirements such as banks and government agencies. Because it is supposed to be impossible to extract the secret key from such a token, it still provides protection even where, for example, the computer on which it is used has been compromised.
The method used is a Padding Oracle Attack – a special case of an adaptive chosen ciphertext attack. It is based on the fact that encryption is always carried out in fixed-length blocks and that the last block generally has to be padded out to this length. If an attacker takes a correctly encrypted message and modifies the padding, the decryption function will generally notice that the padding is invalid and issue an error message, or at least behave differently than it would if the padding were valid. Only rarely will the attacker come up with valid padding by chance. Given enough of these chance hits, an attacker can determine the secret key used for encryption.
Despite the fact that this problem has been known about for several years, many companies are still using the type of padding specified by the RSA PKCS#1 v1.5 standard, which leaves them susceptible to this kind of attack. Cryptography specialist Matthew Green has called for this weak algorithm to finally be retired and replaced with the significantly better RSA-OAEP, used in PKCS#1 versions 2 and later. In a blog posting, he tells companies producing cryptographic systems: "This is the last warning you're going to get."
Update 27-06-12: The SecurID 800 token doesn't simply create one-time passwords like the most widely-used RSA tokens, but also stores certificates and the corresponding keys. An attack could be executed by requesting a copy of the key through the backup API and then re-importing it. The key could be decrypted using a Padding Oracle Attack – which, on average, is successful after less than 10,000 tries – compromising the security of the certificate stored on the token.
Update 27-06-12 20:00: RSA has now taken a position on the report saying that it is not possible to compromise the secret key stored on the token with this attack. See "RSA says that its tokens are secure".