Team Prosecco dismantles security tokens

Jun 27, 2012 by Nancy Owano report
RSA SecurID SID800 Authenticator Token

(Phys.org) -- As password systems alone prove inadequate to protect information on computers against hackers, security customers have taken the advice of vendors to step up to tokens, those online security credentials that add an extra layer of protection at login. The token is designed to generate a six-digit security code that is unique to the person’s credential. The rise of two-factor authentication has been accepted as the way to go for governments and corporations trying to bolster their information security. This week, though, leading token vendors are hearing news they can do without.

An international team of computer scientists figured out how to extract the keys from RSA's SecurID 800 model in as few as thirteen minutes.

The token heists were performed by a group calling themselves Team Prosecco. If they could figure the way to break in so quickly, then that places troubling questions about the efficiency of cryptographic keys being used to log into sensitive corporate and government networks, the kinds of keys stored on “hardened” security devices used by governments and businesses.

One argument often heard among security vendors defending their token systems is that attempts, though possible, would take so long and be so difficult that risks are minimal.

The team reports that their token attack also works against older versions of the Estonian national ID card. In the case of the Estonians ID system, they were able to figure out how to forge a digital signature in about 48 hours.

Their method consisted of both modifying and improving the “Bleichenbacher” attack on RSA PKCS#1v1.5 padding.

Bleichenbacher's padding oracle attack was published in 1998. The method they use is called the “padding oracle attack.” It involves slightly modifying encrypted text thousands of times. If the system views the extra padding as a valid encryption, the attacker learns something about the original text until eventually the whole thing becomes known.

As the researchers report, “We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as aside channel.”

When the oracle (server) responds, it leaks data that may allow attackers to decrypt messages without knowing the encryption key. The team has refined the method to the point where the number of calls is significantly reduced to reveal the key.

The attack also works against other widely used security tokens than just that one particular model, SecurID 800, from RSA. All of the companies involved were notified before the paper was published, says the research team.

RSA's SecurID 800 model took the shortest time to open at thirteen minutes. A device model made by Siemens took 22 minutes. A device model made by Netherlands-based Gemalto took 92 minutes.

The researchers will be describing their successful exploits in a paper presented at the CRYPTO 2012 (the 32nd International Cryptology Conference) in Santa Barbara, California, in August. The accepted paper is titled “Efficient Padding Oracle Attacks on Cryptographic Hardware.” The document is an Inria (the French National Computer Science Research Institute) study.

Not all security watchers, however, are convinced that the study is useful. An RSA blog posting, written by Sam Curry, said "Don't believe everything you read," and that "Your SecurID Token is Not Cracked." He went on to say that "This is not a useful attack. The researchers engaged in an academic exercise to point out a specific vulnerability in the protocol, but an attack requires access to the RSA SecurID 800 smartcard (for example, inserted into a compromised machine) and the user’s smartcard PIN. If the attacker has the smart card and PIN, there is no need to perform any attack, so this research adds little additional value as a finding."

Explore further: LinkedIn membership hits 300 million

Related Stories

RSA Security offers to replace SecurID tokens: WSJ

Jun 07, 2011

US computer security titan RSA Security is offering to replace the SecurID tokens used by millions of corporate workers to securely log on to their computers, The Wall Street Journal reported.

EMC's anti-hacking division hacked

Mar 18, 2011

The world's biggest maker of data storage computers on Thursday said that its security division has been hacked, and that the intruders compromised a widely used technology for preventing computer break-ins.

Security firm learns limits of security tech

Apr 06, 2011

(AP) -- Top-level data breaches often start at the bottom of the ladder. That's a lesson RSA, one of the world's premier computer security firms, learned the hard way.

Recommended for you

LinkedIn membership hits 300 million

8 hours ago

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

14 hours ago

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

18 hours ago

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

M_N
2.3 / 5 (3) Jun 27, 2012
Interesting article, but I agree with Sam Curry that it looks like this isn't a big security risk, since physical access to the token is required.

Still, given the massive security breach at RSA last year, I'd be looking at another provider if I was in charge of IT security in the company I work for...
antialias_physorg
not rated yet Jun 27, 2012
my bad...wrong analysis

But maybe the PIN is enough as you can get the token in the image for 825 dollars on Amazon.

Ginobean
not rated yet Jun 27, 2012
So I think the next step might be to simulate the case where a hacker has physical access to the secure card, but doesn't have the PIN. How long would it take the hacker to duplicate that secure card and discover the PIN ? I am thinking of a real-world scenario where a compromised employee may have access to someone else's secure card for a limited amount of time (e.g. someone leaving their secure card on their desk at work).
antialias_physorg
not rated yet Jun 27, 2012
I once used a similar system for VPN access to a client's network. The PIN had 4 digits.

So it would take (worst case) 9999*13 minutes (about 90 days ... or on average 45 days). The really bad thing about these cards (not the one on in the image) was that you typed in the PIN on a number field on the card. After about a week of usage it became blindingly obvious which digits were part of your key (so in this case the number of possible PINs was reduced to 24 - making it possible to break the code via the above algorithm, on average, in 2.5 hours.)

More news stories

LinkedIn membership hits 300 million

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Impact glass stores biodata for millions of years

(Phys.org) —Bits of plant life encapsulated in molten glass by asteroid and comet impacts millions of years ago give geologists information about climate and life forms on the ancient Earth. Scientists ...