Team Prosecco dismantles security tokens

Jun 27, 2012 by Nancy Owano
RSA SecurID SID800 Authenticator Token

(Phys.org) -- As password systems alone prove inadequate to protect information on computers against hackers, security customers have taken the advice of vendors to step up to tokens, those online security credentials that add an extra layer of protection at login. The token is designed to generate a six-digit security code that is unique to the person’s credential. The rise of two-factor authentication has been accepted as the way to go for governments and corporations trying to bolster their information security. This week, though, leading token vendors are hearing news they can do without.

An international team of computer scientists figured out how to extract the keys from RSA's SecurID 800 model in as few as thirteen minutes.

The token heists were performed by a group calling themselves Team Prosecco. If they could figure out how to break in so quickly, that raises troubling questions about the effectiveness of cryptographic keys used to log into sensitive corporate and government networks, the kinds of keys stored on “hardened” security devices used by governments and businesses.

One argument often heard among security vendors defending their token systems is that attempts, though possible, would take so long and be so difficult that risks are minimal.

The team reports that their token attack also works against older versions of the Estonian national ID card. In the case of the Estonian ID system, they were able to forge a digital signature in about 48 hours.

Their method consisted of both modifying and improving the “Bleichenbacher” attack on RSA PKCS#1v1.5 padding.

Bleichenbacher's padding oracle attack was published in 1998. The method the team uses is a “padding oracle attack.” It involves slightly modifying the encrypted text thousands of times and submitting each version to the device. Each time the device accepts a modified ciphertext as correctly padded, the attacker learns something about the original plaintext, until eventually the whole thing becomes known.

As the researchers report, “We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel.”

When the oracle (the device or server) responds, its answer leaks data that may allow attackers to decrypt messages without knowing the secret key. The team has refined the method so that the number of oracle calls needed to reveal the key is significantly reduced.
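As an added illustration (not code from the paper or from any vendor), the following Python sketch shows the padding check a PKCS#1 v1.5 key-import function performs, why reporting each failure distinctly is the side channel the article describes, and the uniform-response mitigation. The block size, sample blocks and key length are constructed toy values.

```python
import os

def pkcs1_v15_unpad(em: bytes, k: int) -> bytes:
    """Parse a PKCS#1 v1.5 type-2 block 0x00||0x02||PS||0x00||M (PS >= 8 non-zero
    bytes). Each failure raises a *distinct* message, which is what an oracle leaks."""
    if len(em) != k:
        raise ValueError("wrong length")
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)          # first 0x00 after the two header bytes
    if sep < 0:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]

def leaky_import(em: bytes, k: int) -> str:
    """Device behaviour the article describes: the error names which check failed."""
    try:
        pkcs1_v15_unpad(em, k)
        return "OK"
    except ValueError as e:
        return "ERROR: " + str(e)

def uniform_import(em: bytes, k: int, key_len: int) -> tuple:
    """Mitigation (the approach TLS takes for RSA key transport): never report a
    padding failure; on any failure substitute random key material of the expected
    length, so every submitted block yields the same status code."""
    try:
        key = pkcs1_v15_unpad(em, k)
        if len(key) != key_len:
            raise ValueError("unexpected key length")
    except ValueError:
        key = os.urandom(key_len)
    return ("OK", key)

def observed_responses(oracle, blocks) -> set:
    """How many distinguishable answers an attacker collects from the given blocks."""
    return {oracle(b) for b in blocks}

# Constructed toy values: a real 1024-bit key gives k = 128, not 16.
K, KEY_LEN = 16, 4
GOOD = b"\x00\x02" + b"\x01" * 9 + b"\x00" + b"\xaa\xbb\xcc\xdd"
SAMPLES = [
    GOOD,
    b"\x00\x01" + GOOD[2:],                                # bad block type
    b"\x00\x02" + b"\x01" * 14,                            # no separator
    b"\x00\x02" + b"\x01" * 3 + b"\x00" + b"\xff" * 10,    # PS too short
    GOOD + b"\x00",                                        # wrong length
]
```

The uniform status closes only the error-message channel; timing must also be constant, and an import format with integrity protection (RSA-OAEP or an authenticated key wrap) removes the oracle altogether.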

The attack also works against other widely used security tokens, not just the SecurID 800 from RSA. All of the companies involved were notified before the paper was published, the research team says.

RSA's SecurID 800 model took the shortest time to open at thirteen minutes. A device model made by Siemens took 22 minutes. A device model made by Netherlands-based Gemalto took 92 minutes.

The researchers will be describing their successful exploits in a paper presented at the CRYPTO 2012 (the 32nd International Cryptology Conference) in Santa Barbara, California, in August. The accepted paper is titled “Efficient Padding Oracle Attacks on Cryptographic Hardware.” The document is an Inria (the French National Computer Science Research Institute) study.

Not all security watchers, however, are convinced that the study is useful. An RSA blog posting, written by Sam Curry, said "Don't believe everything you read," and that "Your SecurID Token is Not Cracked." He went on to say that "This is not a useful attack. The researchers engaged in an academic exercise to point out a specific vulnerability in the protocol, but an attack requires access to the RSA SecurID 800 smartcard (for example, inserted into a compromised machine) and the user’s smartcard PIN. If the attacker has the smart card and PIN, there is no need to perform any attack, so this research adds little additional value as a finding."


User comments: 4

M_N
2.3 / 5 (3) Jun 27, 2012
Interesting article, but I agree with Sam Curry that it looks like this isn't a big security risk, since physical access to the token is required.

Still, given the massive security breach at RSA last year, I'd be looking at another provider if I was in charge of IT security in the company I work for...
antialias_physorg
not rated yet Jun 27, 2012
my bad...wrong analysis

But maybe the PIN is enough as you can get the token in the image for 825 dollars on Amazon.

Ginobean
not rated yet Jun 27, 2012
So I think the next step might be to simulate the case where a hacker has physical access to the secure card, but doesn't have the PIN. How long would it take the hacker to duplicate that secure card and discover the PIN? I am thinking of a real-world scenario where a compromised employee may have access to someone else's secure card for a limited amount of time (e.g. someone leaving their secure card on their desk at work).
antialias_physorg
not rated yet Jun 27, 2012
I once used a similar system for VPN access to a client's network. The PIN had 4 digits.

So it would take (worst case) 9999*13 minutes (about 90 days ... or on average 45 days). The really bad thing about these cards (not the one in the image) was that you typed in the PIN on a number field on the card. After about a week of usage it became blindingly obvious which digits were part of your key (so in this case the number of possible PINs was reduced to 24 - making it possible to break the code via the above algorithm, on average, in 2.5 hours.)