
Scientists crack RSA SecurID 800 tokens, steal cryptographic keys - alsothings
http://arstechnica.com/security/2012/06/securid-crypto-attack-steals-keys/
======
moonboots
Direct link to researcher's blog post about the exploit:
[http://blog.cryptographyengineering.com/2012/06/bad-couple-o...](http://blog.cryptographyengineering.com/2012/06/bad-couple-of-years-for-cryptographic.html)

~~~
siculars
"... The 'best practice' in implementing RSA is: don't implement RSA. Other
people have done it better than you can. Go find a good implementation of RSA-
OAEP and use that. End of story..."

~~~
dchest
Is there a reason why people still use RSA instead of ECC?

~~~
tptacek
No; ECC is better. But as an implementor, if you're hoping to DIY, you're even
worse off with ECC than with RSA; there are more parameters and validation
steps you can get wrong with ECC that will result in a flawed implementation.

The security of these hardware devices is not tied to the RSA algorithm per
se. The devices might not be more resilient against these attacks simply by
using ECC instead of RSA.

Either way: don't implement RSA or ECC yourself. Use something like PGP/GPG.

~~~
sandGorgon
(warning: noob alert) just out of curiosity, is there an open source
implementation of a SecurID-like server/client?

I'm not even sure what the encryption technology is called, but it would be
very cool to play with.

~~~
icebraining
OATH is the competing open standard to SecurID, as far as I know, and there's
plenty of code that supports it. It's also what the Gmail 2FA and Google
Authenticator are based on (so you can use any OATH client to authenticate to
Gmail).

------
andrewaylett
Note that this is the 800 token, with a USB port, and it's the USB bit that's
been broken, not the six-digit ID part that people usually associate with
SecurID. My understanding is that the USB port enables the token to sign data
on demand, and it's this signing key that's been compromised -- not just for
SecurID, but for a whole range of similar encryption tokens.

~~~
regularfry
I don't know how these things work. Is the generator for the six-digit string
related to the signing key?

~~~
astral303
No, those two functions are unrelated. It's a two-in-one: smart card w/
signing key and one-time-password token.

------
ajross
The title is correct, but misleading if you don't know the product. "RSA
SecurID" is the name of a two-factor authentication product from RSA Security.
This isn't a crack of RSA, what they did is pull private keys out of a
"secure" device.

( _Edit: never mind, it looks like it's a chosen plaintext attack against the
RSA on the device, not a direct hack. So yeah, this is cryptographically
impressive. It looks like they're exploiting a bad padding protocol?_ )

~~~
tptacek
They're relying on two classic attacks, one on AES-CBC and one on RSA with
PKCS1.5 padding.

The former is probably the best known cryptanalytic attack in the world (it's
the one Thai Duong and Juliano Rizzo used against J2EE and .NET 2 years ago,
and there are publicly available attack tools that will attempt to exploit it
against arbitrary targets).

The latter is Bleichenbacher's, very well known in the literature but not
widely exploited (this is a crypto attack that involves some linear algebra).

The rough sketch of both attacks is similar. It exploits a target that holds a
secret key and reacts to arbitrary attacker-chosen messages. The attacker has
no knowledge of the key, but might have knowledge of a known-good message. The
attacker modifies the message in targeted ways and sends to the target; the
target attempts to decrypt the message; the decryption goes haywire (because
the attacker has modified the message without knowing the key); the target's
behavior changes visibly as a result of the decryption going haywire.

The attacker knows (1) the nature of the targeted change they made, and (2)
whether or not the target reacted weirdly (raised an error, took longer to
respond, failed to respond).

The attacker continues changing messages and collecting 2-tuples of [change,
result]. The whole cryptographic attack then analyzes the list of 2-tuples and
from it discerns some secret.
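
To make the "visible reaction" pattern sketched above concrete, here is an added Python example (not code from the thread, from the paper, or from RSA's product) of the CBC/PKCS#7 side of it, written from the defender's side: a MAC-then-encrypt decryptor that checks padding before the MAC and reports the two failures differently, next to an encrypt-then-MAC decryptor that verifies the tag first and fails uniformly. The probe flips the last byte of the block preceding the final ciphertext block through all 255 other values and records which failure types each decryptor exposes. The block cipher is a constructed toy Feistel network standing in for AES so the example runs offline, and the keys, IV and message are constructed values.

```python
import hashlib
import hmac

BLOCK, HALF, TAG = 16, 8, 32   # block size, Feistel half size, HMAC-SHA256 tag length

class PaddingError(Exception): pass   # vulnerable decryptor: PKCS#7 padding malformed
class MacError(Exception): pass       # vulnerable decryptor: padding fine, MAC wrong
class AuthError(Exception): pass      # hardened decryptor: its single failure mode

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Round function of the constructed toy cipher (SHA-256 used as a keyed PRF).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def toy_block_encrypt(key, block):
    # 4-round Feistel network: a constructed stand-in for AES so this runs offline.
    # Not a secure cipher; only its invertibility matters for the demonstration.
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def toy_block_decrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or n > len(data) or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, block), prev)
        prev = block
    return out

def vulnerable_encrypt(enc_key, mac_key, iv, msg):
    # MAC-then-encrypt: the tag travels inside the padded plaintext.
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return cbc_encrypt(enc_key, iv, pkcs7_pad(msg + tag))

def vulnerable_decrypt(enc_key, mac_key, iv, ct):
    data = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))  # PaddingError here is the oracle
    msg, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        raise MacError("bad mac")                      # a second, distinguishable failure
    return msg

def hardened_encrypt(enc_key, mac_key, iv, msg):
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so tampering is rejected
    # before any block is decrypted or any padding byte is inspected.
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def hardened_decrypt(enc_key, mac_key, iv, blob):
    ct, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise AuthError("authentication failed")       # the only failure ever exposed
    return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))   # padding is authentic by now

def probe(decrypt, pos, blob, enc_key, mac_key, iv):
    """Set byte `pos` of `blob` to each of its 255 other values and collect the
    distinct outcomes the decryptor exposes to whoever sent the message."""
    seen = set()
    for delta in range(1, 256):
        tampered = bytearray(blob)
        tampered[pos] ^= delta
        try:
            decrypt(enc_key, mac_key, iv, bytes(tampered))
            seen.add("accepted")
        except (PaddingError, MacError, AuthError) as exc:
            seen.add(type(exc).__name__)
    return sorted(seen)

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    iv = bytes(range(BLOCK))   # constructed fixed IV; a real system draws a random one
    msg = b"constructed sample message"
    v_blob = vulnerable_encrypt(enc_key, mac_key, iv, msg)
    h_blob = hardened_encrypt(enc_key, mac_key, iv, msg)
    # Tamper with the last byte of the block preceding the final cipher block.
    v_pos, h_pos = len(v_blob) - BLOCK - 1, len(h_blob) - TAG - BLOCK - 1
    return {"vulnerable": probe(vulnerable_decrypt, v_pos, v_blob, enc_key, mac_key, iv),
            "hardened": probe(hardened_decrypt, h_pos, h_blob, enc_key, mac_key, iv)}
```

`demo()` returns two distinguishable failure types for the vulnerable decryptor and one for the hardened one. That per-message distinction is exactly the [change, result] tuple the comment above describes, and it is what a decryptor must never hand out: verify authenticity before decrypting, report one failure in constant time, and in practice use an AEAD mode rather than a hand-assembled CBC-plus-MAC. The same discipline applies on the RSA side, where the oracle is PKCS#1 v1.5 padding validity and the recommended replacement is RSA-OAEP.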

~~~
caf
The researchers in this case have actually made a significant improvement to
the Bleichenbacher attack, extending it to use division (multiplication by an
inverse) as well as multiplication as in the classic attack.

------
gouranga
When we start shipping revokable 64gb compressed one time pad data sticks,
I'll have some faith in crypto.

Until then, one eye always open.

~~~
romaniv
I think the motivation behind RSA tokens is that while you can steal them, you
shouldn't be able to silently copy one. That's not something you get with an
OTP on a USB stick, unless you invest into tamper-proof hardware.

Aside from that, I'm not sure why OTPs aren't more commonly used. They're easy
to reason about, and while you still need some protocol to use them correctly,
it would seem that protocol would be much simpler than for fancy crypto like
RSA.

~~~
tedunangst
You would need an OTP for every one you wanted to talk to. If I had an OTP for
every https site I visit, I'd need hundreds. Facebook would need hundreds of
millions. They're not going to be mailing out USB sticks on a weekly basis.

~~~
romaniv
You need an RSA token for each server you talk to as well. It's not a
replacement for asymmetric cryptography.

~~~
tptacek
You'd "need" (in the handwaviest sense, because nobody had designed a crypto
token based on one-time pads here) OTP content for every authentication
_attempt_.

------
zokier
Reducing number of iterations by two orders of magnitude is quite impressive.
But I don't like how one product is singled out when the attack seems rather
generic.

