
RSA SecurID Cracking Claims ‘Are Codswallop’

The security arm of EMC has hit out at claims its RSA SecurID 800 tokens could be “cracked” within just 13 minutes.

Project Team Prosecco put out some research, claiming it had found a way of gaining protected data from devices like SecurID 800. Other affected devices included Siemens’ CardOS, which was cracked in only 22 minutes.

Team Prosecco claimed to have extracted the data using what is known as a “padding oracle” attack, in which a device’s encrypted key import functions are exploited. In particular, they took advantage of a flaw in a padding standard for RSA encryption – PKCS#1 v1.5 – which is meant to make ciphertexts unpredictable.
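As an added illustration (not from the article, RSA, or the Prosecco researchers), the Python below shows the decoder-side property that makes such an attack possible and the usual mitigation: a PKCS#1 v1.5 unpadder that reports a distinct error for each way a block can be malformed acts as a padding oracle, while an RFC 5246-style unwrap substitutes a fresh random key on any failure so the caller sees the same behaviour either way. The block layout, the 1024-bit key size and all function names are assumptions for the demo; no RSA operation is performed.

```python
import os
import secrets

# Assumed PKCS#1 v1.5 encryption-block layout (type 2) for a 1024-bit modulus:
#   0x00 || 0x02 || PS (at least 8 non-zero random bytes) || 0x00 || M
K = 128  # modulus length in bytes (assumption for the demo)


def pkcs1_v15_pad(msg: bytes, k: int = K) -> bytes:
    """Build an encryption block with a non-zero random padding string."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def leaky_unpad(block: bytes) -> bytes:
    """Naive decoder: every check raises a different, observable error.
    Any behaviour an attacker can tell apart (error text, return code,
    timing) turns the decryptor into a padding oracle."""
    if block[0:2] != b"\x00\x02":
        raise ValueError("bad header")
    sep = block.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return block[sep + 1:]


def observable_outcome(block: bytes) -> str:
    """What an external caller of leaky_unpad can see for a given block."""
    try:
        leaky_unpad(block)
        return "ok"
    except ValueError as exc:
        return str(exc)


def hardened_unwrap(block: bytes, key_len: int) -> bytes:
    """Mitigation in the style of TLS (RFC 5246, 7.4.7.1): never signal a
    padding failure. A malformed block yields a random key of the expected
    length, so the caller cannot distinguish valid from invalid padding.
    (The checks are written without early returns, but Python gives no
    constant-time guarantee; a real implementation needs a lower-level one.)"""
    fallback = os.urandom(key_len)
    sep = block.find(b"\x00", 2)
    ok = block[0:2] == b"\x00\x02"
    ok &= sep >= 10                          # at least 8 bytes of PS
    ok &= len(block) - sep - 1 == key_len    # payload is exactly one key
    return block[sep + 1:] if ok else fallback
```

The same principle is why Green’s advice above is to move away from PKCS#1 v1.5 altogether: OAEP removes the malleable structure rather than merely hiding the error.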

“Due to a perfect storm of (subtle, but not novel) cryptographic flaws, an attacker can extract sensitive keys from several popular cryptographic token devices. This is obviously not good, and it may have big implications for people who depend on tokens for their day-to-day security,” explained Matthew Green, cryptographer and research professor at Johns Hopkins University, in a blog post.

“The more specific (and important) lesson for cryptographic implementers is: if you’re using PKCS#1v1.5 padding for RSA encryption, cut it out.”

Not a ‘useful attack’ on SecurID

Yet RSA has rejected the claims that its token is insecure, saying they were exaggerated. It said “this is not a useful attack”, as it requires access to the RSA SecurID 800 smartcard and the user’s smartcard PIN. If the attacker has those, there is no need to perform an attack at all, the security giant said.

“This is an alarming claim and should rightly concern customers who have deployed the RSA SecurID 800 authenticator. The only problem is that it’s not true,” said CTO for RSA’s identity and data protection business unit, Sam Curry, in a blog post.

“Much of the information being reported overstates the practical implications of the research, and confuses technical language in ways that make it impossible for security practitioners to assess risk associated with the products they use today accurately. The initial result is time wasted by product users and the community at large, determining the true facts of the situation.”

He claimed the research “doesn’t cover any meaningful new ground” and “does not highlight any practical risk” to users of the SecurID 800 product.

“The vulnerability outlined by the researchers makes it possible (however unlikely) that an attacker with access to the user’s smartcard device and the user’s smartcard PIN could gain access to a symmetric key or other encrypted data sent to the smartcard. It does not, however, allow an attacker to compromise private keys stored on the smartcard. Repeat, it does not allow an attacker to compromise private keys stored on the smartcard,” Curry added.

RSA’s SecurID products were in the spotlight last year when attackers managed to compromise the EMC company and steal information relating to the tokens.

Earlier this year, RSA denied there was a flaw with the algorithm for its X.509 public-key certificates, after Swiss researchers claimed a number of RSA public encryption keys offered “no security at all”. They analysed 7.1 million RSA encryption keys and found that 0.02 percent of them were improperly generated.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
