Scientists Can Now Crack SecurID Tokens in 13 Minutes

For years now, major corporations and government entities have relied on secure tokens — small USB devices that display a login code and store passwords — to keep their secrets safe. However, these devices have always had problems. Now, a new research paper demonstrates that under the right conditions, these tokens can be cracked in minutes.

At issue are devices which actually store password and certificate data — so, admittedly, not like the one pictured above, but similar. We’ve written about how similar devices have been compromised before, but in that scenario the hackers went after the supplier of the login info. This new paper, innocuously titled Efficient Padding Oracle Attacks on Cryptographic Hardware by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay, takes a completely different approach.

Here’s how crypto researcher Matthew Green describes it on his blog:

Here’s the postage stamp version: due to a perfect storm of (subtle, but not novel) cryptographic flaws, an attacker can extract sensitive keys from several popular cryptographic token devices. This is obviously not good, and it may have big implications for people who depend on tokens for their day-to-day security. […] The more specific (and important) lesson for cryptographic implementers is: if you’re using PKCS#1v1.5 padding for RSA encryption, cut it out. Really. This is the last warning you’re going to get.

Here’s more or less how it works: Though certificate and password information is safe inside the USB device, it does have to send that information out for importing, exporting, and back-up purposes. To do this, the device uses an encrypted wrapper to secure the information in transit. Inside that wrapping is the secured information, along with some padding. By looking at errors, or even slight time delays, in how that padding is checked once it leaves the token, the researchers were able to learn a lot about the encrypted contents.

This means of attack, called a “padding oracle attack,” isn’t exactly new. In fact, it’s been around for over a decade. However, it previously required millions of attempts to crack a 1024-bit encrypted wrapper. Because the tokens are slow to process the information being pelted at them by attackers, the time taken to actually successfully execute the attack had been outside the realm of feasibility.
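To make the “padding oracle” concrete, here is an added illustration (not code from the paper, from RSA, or from Matthew Green’s blog) of the PKCS#1 v1.5 wrapper format the article is talking about, with the two behaviours that matter side by side: a checker that reports a different error for each way the padding can be wrong, which is the oracle an attacker listens to, and a hardened checker that examines every byte and reports one uniform failure. The block is a toy: it works on the padded block directly rather than through RSA, the modulus size `K`, the key size `KEY_LEN`, and the malformed sample blocks are constructed for the example, and Python cannot promise constant time, so the point is the structure of the check rather than its timing.

```python
import os

# Constructed toy parameters: K is the RSA modulus length in bytes (128 for
# the 1024-bit wrappers the article mentions); KEY_LEN is a hypothetical
# wrapped-key size (a 128-bit symmetric key). Neither comes from the paper.
K = 128
KEY_LEN = 16


def pkcs1_v15_pad(message: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 (RFC 3447): 0x00 0x02 || PS || 0x00 || M, PS random non-zero, len(PS) >= 8."""
    if len(message) > k - 11:
        raise ValueError("message too long for modulus")
    ps_len = k - len(message) - 3
    ps = bytearray()
    while len(ps) < ps_len:
        # Zero bytes are dropped: the single 0x00 after PS is the separator.
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


class BadBlockType(ValueError): ...
class MissingSeparator(ValueError): ...
class ShortPadding(ValueError): ...


def unpad_leaky(em: bytes) -> bytes:
    """The padding oracle: a distinct error per failure, and an early return.

    Anyone who can submit blocks and observe which error (or how quickly it)
    comes back learns whether the block began with 00 02. That single bit,
    collected over many submissions, is what the attack in the article uses.
    """
    if em[:2] != b"\x00\x02":
        raise BadBlockType("block does not start with 00 02")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise MissingSeparator("no 00 separator after padding string")
    if sep - 2 < 8:
        raise ShortPadding("padding string shorter than 8 bytes")
    return em[sep + 1:]


def unpad_uniform(em: bytes, m_len: int = KEY_LEN) -> tuple[bool, bytes]:
    """Hardened check: one failure signal, every byte examined, no early exit.

    Assumes the wrapped message has a known fixed length (true for key
    wrapping), so the separator position is fixed and length is not a signal.
    The work done does not depend on which check fails.
    """
    sep = len(em) - m_len - 1
    bad = (em[0] != 0x00) | (em[1] != 0x02)
    for i in range(2, sep):
        bad |= (em[i] == 0x00)        # PS must contain no zero byte
    bad |= (em[sep] != 0x00)          # the separator must be zero
    bad |= (sep - 2 < 8)              # PS must be at least 8 bytes
    # Always hand back a message-sized buffer; on failure the caller
    # substitutes a random key instead of reporting which check failed.
    return (not bad), em[sep + 1:]


def compare_oracles() -> tuple[set[str], set[bool]]:
    """Feed the same constructed malformed blocks to both checkers and collect what each reveals."""
    good = pkcs1_v15_pad(b"K" * KEY_LEN)
    malformed = [
        b"\x00\x01" + good[2:],                          # wrong block type
        b"\x00\x02" + b"\xff" * (K - 2),                 # no separator at all
        b"\x00\x02" + b"\xff" * 3 + b"\x00" + good[6:],  # separator too early
    ]
    leaky_signals: set[str] = set()
    for em in malformed:
        try:
            unpad_leaky(em)
        except ValueError as err:
            leaky_signals.add(type(err).__name__)
    uniform_signals = {unpad_uniform(em)[0] for em in malformed}
    return leaky_signals, uniform_signals


if __name__ == "__main__":
    leaky, uniform = compare_oracles()
    print("leaky checker distinguishes:", sorted(leaky))   # three different errors
    print("uniform checker reports:", uniform)             # just {False}
```

Running it shows the leaky checker handing back three different error classes for three different malformed blocks, while the hardened checker reports the same single failure for all of them. Uniform errors only close the error channel, not the timing one, and the token firmware in the paper was attacked through both; Green’s advice quoted above is the stronger fix, which is to stop wrapping keys with PKCS#1 v1.5 at all.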

What Bardou and his colleagues did in their research was to dramatically improve the attack, and take advantage of other weaknesses, making it faster. Instead of millions of attempts, it takes merely thousands or tens of thousands of attempts. As you can imagine, this makes cracking a token much faster — in the case of the RSA SecurID 800 tokens, about 13 minutes.

The good news is that right now this exploit is rather complicated, and in the realm of professional research. The bad news is that the devices major corporations and governments rely on to keep their secrets safe aren’t nearly as secure as we once thought. The study will be presented at this year’s CRYPTO conference in August, hopefully giving companies the heads-up they need to make some vital changes.

(Matthew Green, Ars Technica, via Techmeme, image of a SecurID token — though not one involved in the attack — via Mickey Lasky)
