Thoughts on the RSA SecurID 800 paper

Posted by:

admin 11 years, 9 months ago

The original paper on the attack is Efficient Padding Oracle Attacks on Cryptographic Hardware' by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay> here (pdf). They have combined and optimized a handful of attacks against the PKCS#11 encryption that they claim make it possible to extract the private keys. There is a great summary by Matthew Green from John Hopkins.

First of all, WiKID does not use PKCS#11. We use AES 256 to protect the private keys on the token. Once the token is opened, we encrypt the PIN by the user's private key. We use RSA 2048 bit encryption or equivalent for this. Along with the PIN we also send an one-time use AES 256 key. The WiKID server decrypts the PIN with the user's public key and if all is ok, generates an OTP, encrypts it with the server's private key and the one-time use AES key and returns it to the token. The token decrypts the one-time passcode with the server's public key and the one-time use AES key. Note that for an encryption-based solution, WiKID is pretty damn simple.

The attack is against multi-purpose USB-based tokens. In addition to doing two-factor authentication, these keys can be used to perform smartcard-esque functionality such as unlocking an encrypted hard drive and domain authentication. It is exactly the type of system that information security professionals want: a single tool that encrypts data at rest, performs session security and user authentication. If it had a biometric reader, all the better! Granted, there are situations where that is warranted, but for most organizations it is not and blowing your budget on the "One Tool That Protects from All" is a mistake.

You might be tempted to say "Time to upgrade to a Hardware Security Module". Again, I ask, is that in your budget? And will it secure you? Here's what Matthew Green has to say:

Security through Costliness! Yeah, you may want an HSM, but in the between now and when you get the NoBudgetFantasyLand, what will you do?

Here are my take-aways:

• This is an attack against the smart card functionality. It is not "Two-factor authentication fail" so stop adding pointless mis-information.
• RSA is questioning the usefulness of the attack. They state attacker needs the smartcard and the PIN.
• RSA is also saying "This vulnerability does not yield the private key stored on the smartcard." The researchers state: "we were actually able to execute the attack and extract the correct encrypted key." One of these statements is wrong.
• Things get broken. The real test is how they get fixed.

At the same time, I can't help but think about how small the market for this type of combined two-factor authentication and USB-based smart card must be. How will this help you with BYOD? Your iDevice doesn't have a USB port. Actually, this device won't even work on MacOS or Linux.

• ← I know something that isn't two-factor authentication
• WiKID support for Cloudstack →