Depois da intrusão que sofreu o ano passado, mais uma má notícia para a RSA, embora os tokens de várias outras empresas também sejam afectados:
Scientists crack RSA SecurID 800 tokens, steal cryptographic keys
"Scientists have devised an attack that takes only minutes to steal
the sensitive cryptographic keys stored on a raft of hardened security
devices that corporations and government organizations use to access
networks, encrypt hard drives, and digitally sign e-mails.
The exploit, described in a paper to be presented at the CRYPTO 2012 conference in August, requires just 13 minutes to extract a secret key from RSA's SecurID 800,
which company marketers hold out as a secure way for employees to store
credentials needed to access confidential virtual private networks,
corporate domains, and other sensitive environments. The attack also
works against other widely used devices, including the electronic
identification cards the government of Estonia requires all citizens 15
years or older to carry, as well as tokens made by a variety of other
Security experts have long recognized the risks of storing sensitive
keys on general purpose computers and servers, because all it takes is a
vulnerability in a single piece of hardware or software for adversaries
to extract the credentials. Instead, companies such as RSA; Belcamp,
Maryland-based SafeNet; and Amsterdam-based Gemalto recommend the use of
special-purpose USB sticks that act as a digital Fort Knox that
employees can use to safeguard their credentials. In theory, keys can't
be removed from the devices except during a highly controlled export
process, in which they're sealed in a cryptographic wrapper that is
impossible for outsiders to remove.
"They're designed specifically to deal with the case where somebody
gets physical access to it or takes control of a computer that has
access to it, and they're still supposed to hang onto their secrets and
be secure," Matthew Green, a professor specializing in cryptography in
the computer science department at Johns Hopkins University, told Ars.
"Here, if the malware is very smart, it can actually extract the keys
out of the token. That's why it's dangerous." Green has blogged about
the attack here.
If devices such as the SecurID 800 are a Fort Knox, the cryptographic
wrapper is like an armored car used to protect the digital asset while
it's in transit. The attack works by repeatedly exploiting a tiny
weakness in the wrapper until its contents are converted into plaintext.
One version of the attack uses an improved variation of a technique
introduced in 1998 that works against keys using the RSA cryptographic
algorithm. By subtly modifying the ciphertext thousands of times and
putting each one through the import process, an attacker can gradually
reveal the underlying plaintext, D. Bleichenbacher, the original
scientist behind the exploit, discovered. Because the technique relies
on "padding" inside the cryptographic envelope to produce clues about
its contents, cryptographers call it a "padding oracle attack." Such
attacks rely on so-called side-channels to see if ciphertext corresponds
to a correctly padded plaintext in a targeted system.
It's this version of the attack the scientists used to extract
private keys stored on RSA's SecurID 800 and many other devices that use
programming interface included in a wide variety of commercial
cryptographic devices. Under the attack Bleichenbacher devised, it took
attackers about 215,000 oracle calls on average to pierce a 1024-bit
cryptographic wrapper. That required enough overhead to prevent the
attack from posing a practical threat against such devices. By modifying
the algorithm used in the original attack, the revised method reduced
the number of calls to just 9,400, requiring only about 13 minutes of
queries, Green said.
Other devices that store RSA keys that are vulnerable to the same attack include the Aladdin eTokenPro and iKey 2032 made by SafeNet, the CyberFlex manufactured by Gemalto, and Siemens' CardOS, according to the paper.
The researchers also use refinements of an attack introduced in 2002
by Serge Vaudenay that exploits weaknesses in what is known as CBC
padding to extract symmetric keys.
The CRYPTO 2012 paper is the latest research to demonstrate serious
weaknesses in devices that large numbers of organizations rely on to
secure digital certificates. In 2008, a team of hardware engineers and
cryptographers cracked the encryption in the Mifare Classic,
a wireless card used by transit operators and other organizations in
the public and private sectors to control physical access to buildings.
Netherlands-based manufacturer NXP Semiconductors said at the time it
had sold 1 billion to 2 billion of the devices. Since then, crypto in a
steady stream of other devices, including the Keeloq security system and the MiFare DESFire MF3ICD40, has also been seriously compromised.
The latest research comes after RSA warned last year that the
effectiveness of the SecurID system its customers use to secure
corporate and governmental networks was compromised after hackers broke into RSA networks and stole confidential information concerning the two-factor authentication product. Not long after that, military contractor Lockheed Martin revealed a breach it said was aided by the theft of that confidential RSA data.
RSA didn't return e-mails seeking comment for this article. According
to the researchers, RSA officials are aware of the attacks first
described by Bleichenbacher and are planning a fix. SafeNet and Siemens
are also in the process of fixing the flaws, they said. The researchers
also reported that Estonian officials have said the attack is too slow
to be practical."