RSA Refutes SecurID Vulnerability Claims
“These tokens use PKCS (Public Key Cryptography Standard) #1 v1.5, a type of encryption known to be vulnerable,” said Matthew Green, a Johns Hopkins University cryptographer and professor who posted a blog on the report by European based, Team Prosecco. “You can peel off the encryption and reveal the sensitive information that the encryption is supposed to protect.”
RSA, the division of EMC that manufactures and markets SecurID, counters that argument, saying that, while the report is scientifically interesting, it does not demonstrate a useful attack against their product.
[Related: Malware Based On Zeus And SpyEye Targets Business and High-End Bank Accounts ]
“This is an attack against an industry-standard smart card protocol,” said Dan Schiappa, senior vice president of RSA’s Identity & Data Protection business. “You need physical access to the token, and you need to have the pin which unlocks the credentials to do the attack. But if you have those things, you don’t really need to break into the token. That’s everything you need to gain access legitimately.”
Schiappa also denied that SecurID’s one-time password (OTP) functionality is related to this attack, and he added that the attempted exploit does not enable the device to be cloned, nor does it enable the private key to be extracted.
“They were not able to get the keys, though they were able to get a clear text view of a single transaction, Schiappa said. “They would then need to repeat the 13 minute procedure for each protected file.”
RSA is advising customers to use PKCS #1 v2.0 or OAEP encryption, both of which are already available for the device. PKCS #1 v1.5 is apparently only included for backward compatibility.
“We are happy to respond to any questions that our channel partners might have,” said Joe Gabriel, RSA’s Channel Marketing Director. “The best advice is to adhere to our posted best practices.”
PUBLISHED JULY 27, 2012