Latest news
According to the paper they are scheduled to present this August at the CRYPTO 2012 conference, what makes these exploits extremely usable is the time it takes them to extract the needed information: 13 minutes.
As they pointed out, the attacks are efficient enough to be practical.
"The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel," they explained.
"In the asymmetric encryption case, we modify and improve Bleichenbacher’s attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the ‘million message attack’ in a mean of 49 000 and median of 14 500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024 bit key (the original algorithm takes a mean of 215 000 and a median of 163 000 in the same case)."
"We show how implementation details of certain devices admit an attack that requires only 9 400 operations on average (3 800 median). For the symmetric case, we adapt Vaudenay’s CBC attack, which is already highly efficient."
Among the other vulnerable devices are SafeNet's iKey 2032 and Aladdin eTokenPro, Siemens' CardOS (it takes 22 minutes to open it), and Gemalto's CyberFlex (92 minutes). Also vulnerable is the Estonian electronic ID Card, which contains two RSA key pairs.
According to the NYT, RSA's spokesman Kevin Kempskie said that the company's researchers are looking into the claims. “If there is a potential serious security vulnerability or threat to our customers, RSA will move quickly to address it," he said.
According to the researchers, Siemens has recognized the flaws and fixed some of them in the most recent version of their product. SafeNet is working on fixing some of them. The Estonian Certification Center said that as the authentication certificate is mainly used for authentication with SSL, and that their attack would be too slow to forge an SSL client response before a server timeout.
Spotlight
Is it time to professionalize information security?
Posted on 23 May 2013. | The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate.
Review: Logging and Log Management
Posted on 22 May 2013. | Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties.
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
