Caveat: I am not a cryptology guy and I stopped running a security consulting practice years ago, so feel free to correct my oversimplified illustrations in the comments. Accuracy is important.
This breathless article from Ars Technica declares in large print and with a big picture that the RSA token in your pocket is the proverbial screen door on a submarine when it comes to securing your data. The problem is that it is not true, and the RSA 800 token was only one of eight devices the researchers “tested”. The RSA token is, however, the most handsome of the lot and so received both top billing and a big head shot.
At odds is this paper from a group of researchers calling themselves Project-Team Prosecco (I’m more of a red wine guy, personally). The paper itself is actually not a bad read, but a little helpful spin goes a long way to exaggerating the findings of this very narrowly focused project. What the researchers accomplished was a more efficient method of attacking an already vulnerable, 20-year-old padding mechanism called PKCS #1 v1.5 that, while still in use by some applications, was superseded in 1998 and again in 2002. To recap: it is now 2012, and at least one of the devices tested in this paper supports the newer and not so vulnerable PKCS#1 versions. If I were to let my virus scanning software age for 20 years without so much as an update, you would probably not have sympathy for my many infections. That said, updating your code is tough, so maybe there really is a problem. What exactly is going on here?
What was cool about the analysis was that the team managed to improve the efficiency of a side channel attack called the “Million Message Attack”.
The purpose of the Million Message Attack (MMA) is to recover a single plaintext (formatted block) given the ciphertext (encrypted block). The attacker first captures the ciphertext in transit and then uses the recipient as an oracle to recover the plaintext by sending transformed versions of the ciphertext and observing the recipient’s response.
Think of it (very crudely) like an opaque box we cannot open (the ciphertext) which has something valuable inside it (the plaintext) and some packaging material (some padding, installed by this guy named PKCS). By rapping on the side of the box and listening to the sound it makes we learn something about the padding. Tap the side of the box enough times and we eventually build a picture of the shape of the padding around the valuable thing inside. Take the shape of the box, subtract the shape of the padding and voilà, you know what is inside the box. The thing is, you have to tap the box on average one million times to get that picture, hence the name “Million Message Attack”. These researchers have improved the attack to make it more like a “Tens of Thousands of Messages” gambit. Impressive, but not earth shattering, because other schemes for hiding the shape of the padding have been available for over 10 years.
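To make the “rapping on the box” concrete: the sound the attacker listens for is the recipient’s reaction to the PKCS #1 v1.5 padding check. Below is an added example (my own illustration, not code from the Prosecco paper, from RSA, or from Ars) that builds a v1.5 type 2 block, decodes it the textbook way so that each kind of padding failure produces a different error, and then decodes it the defensive way, where every failure looks the same to the outside world and a random message of the expected length is handed back instead (the countermeasure RFC 5246 section 7.4.7.1 prescribes for TLS). The modulus size k = 64 bytes and the sample message are constructed for the demonstration; no real RSA key is involved, only the padding layer the attack targets.

```python
import secrets


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 type 2 encoding (RFC 8017 section 7.2.1):
    0x00 || 0x02 || PS || 0x00 || M, where PS is at least 8 non-zero random
    bytes and the whole block is k bytes long (k = modulus length in bytes)."""
    if len(message) > k - 11:
        raise ValueError("message too long for modulus size")
    ps_len = k - len(message) - 3
    ps = bytearray()
    while len(ps) < ps_len:
        chunk = secrets.token_bytes(ps_len - len(ps))
        ps.extend(b for b in chunk if b != 0)  # padding bytes must be non-zero
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_v15_unpad_leaky(block: bytes) -> bytes:
    """The textbook decoder. Every kind of failure raises a distinct error and
    stops early. A recipient that reports these (or takes visibly different
    time for each) is the oracle the Million Message Attack rings like a bell."""
    if len(block) < 11:
        raise ValueError("block too short")
    if block[0] != 0x00:
        raise ValueError("bad first byte")
    if block[1] != 0x02:
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding string too short")
    return block[sep + 1:]


def pkcs1_v15_unpad_uniform(block: bytes, k: int, expected_len: int) -> tuple[bool, bytes]:
    """Defensive decoder: every check runs (no early exit), and on any failure
    a random message of the expected length is returned so the caller behaves
    identically on good and bad padding. This only helps when the caller does
    not branch on the returned flag in anything the peer can observe; the flag
    exists here so the example can be checked, not for sending an alert.
    Python cannot promise constant time, so the property shown is uniform
    output, with the timing discipline left to the real implementation."""
    bad = len(block) != k
    block = (block + b"\x00" * k)[:k]        # fixed length so no index below can raise
    bad |= block[0] != 0x00
    bad |= block[1] != 0x02
    sep = -1
    for i in range(2, k):                    # full scan, no early exit
        if sep == -1 and block[i] == 0:
            sep = i
    bad |= sep == -1                         # no separator at all
    bad |= sep != -1 and sep < 10            # fewer than 8 padding bytes
    bad |= k - sep - 1 != expected_len       # message not the size we expect
    if bad:
        return False, secrets.token_bytes(expected_len)
    return True, block[sep + 1:]


def oracle_responses(blocks) -> set:
    """What a sender sees from the leaky decoder: one distinct response per
    kind of failure. The more distinct responses, the louder the oracle."""
    seen = set()
    for b in blocks:
        try:
            pkcs1_v15_unpad_leaky(b)
            seen.add("ok")
        except ValueError as e:
            seen.add(str(e))
    return seen


if __name__ == "__main__":
    k = 64                                    # constructed: 512-bit toy modulus size
    secret = b"the secret inside the box"     # constructed sample plaintext (25 bytes)
    good = pkcs1_v15_pad(secret, k)
    bad_type = b"\x00\x01" + good[2:]         # wrong block type byte
    no_sep = good[:2] + bytes([0x41] * (k - 2))  # no 0x00 after the prefix
    print("leaky decoder responses:", oracle_responses([good, bad_type, no_sep]))
    for blk in (good, bad_type, no_sep):
        ok, msg = pkcs1_v15_unpad_uniform(blk, k, len(secret))
        print("uniform decoder returned", len(msg), "bytes; ok =", ok)
```

The leaky decoder answers three differently shaped blocks with three different complaints, which is exactly the information the attack accumulates tap by tap. The uniform decoder hands back 25 bytes every time, and as long as the code after it treats those bytes the same way whether or not the flag was set, there is nothing distinct to listen for. OAEP (PKCS #1 v2.0 and later) removes the problem at the format level instead, which is why updating the padding scheme is the real fix.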
Right there in the paper are to be found the limitations of their methodology. If the hacker can get hold of your token and your protected hardware they can tackle the problem in under an hour. RSA can defend herself so I’ll just stick with the easy stuff. If the hacker has your hardware, your token and the PIN that enables the token, you have bigger problems than an outdated and vulnerable padding scheme. This is why RSA dismisses the issue as both an impractical attack and as much ado about nothing. This is not to dismiss what the researchers have done: made an old and creaky attack a LOT more efficient and speedy. That said, the paper is a warning to update your old kit, not a revelation of some new and lethal flaw in these security tokens.
This case is another reason I do not read tech news very often. Broken science and technology reporting is going to be the end of me. If you want to get the skinny, you have to read the source material yourself. If you do not understand the source material, follow a guy like Bruce Schneier. Either way, extraordinary claims require extraordinary proof. Demand it.