For years private companies and government agencies have given their employees a card or token that produces a constantly changing set of numbers. Those devices became the preferred method of securing confidential communications online. No one could have access to the data without a secret key generated by the device.
Computer scientists say they have now figured out how to extract that key from a widely used RSA electronic token in as little as 13 minutes.
The scientists, who call themselves Team Prosecco, said their experiment can pry open one model of the RSA dongle — the SecurID 800 — as well as similar tools produced by other companies. They published their findings in a research paper to be presented at a cryptography conference in August; the findings were first reported Monday morning by Ars Technica, a technology news site.
RSA Security, a division of the data storage company EMC, is one of the largest makers of the security fobs. A spokesman for the company, Kevin Kempskie, said that its own computer scientists were studying the paper to determine “if this research is valid.”
“RSA takes these kinds of research reports seriously,” Mr. Kempskie said by e-mail. “If there is a potential serious security vulnerability or threat to our customers, RSA will move quickly to address it.”
This is not the first time the security of RSA’s tokens has been challenged. In March 2011, RSA announced that hackers had breached its data protection. A few months later, the nation’s largest military contractor, Lockheed Martin, said its computer network had been penetrated by thieves exploiting that RSA hack.
The RSA data breach was widely publicized, principally because its dongles are used by many Fortune 500 companies and government agencies to give their employees access to their networks from home or while traveling.
But long before that, cryptographers repeatedly warned that the standards used by these encryption tools were antiquated and susceptible to attack.
“It would be nice if manufacturers paid more heed to what they might see only as theoretical attacks and were more cautious,” said Chris Peikert, a theoretical cryptographer who teaches computer science at the Georgia Institute of Technology. “In an ideal world this problematic standard would have been transitioned away from years ago.”
One of the reasons this standard has persisted, Mr. Peikert said, is that until now, researchers and manufacturers reckoned that it would take a long time to crack the key — and would therefore be impractical for hackers.
The most recent paper changes that calculation. The scientists, almost all of whom are based in research institutes and universities in Europe, said they created another algorithm that allows five kinds of security hardware devices to be cracked in fairly short periods of time.
“The attacks are efficient enough to be practical,” they wrote in the paper. They also wrote that they hoped the industry would reconsider the sustained use of these security standards.
The RSA token took the shortest time to open: 13 minutes. A device made by Siemens took slightly longer: 22 minutes. A third device, made by Gemalto, based in the Netherlands, took 92 minutes.
Other security standards are considered to be safer, researchers said, but security companies have been dealing with more urgent matters. “Cryptography breaks very slowly. It’s the molasses of computer science,” said the security researcher Dan Kaminsky. “There are many technologies we abstractly know are problematic and we prioritize fixing them less than things that are obviously on fire.”
Source: bits.blogs.nytimes.com