Security Tokens Not So Secure
Category: Science & Technology
Posted: June 27, 2012 05:48AM
As the war between system security and hackers continues, it is always good to see exploits found by security researchers first. Team Prosecco, based at the French National Institute for Research in Computer Science and Control, has found a way to efficiently breach systems that rely on USB security tokens.
The idea behind security tokens is a fairly nifty one. Along with the usual security of a username and password, a secure communication channel is also used to send a random token that is generated on demand. A recommended security practice is to create new passwords on a regular basis, and security tokens mimic that behavior, except that tokens are generated far more often than once every few months. This attack, however, operates only on USB security tokens, which require the user simply to insert the USB device instead of typing in the token. The cost of convenience is often security.
First described in 1998, the "padding oracle attack" tries to trick an encryption system into revealing information about the encryption. The attack makes thousands of minor edits to some encrypted text, which the system then tries to read. If the edits are not rejected, meaning the altered text is still consistent with the encryption being used, the attacker learns something about the encryption that can be used for a larger attack. Previously this was not a threat to security tokens because it would take 215,000 attempts to crack 1024-bit encryption, but the researchers managed to bring that down to just 9400 attempts. That many attempts can be completed in just 13 minutes.
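The reason a decryptor can be turned into an "oracle" is that it tells the caller, through distinct errors or early exits, which check a tampered block failed. The following Python is an added example written for this post; it is not code from the article or from the researchers' paper. It uses the RSA PKCS#1 v1.5 block layout (the format the 1998 attack targeted) with a constructed 32-byte toy block size instead of a 1024-bit modulus, and contrasts a naive unpadding routine that leaks the failure reason with one that examines every byte and reports only "accepted" or "rejected". The helper `response_classes` and the `SAMPLES` blocks are constructed for the demonstration.

```python
"""Added example: how an unpadding routine becomes a padding oracle, and how to close it."""
from typing import Callable, Iterable, Optional, Set

# Layout of an RSA-decrypted PKCS#1 v1.5 block (type 2, used for encryption):
#   0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || message
# The block is as long as the modulus; BLOCK_LEN is a constructed toy size.
BLOCK_LEN = 32


class BadBlockType(ValueError):
    pass


class BadPaddingLength(ValueError):
    pass


class MissingSeparator(ValueError):
    pass


def unpad_leaky(block: bytes) -> bytes:
    """Naive unpadding: each failure mode raises a different error and exits early.
    The error type (and the time spent before raising) reveals *why* the block was
    rejected, which is exactly the information a padding oracle attack collects."""
    if len(block) != BLOCK_LEN or block[0] != 0x00 or block[1] != 0x02:
        raise BadBlockType("leading bytes are not 00 02")
    try:
        sep = block.index(0x00, 2)          # first zero byte after the header
    except ValueError:
        raise MissingSeparator("no 00 separator after padding") from None
    if sep - 2 < 8:
        raise BadPaddingLength("padding string shorter than 8 bytes")
    return block[sep + 1:]


def unpad_hardened(block: bytes) -> Optional[bytes]:
    """Unpadding with a single failure outcome. Every byte is examined whatever the
    earlier checks found, and all checks are folded into one flag, so the caller
    learns only 'accepted' or 'rejected'. (Full constant-time behaviour also needs
    care at the language and CPU level; this shows the structural rule: no early
    exit, no distinct errors.)"""
    if len(block) != BLOCK_LEN:
        return None                          # the length is public (modulus size)
    ok = 1
    ok &= int(block[0] == 0x00)
    ok &= int(block[1] == 0x02)
    sep = 0      # position of the first zero byte after the header, once found
    found = 0    # becomes 1 at the first zero byte and stays 1
    for i in range(2, BLOCK_LEN):
        is_zero = int(block[i] == 0x00)
        sep |= i * (is_zero & (1 - found))   # record the first zero without branching
        found |= is_zero
    ok &= found
    ok &= int(sep - 2 >= 8)                  # PS must be at least 8 bytes
    return block[sep + 1:] if ok == 1 else None


def response_classes(unpad: Callable[[bytes], Optional[bytes]],
                     samples: Iterable[bytes]) -> Set[str]:
    """Collect the distinct outcomes a caller could observe from `unpad`."""
    seen: Set[str] = set()
    for blk in samples:
        try:
            seen.add("accepted" if unpad(blk) is not None else "rejected")
        except ValueError as exc:
            seen.add(type(exc).__name__)
    return seen


# Constructed test blocks: one well-formed block and three malformed ones.
VALID = b"\x00\x02" + bytes(range(1, 9)) + b"\x00" + b"A" * 21        # 2+8+1+21 = 32
WRONG_TYPE = b"\x00\x01" + VALID[2:]                                   # header 00 01
SHORT_PS = b"\x00\x02" + b"\x05" * 3 + b"\x00" + b"B" * 26             # PS only 3 bytes
NO_SEPARATOR = b"\x00\x02" + b"\x07" * 30                              # never a 00 byte
SAMPLES = [VALID, WRONG_TYPE, SHORT_PS, NO_SEPARATOR]

if __name__ == "__main__":
    print("leaky decryptor exposes:   ", sorted(response_classes(unpad_leaky, SAMPLES)))
    print("hardened decryptor exposes:", sorted(response_classes(unpad_hardened, SAMPLES)))
```

Run against the four sample blocks, the leaky routine produces four distinguishable outcomes (one success and three different errors), while the hardened one produces only two. Collapsing the error surface is the first-line mitigation; the longer-term fix for RSA encryption is to use OAEP padding, which was designed so that accept/reject does not leak usable structure about the plaintext.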
Companies whose services and products may be affected by this have already been notified of how the attack works, so they can properly address it. Perhaps fixes will be implemented before the CRYPTO 2012 meeting next month, when the researchers will discuss their findings. Until then, the paper has been released (pdf) for anyone to read.