Researchers devise practical key recovery attack against smart cards, security tokens

Researchers optimize known oracle padding attacks to make them practical against cryptographic devices that use older encryption standards

A team of cryptographic researchers claim to have developed an attack method that can be used to recover secret keys in an acceptable time frame from cryptographic devices like smart cards, hardware security modules and USB security tokens.

The new attack method was documented in a research paper that will be presented later this year at the CRYPTO 2012 cryptology conference and significantly improves previously known oracle padding attacks against asymmetric (RSA PKCS#1 v1.5) and symmetric (AES-CBC) encryption standards.

The method works on devices like the RSA Securid 800, Aladdin eTokenPro, Gemalto Cyberflex, Safenet Ikey 2032 and Siemens CardOS that use the vulnerable encryption standards for key export and import functions

Shortcomings in the implementation of such functions on some devices further improve the performance of this attack method and reduce the time required to recover keys.

Oracle padding attacks involve repeatedly sending an intentionally modified ciphertext to a decryptor in order to analyze the differences between the errors it generates. These bits of information can eventually be used to deduce the original text.

Oracle padding attacks were considered impractical against smartcards and security tokens because they require hundreds of thousands of attempts, which would take a very long time on the slow processors found in such devices.

"We give a modified algorithm which results in an attack which is 4 times faster on average than the original, with a median attack time over 10 times faster," the team of researchers wrote in their new paper.

The new attack is possible because many devices continue to use outdated standards for encryption operations.

For example, PKCS#1 v1.5 was published in 1993 and is known to be vulnerable to oracle padding attacks since 1998. Despite this, it was the most common encryption mechanism for key import and export functions on devices tested by the researchers.

A solution to prevent oracle padding attacks is to use OAEP mode encryption, which has been recommended for all new applications since PKCS#1 v2.1 was released in 2002, the researchers said.

"Security is a constantly shifting landscape," said Terence Spies, chief technology officer at data protection vendor Voltage Security via email. "Securing high-value data requires staying up to date on the research landscape, and incorporating lessons from that community. Attackers are reading that research, and people securing data need to also."

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts