Does Two-factor Authentication Need to Be Fixed?

Did "Team Prosecco" score a goal against two-factor authentication?

Another debate that has stirred up against two-factor authentication came when cryptographic researchers based in France at the National Institute of Research in Computer Science (INRIA) issued a highly technical paper claiming they've found practical means to speed up attacks on token devices. The paper in which they describe this carries the geeky title "Efficient Padding Oracle Attacks on Cryptographic Hardware."

Calling themselves "Team Prosecco," the group intends to discuss their findings more at the upcoming CRYPTO conference. In saying they could extract encryption keys from tokens such as those from Alladin, Gemalto, RSA SecurID , Safenet and Siemens, the researchers stirred up a hornet's nest of response in some quarters.

RSA, the security division of EMC, ardently rebutted Team Prosecco's findings about the SecurID token, which Team Prosecco said it had narrowed an attack time to 13 minutes. Tokens from other manufacturers were also called vulnerable to attack by Team Proseccor, but attack times were said to be longer, ranging from 21 minutes to 92 minutes.

"This is an alarming claim and should rightly concern customers who have deployed the RSA SecurID 800 authenticator," writes Sam Curry, CTO, in his corporate blog this week. "The only problem is that it's not true. Much of the information being reported overstates the practical implications of the research, and confuses technical language in ways that make it impossible for security practitioners to assess risk associated with the products they use today accurately. The initial result is time wasted by product users and the community at large, determining the facts of the situation." Curry has been reaching out to publications that RSA believes got it wrong, posting comments to that end.

However, some crypto researchers in the U.S. said the claims by the researchers based in France should not be lightly dismissed.

Matthew Green, cryptographer and researcher at Johns Hopkins University, recently wrote in his own blog that there have been "a bad couple of years for the cryptographic token industry" and that the paper out from Team Prosecco could be just the latest bad news.

When asked his views about the paper, Green states, "All of these tokens used a known-vulnerable implementation of the RSA encryption scheme. We've known that this scheme is vulnerable since about 1998. So, in that sense, there's nothing fundamentally novel here." But he says what the researchers have done is, they "showed that these tokens are vulnerable to these known attacks. There's no good reason for this, and the developers should have recognized this as a problem even before the paper was published."

Secondly, the Team Prosecco researchers "hugely sped up the attack and made it practical to attack these token devices. This is a big deal, since the tokens aren't that fast. The new attack can run in just a few minutes, rather than hours or days."

Green says he didn't intend to be "alarmist" about what the attack means since it all "depends on how tokens are used in specific applications. Nonethless, security is not about hoping for the best, it's about planning for the worst."

He concluded businesses that depend on the tokens should be concerned and "take steps to protect themselves and their customers' data."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Subscribe to the Security Watch Newsletter

Comments