A team of cryptographic researchers claim to have developed an attack method that can be used to recover secret keys in an acceptable time frame from cryptographic devices like smart cards, hardware security modules and USB security tokens.
The new attack method was documented in a research paper that will be presented later this year at the CRYPTO 2012 cryptology conference and significantly improves previously known oracle padding attacks against asymmetric (RSA PKCS#1 v1.5) and symmetric (AES-CBC) encryption standards.
The method works on devices like the RSA Securid 800, Aladdin eTokenPro, Gemalto Cyberflex, Safenet Ikey 2032 and Siemens CardOS that use the vulnerable encryption standards for key export and import functions
Shortcomings in the implementation of such functions on some devices further improve the performance of this attack method and reduce the time required to recover keys.
Oracle padding attacks involve repeatedly sending an intentionally modified ciphertext to a decryptor in order to analyze the differences between the errors it generates. These bits of information can eventually be used to deduce the original text.
Oracle padding attacks were considered impractical against smartcards and security tokens because they require hundreds of thousands of attempts, which would take a very long time on the slow processors found in such devices.
“We give a modified algorithm which results in an attack which is 4 times faster on average than the original, with a median attack time over 10 times faster,” the team of researchers wrote in their new paper.
The new attack is possible because many devices continue to use outdated standards for encryption operations.
For example, PKCS#1 v1.5 was published in 1993 and is known to be vulnerable to oracle padding attacks since 1998. Despite this, it was the most common encryption mechanism for key import and export functions on devices tested by the researchers.
A solution to prevent oracle padding attacks is to use OAEP mode encryption, which has been recommended for all new applications since PKCS#1 v2.1 was released in 2002, the researchers said.
“Security is a constantly shifting landscape,” said Terence Spies, chief technology officer at data protection vendor Voltage Security via email. “Securing high-value data requires staying up to date on the research landscape, and incorporating lessons from that community. Attackers are reading that research, and people securing data need to also.”