You may have read about two recent vulnerabilities associated with RSA authentication products. Last month, a researcher specified how to copy a SecurID software token from one computer to another, which can enable an impersonation attack (Ars Technica). This week, researchers described a way to decrypt data encrypted with a SecurID smart card (again, Ars Technica). You can read RSA’s response (via Sam Curry) to the second vulnerability here.

What do these two attacks mean for RSA’s SecurID one-time password (OTP) customers? The answer is likely “not much”, particularly if they are using hardware OTP devices (the predominant form factor).

Software Token Vulnerability

In the first attack, a researcher was able to successfully copy the OTP secret (AKA symmetric key or “seed”) from one computer to another. Honestly, after reading the specifics of this attack my first reaction was … a yawn. For at least a decade, RSA has offered a software equivalent to the hardware OTP token. The company implemented additional controls to make it difficult to copy the secret from one computer to another, therefore raising the bar on an impersonation attack. The controls are better than most (if not all) than other implementations in the market. Now, a researcher has found a way to copy the OTP. While this may be the first public demonstration of this capability, I am confident that this vulnerability has existed for years.

The software OTP device has always been a cost-effective alternative to the hardware OTP, which is highly tamper-resistant form factor. But remember that software OTP devices function in an unsecure environment. Did anybody ever think that a software OTP device running on a PC is as tamper-resistant as a hardware OTP device? Did people really think that last month’s attack was not possible? How can one expect high-grade, hardware device tamper resistance when the cryptographic secret is stored on Satan’s Computer?

PKCS #11 Vulnerability

Last week’s attack leverages an older implementation of PKCS #11 middleware. PKCS #11—like Microsoft’s Cryptographic API—provides interoperability between PKI-consuming applications (for example, browsers) and smart cards. Kudos to the researchers, however, as they optimized the cryptographic attack and lowered the “work time” to make the decryption viable. While other vendors’ solutions were mentioned in the research, RSA received the most press as it is the market-leading enterprise strong authentication vendor.

But the PKCS #11 vulnerability has nothing to do with the RSA SecurID OTP system; it only impacts the PKI part of the smart card. More facts:

• The attack does not yield the user’s private asymmetric key
• The vulnerability is not present in the current middleware that RSA ships
• Most Windows applications don’t use PKCS #11. They use Microsoft Cryptography APIs (MS-CAPI or CNG) as it provides better interoperability. In my 15+ years of experience with smart cards, PKCS #11 never provided true interoperability and frequently required tweaks to support new applications.
• There are other simpler, quicker attacks that yield the same (or better) results. For example, workstation malware can capture the user’s smart card PIN and decrypt the data faster. This is the modus operandi of the Sykipot attack that I spoke about in January.

What does it mean for smart card customers, regardless of the vendor? These customers should continue to be diligent about malware protection and the deployment of the latest smart card middleware. They should consider using MS-CAPI or CNG instead of PKCS #11 on Windows workstations.

Bottom Line

No authentication mechanism is bulletproof. Even smart cards are vulnerable to attack. If you want OTP authentication that provides high identity assurance, buy a hardware OTP device. Software-based credentials that run on the  user’s computing computing device—be that a PC or a mobile phone—should be carefully considered. Software OTP devices can provide moderate identity assurance, but only after you invest a little time thinking about the device that they run on.

Additional Reading

Déjà Vu – The Sykipot Attack on Smart Cards

OTP Systems and Mobile Devices: Don’t Make The Biggest Implementation Mistake

Nothing is Bulletproof

The Evolving Intersection of Mobile Computing and Authentication (subscription required)

Road Map: Replacing Passwords with Smart Card Authentication (subscription required)

Authentication Decision Point (subscription required)

Road Map: Replacing Passwords with OTP Authentication (subscription required)