Fresh criticism of RSA authentication draws rebuttal from vendor on reporting

RSA has defended itself over the Project Team Prosecco research once again after a blog described it as ‘walking around the research without directly addressing it’.

Responding to the Team Prosecco research paper, a blog by Root Labs' Nate Lawson claimed that RSA was ignoring the point that even a legitimate user should not be able to recover encrypted ‘wrapped’ keys: the user can only cause the token to unwrap the keys and use them on the operator's behalf, not recover the keys themselves.

“So this attack definitely qualifies as privilege escalation, even if performed by the authorised user herself,” Lawson said.

He also claimed that, as the attack requires local access and a PIN and PKCS #11 is an API, RSA ‘really has no firm knowledge how all their customers are using it’.

It said: “Some applications may proxy access to the token via a web front end or other network access. An application may cache the PIN. As with other arguments that privilege escalation attacks don't matter, it assumes a lot about the customer and attacker profile that RSA has no way of knowing.”

The blog also addressed RSA's point that OAEP (PKCS #1 v2.0) is not subject to this vulnerability, and claimed that this doesn't address the issue raised in the paper, where RSA's implementation sets flags in the key to allow the user to choose version 2.0 or 1.5.

It said: “Hopefully, they'll be fixing this despite not mentioning it here. After all, the research paper shows that many other major vendors had the same problem. My conclusion is that we have a long way to go in getting robust crypto implementations in this token market.”

In a response blog, Sam Curry, CTO for the identity and data protection business unit at RSA, said that RSA was not “walking around” the Project Team Prosecco research, as asserted by Root Labs, because it supports the research; its problem was with the reporting on the research and its relationship to RSA.

He said: “Much of this reporting is misleading and inaccurate, leading to unwarranted fear among customers. Reports have been published that claim the cracking of RSA SecurID 800 devices, stealing of private keys and possible cloning of smart cards; all of which of course are not true. In addition, other reports link this attack against smartcards to the RSA SecurID One Time Passcode technology, which is strictly false.”

Looking directly at the Root Labs blog, Curry said that while the summary was fine, it was incomplete: one critical piece that was misunderstood was the statement that the researchers had ‘unfettered access to the vendor solutions’, including having the PINs needed to access the device.

He said: “Not mentioned by the authors in the paper (or subsequent reporting on the subject) is that RSA was in contact with the researchers more than a year ago. After the researchers explained some weaknesses in our implementation, we modified our PKCS #1 V1.5, and shipped an updated version of our middleware supporting the recommended changes, namely RAC 3.5.4.

“Since the research report does not indicate what version of the middleware was used in the testing, it is difficult to tell if the performance numbers reflect the current RSA middleware. Our suspicion is that the testing in the research paper was not using the new version of RAC, and that some of the speed difference is attributable to an efficient implementation of RSA encryption in the RSA SecurID 800 token which is generally a good thing, but in this case may allow the test to complete faster.”

Curry said that, due to the research, RSA was in the process of designing a solution that will by default disable PKCS #1 V1.5, but allow customers who need backward compatibility to re-enable V1.5 support.

He also said that RSA has responded to these researchers in the past with improvements to its security and welcomes the ‘honest dialogue’ their efforts generate.

“We agree that the industry needs robust crypto implementations, and RSA works hard to lead the industry in this area as demonstrated by our early support for PKCS #1 V2 and OAEP. We expect to continue in this role,” he said.

“Security of smart card devices like the RSA SecurID 800 is not compromised as long as people maintain best practices and control of their PIN. To close, and to illustrate the misinformation being published, the Root Labs blog title should have said ‘PKCS #1 V1.5 vulnerability’ instead of ‘SecurID vulnerability’.”