
"RSA downplayed the practical significance of the attack"
Which would mean more if they didn't 'downplay the practical significance' of every attack, including the last one which turned out to be practically significant after all.
Crypto boffins have developed an attack that's capable of extracting the protected information from hardened security devices such as RSA's SecurID 800. The research (PDF), developed by a group of computer scientists who call themselves Team Prosecco – due to be presented at the CRYPTO 2012 conference in August – is a …
I agree, but they are in a situation where lots of people review their own work along the lines of "This is it, we've totally blown open all of RSA's encryption system, this is a total game changer", when in actual fact the work can be more accurately described as "here is a very interesting attack, which may well warrant further investigation and shouldn't be discounted out of hand."
As far as I can see, this only applies to the smartcard which is packaged alongside the SecurID function in some tokens. Basically, if your SecurID token hasn't got a USB plug, it's not a smartcard and this doesn't apply. If it is a smartcard, it still doesn't apply to the SecurID function. I struggled with the paper, but I think the attack needs the PIN too, and if you have the PIN and the token, you're in anyway.
So this may be a little overblown.
I'm not sure you can blame RSA for the quality of the users, although I suspect the real cause is IT indifference to security if the PINs are set to 1234.
Like many security products, just having it "working" doesn't make you or your organisation secure....
"I'm not sure you can blame RSA for the quality of the users,..."
I'm not blaming RSA on that one. I'm referring to the post I replied to that said you need the PIN too, which in many cases is trivial to guess.
The number of users I set up who decided to use 1234 is quite high, as they thought the encrypted keyfob thingie was enough.
"No they're not, you can prevent users from setting PINs to 1234."
Our IT overlords have not done so. One of the many things I'd change if we weren't owned by a company so big it takes them a week to even look at an urgent problem.
> > No they're not, you can prevent users from setting PINs to 1234.
>
> Our IT overlords have not done so. One of the many things I'd change
> if we weren't owned by a company so big it takes them a week to even
> look at an urgent problem.
0000, 1111, 2222, 3333, ...
0123, 1234, 2345, 3456, ...
...
are quite bad too... But if you eliminate all the bad passwords, you'll lose entropy.
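To put a number on the entropy trade-off raised in the post above, here is an added example (not code from the original thread or from any vendor) that implements the two pattern rules named in it, repeated digits and straight runs in either direction, and counts how much of the 4-digit PIN space the filter removes. The rules themselves are an assumption chosen to match the examples in the thread, not RSA's or anyone else's actual PIN policy.

```python
import math
from itertools import product


def is_weak_pin(pin: str) -> bool:
    """Pattern rules for a numeric PIN, assumed for this example:
    reject all-same digits (0000, 1111, ...) and straight runs in either
    direction (0123, 1234, ..., 9876).  Malformed input is rejected too,
    so a bad value never passes by accident."""
    if len(pin) < 2 or not pin.isdigit():
        return True
    digits = [int(c) for c in pin]
    # Set of step sizes between neighbouring digits: a single value of
    # 0, +1 or -1 means "repeated", "ascending run" or "descending run".
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1}, {-1})


def pin_space_after_filter(length: int = 4) -> dict:
    """Enumerate every PIN of the given length, apply the filter, and
    report the surviving key space and the entropy (in bits) of a uniform
    choice from the survivors versus the unfiltered space."""
    total = 10 ** length
    allowed = sum(
        1 for digits in product("0123456789", repeat=length)
        if not is_weak_pin("".join(digits))
    )
    full_bits = math.log2(total)
    filtered_bits = math.log2(allowed)
    return {
        "total": total,
        "rejected": total - allowed,
        "allowed": allowed,
        "entropy_full": full_bits,
        "entropy_filtered": filtered_bits,
        "entropy_lost": full_bits - filtered_bits,
    }


if __name__ == "__main__":
    r = pin_space_after_filter(4)
    print(f"rejected {r['rejected']} of {r['total']} PINs, {r['allowed']} remain")
    print(f"entropy {r['entropy_full']:.4f} -> {r['entropy_filtered']:.4f} bits "
          f"(lost {r['entropy_lost']:.4f} bits)")
```

Run stand-alone it shows that blacklisting the 24 patterned 4-digit PINs costs about 0.003 bits of entropy against an attacker who must guess uniformly, which is the trade the post is weighing; the real loss only becomes material if the blacklist grows to a large fraction of the space.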
These token things are tougher than you might think. I came to have an "obsolete" token and decided to see what it would take to break the thing. A bored mind is a dangerous thing.
The short answer: quite a lot!
Don't try any of this at home, nor anywhere else.
I threw it at walls, jumped on it, stomped on it, ran over it with a truck, attempted to stuff it into a paper shredder, chucked it down a two story staircase repeatedly and watered it. It was still in one piece up until I chucked it down the staircase. Then the casing started to break, but the electronics still worked.
Around that time, I decided to pull the coin cell battery from it, and saved that for another project (probably re-enlivening a computer clock module or something) since it still seemed to be good.
The end finally came when I threw it in the microwave oven for a few seconds... not once, but twice. Nothing happened the first time around, and the thing still worked when I put the battery back in. The second time produced a very nice flash and bang, which was the end of the line.
Maybe you didn't ask. Now you know.
Firstly, oblig: http://xkcd.com/538/
All these things are well and good, but take a long time to mature into in-the-wild attacks. Speaking in a professional capacity*, we saw the breaking of the Mifare encryption many years ago, but we have yet to see any serious, determined effort in the wild to exploit the knowledge.
We are still selling standard Mifare cards to customers who are quite happy and don't report problems with attacks many years after the cracking method became public knowledge.
These breakings of methods seem to be good for theory, in that when a standard is broken it forces manufacturers to up their game and come up with the next, more secure solution, but outside government-level spook games this stuff doesn't seem to have a real-world impact.
*Full disclosure: I work in the plastic card security business, not the encryption business. I understand the article but not the encryption engineering behind it.
Why don't people use 10,000-bit keys?
If the size of the crackable key is always just out of reach, why not start using keys that are a hundred or a thousand times longer, instead of just a tiny bit longer that'll get cracked in a year's time? Copy and paste a block of text or something. Make it longer than the life of the universe to uncrack.
The amount of security you gain by increasing the key size decreases rather quickly, especially when performance is factored in. Or at least that's the traditional model/assumption. There was an interesting thread on the openGPG mailing list last month, subject = "Some people say longer keys are silly. I think they should be supported by gpg."
The OP was a nut, but it did result in some useful chatter. The main issue, though, is that underpowered (mobile) hardware can't handle huge key sizes without creating an equally huge latency. That said, I run 4096-bit RSA keys on my phone without any appreciable lag, but many of the older OpenGPG members disagree.
However, current NSA guidelines establish that once you go beyond 4096-bit security (actually I think it's 3072-bit) a better option is to switch to Elliptic Curve Crypto. That is far more efficient in terms of size. Normally security is scaled in X bits of symmetric cipher, and 512-bit ECC is equal to 256-bit security; ECC-256 is 128-bit security. On the other hand, RSA 4096 is somewhat like 142 bits. Doubling that to RSA 8192 only ups the security to 194 bits. That's a huge increase in key size (overhead) for very little security. So it's half "nobody will ever need more than 64 KB of RAM", and the rest is that you cannot predict a break in a cipher system, which means your security is not worthwhile, and the lag you introduced may present timing attacks and useless overhead.
Something like TWIRL cuts about 11 bits of security off anything involving number factoring, and obviously quantum computers would shred through any RSA cipher.
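The post above quotes security-bit equivalents for RSA and ECC key sizes from memory; the relationship behind those numbers can be worked out directly, and the added example below (mine, not code from the thread or from any standards body) does so. It estimates the symmetric-equivalent strength of an RSA modulus from the general number field sieve running time L_n[1/3, (64/9)^(1/3)] in the calibrated form (1.923·(ln n)^(1/3)·(ln ln n)^(2/3) − 4.69)/ln 2, pairs it with the n/2 rule for prime-order curves, and models the cost of one private-key operation as growing with the cube of the key length. The calibration constant 4.69 and the cubic cost model are assumptions made for this example; published key-length tables differ from these estimates by a few bits, and real implementations use faster-than-schoolbook arithmetic.

```python
import math

LN2 = math.log(2)


def rsa_security_bits(modulus_bits: int) -> float:
    """Heuristic symmetric-equivalent strength of an RSA modulus of the
    given size, from the GNFS running time L_n[1/3, (64/9)^(1/3)] with
    n ~= 2**modulus_bits.  The additive calibration term -4.69 is assumed
    here (it reproduces the common 1024 -> ~80 and 2048 -> ~110-112 bit
    figures); other published tables differ by a few bits."""
    ln_n = modulus_bits * LN2
    c = (64 / 9) ** (1 / 3)              # ~1.923, the GNFS constant
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / LN2


def ecc_security_bits(curve_bits: int) -> float:
    """Generic-group attacks (Pollard rho) cost about sqrt(group order), so a
    prime-order curve over an n-bit field gives roughly n/2 bits of security."""
    return curve_bits / 2


def relative_op_cost(key_bits: int, baseline_bits: int) -> float:
    """Cost of one private-key operation relative to a baseline key size under
    an assumed cubic model: ~n multiplications of ~n**2 work each for a
    schoolbook modular exponentiation (scalar multiplication on a curve scales
    the same way).  A model for comparison, not a benchmark."""
    return (key_bits / baseline_bits) ** 3


def diminishing_returns(sizes):
    """For each RSA size return (bits, security bits, security bits gained per
    extra key bit since the previous size, operation cost relative to the
    first size).  The per-bit gain shrinks as sizes grow while cost explodes."""
    rows, prev = [], None
    for n in sizes:
        sec = rsa_security_bits(n)
        gain_per_bit = None if prev is None else (sec - prev[1]) / (n - prev[0])
        rows.append((n, sec, gain_per_bit, relative_op_cost(n, sizes[0])))
        prev = (n, sec)
    return rows


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'sec bits':>9} {'gain/bit':>9} {'rel cost':>9}")
    for n, sec, gain, cost in diminishing_returns([1024, 2048, 3072, 4096, 8192, 16384]):
        g = "-" if gain is None else f"{gain:.4f}"
        print(f"{n:>9} {sec:>9.1f} {g:>9} {cost:>9.1f}")
    for curve in (256, 384, 512):
        print(f"ECC-{curve}: ~{ecc_security_bits(curve):.0f} bits, "
              f"cost vs ECC-256 x{relative_op_cost(curve, 256):.1f}")
```

Running it reproduces the shape of the post's argument: going from 4096 to 8192 bits roughly octuples the per-operation cost while adding on the order of 50 security bits, and each further doubling buys fewer security bits per key bit, whereas ECC-256 reaches ~128 bits with a key an order of magnitude smaller than the RSA modulus needed for the same level.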
@Skrrp, "We are still selling standard Mifare cards to customers who are quite happy and don't report problems with attacks many years after the cracking method became public knowledge."
Your customers aren't reporting problems because they don't know they are being attacked! People ride for free on the London Underground due to the vulnerabilities in Oyster cards. Do your customers know that you are selling them obsolete kit? Are you advising them of the risks? You really should be!
@Anonymous Coward, "Why don't people use 10,000-bit keys?"
Because the computation would be rather slow...