On Thu, Jul 5, 2012 at 9:17 AM, Martin Paljak <[email protected]> wrote:
> On Tue, Jul 3, 2012 at 1:56 AM, Michael Nelson <[email protected]> wrote:
>> It also does not matter whether you are using pkcs11 APIs, and whether you
>> are doing key wrap/unwrap, and whether the data is a key. Any secret piece
>> of data encrypted under an RSA cert can be potentially extracted, via any
>> kind of crypto module, as long as the module will use the deprecated padding
>> mechanism.
>
> That's a very broad claim. I guess nobody has questioned the fact that
> the authors of the paper optimized a long-known weakness to become
> useful, *if the conditions are right*.
> Like uncontrolled access to C_UnwrapKey or C_Decrypt (in terms of
> PKCS#11, as this is what the authors are using).
>
> It all works, if the module functions as an oracle that can be
> exploited by the adversary. I don't know the SecureID token, but I do
> know some other tokens described in the paper. Any reasonable token
> would do owner PIN verification before trying to decrypt.

Access controls are a mitigation. There is no guarantee that the attacker
doesn't have access. Note that if the attacker does have access they still
have incentive to extract the actual keys: so they can continue to use them
even if they lose access, and so they can avoid auditing facilities on the
HSM/token.

Mitigations do not detract from the cryptanalytic result. It's time to stop
using weak padding signature algs.

Nico

--
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
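The disagreement above, reduced to a runnable model. This is an added example written for this page, not code from any of the posters, from the paper's authors, or from any real token or HSM. It assumes a toy 768-bit RSA key generated in pure Python, the PKCS#11 mechanism and return-code names used only as string labels, a constructed PIN, and a constructed alert threshold; C_UnwrapKey is folded into C_Decrypt because both run the same padding check on the token.

```python
"""Toy PKCS#11-style token, added as an example for this thread (not code from the posters
or any real HSM): why an RSA PKCS#1 v1.5 C_Decrypt/C_UnwrapKey call is a padding oracle,
and what a PIN gate, a mechanism allowlist and an audit counter change. Toy values throughout."""
import hashlib, os, random
CKM_RSA_PKCS, CKM_RSA_PKCS_OAEP = "CKM_RSA_PKCS", "CKM_RSA_PKCS_OAEP"
CKR_OK, CKR_PIN_INCORRECT, CKR_USER_NOT_LOGGED_IN = "CKR_OK", "CKR_PIN_INCORRECT", "CKR_USER_NOT_LOGGED_IN"
CKR_MECHANISM_INVALID, CKR_ENCRYPTED_DATA_INVALID = "CKR_MECHANISM_INVALID", "CKR_ENCRYPTED_DATA_INVALID"

def _is_probable_prime(n, rounds=16):            # Miller-Rabin; plenty for a toy key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=768, e=65537):               # toy size: a 768-bit n gives k = 96 bytes
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:   # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_raw(key, block):                         # one modexp serves both (n, e) and (n, d)
    n, x = key
    return pow(int.from_bytes(block, "big"), x, n).to_bytes((n.bit_length() + 7) // 8, "big")

def pkcs1_v15_pad(msg, k):                       # EME-PKCS1-v1_5: 00 02 <nonzero PS> 00 M
    return b"\x00\x02" + bytes(random.randrange(1, 256) for _ in range(k - 3 - len(msg))) + b"\x00" + msg

def pkcs1_v15_unpad(em):
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:        # this yes/no is the bit the oracle leaks
        raise ValueError("bad padding")
    return em[sep + 1:]

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
_LHASH = hashlib.sha256(b"").digest()            # OAEP label hash for the empty label

def _mgf1(seed, length):
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]

def oaep_pad(msg, k, h=32):                      # EME-OAEP with SHA-256 (RFC 8017 7.1.1)
    db = _LHASH + b"\x00" * (k - len(msg) - 2 * h - 2) + b"\x01" + msg
    seed = os.urandom(h)
    masked_db = _xor(db, _mgf1(seed, k - h - 1))
    return b"\x00" + _xor(seed, _mgf1(masked_db, h)) + masked_db

def oaep_unpad(em, k, h=32):
    seed = _xor(em[1:1 + h], _mgf1(em[1 + h:], h))
    db = _xor(em[1 + h:], _mgf1(seed, k - h - 1))
    sep = db.find(b"\x01", h)
    if em[0] != 0 or db[:h] != _LHASH or sep < 0 or any(db[h:sep]):
        raise ValueError("decoding error")       # one combined check, one uniform error
    return db[sep + 1:]

class Token:                                     # allow_v15=True is the legacy configuration
    def __init__(self, pin, allow_v15):
        self.pub, self.priv = rsa_keygen()
        self.k, self._pin, self.allow_v15 = (self.pub[0].bit_length() + 7) // 8, pin, allow_v15
        self.logged_in, self.audit = False, []   # audit: (mechanism, rv) per call

    def C_Login(self, pin):
        self.logged_in = pin == self._pin
        return CKR_OK if self.logged_in else CKR_PIN_INCORRECT

    def C_Decrypt(self, mech, ct):
        # C_UnwrapKey would run the same path; keeping the key inside does not hide rv.
        allowed = {CKM_RSA_PKCS_OAEP} | ({CKM_RSA_PKCS} if self.allow_v15 else set())
        if not self.logged_in:                   # the PIN gate: a mitigation, not a fix
            rv, pt = CKR_USER_NOT_LOGGED_IN, None
        elif mech not in allowed:                # hardened policy: mechanism allowlist
            rv, pt = CKR_MECHANISM_INVALID, None
        else:
            try:
                em = rsa_raw(self.priv, ct)
                rv, pt = CKR_OK, (pkcs1_v15_unpad(em) if mech == CKM_RSA_PKCS else oaep_unpad(em, self.k))
            except ValueError:
                rv, pt = CKR_ENCRYPTED_DATA_INVALID, None
        self.audit.append((mech, rv))
        return rv, pt

def padding_probe_suspected(audit, threshold=32):
    """Detection rule: a burst of v1.5 padding failures in one session is abnormal."""
    return sum((m, rv) == (CKM_RSA_PKCS, CKR_ENCRYPTED_DATA_INVALID) for m, rv in audit) >= threshold
```

Log in to the legacy token and call C_Decrypt with one well-formed and one malformed v1.5 ciphertext: the two return codes differ, and that difference is the oracle, PIN check or not, which is the point about access controls being only a mitigation. The hardened token answers CKR_MECHANISM_INVALID for CKM_RSA_PKCS whatever the input and serves the same unwrap through OAEP, so there is nothing left to distinguish; padding_probe_suspected is the kind of rule a SOC could run over the token's audit log, with a threshold chosen purely for illustration.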
