On Sat, Jun 30, 2012 at 11:11 PM, Noon Silk <noonsli...@gmail.com> wrote: > From: > http://blog.cryptographyengineering.com/2012/06/bad-couple-of-years-for-cryptographic.html > > "Here's the postage stamp version: due to a perfect storm of (subtle, > but not novel) cryptographic flaws, an attacker can extract sensitive > keys from several popular cryptographic token devices. This is > obviously not good, and it may have big implications for people who > depend on tokens for their day-to-day security. [...] The more > specific (and important) lesson for cryptographic implementers is: if > you're using PKCS#1v1.5 padding for RSA encryption, cut it out. > Really. This is the last warning you're going to get." > > Direct link to the paper: > http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf - Efficient > Padding Oracle Attacks on Cryptographic Hardware by Bardou, Focardi, > Kawamoto, Simionato, Steel and Tsay "RSA says that its tokens are secure," http://www.h-online.com/security/news/item/RSA-says-that-its-tokens-are-secure-1627326.html
After a significantly improved attack on crypto hardware made the news, RSA's Sam Curry has said that the affected SecurID 800 token is secure. The token has not been cracked, and the attack is not useful, explained Curry, adding that the attack does not allow private RSA keys to be extracted from the token. ... [Wasn't RSA caught lying about their breach also? Didn't they claim the phishing campaign was an APT?] _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
