RSA Token Cloning? Not even close…

Yesterday, on well known polish security blog, there was published new entry stated (in translation):

“Team of several scientists just demonstated method for `cloning` RSA tokens”

This scary post linked to this article.
I have read the original article, prepared by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay. This was interesting lecture, what describes several improvements to well known attack by D. Bleichenbacher. This attack allows to obtain sensitive material by serie of calls to standard PKCS#11 API function C_UnwrapKey.

First imporant thing to explain is term Sensitive material. This is information existing outside the token in encrypted form. Most often this are symmetric cryptographical keys (e.g. AES keys), which are used for fast enryption of big amount of data. It is done this way, because symetrical encryption is much faster then asymetrical). Of course, the sensitive material can be also data for direct RSA encryption.
API Calls used in referenced document are indented for managing symetrical keys, so the term Key is used instead Sensitive material. That is why it can be misunderstanded as RSA keys can be compromised. It doesn’t work this way!

The originally described method was slow enough to call it “milion messages attack”, and it was marginalized. New poposition of impovements is importand because it significantly decreases required amount of token calls in really tricky way. The final amout of calls is small enough to successful attack in few hours or often minutes.

Continue reading