"This is an alarming claim and should rightly concern customers who have deployed the RSA SecurID 800 authenticator," writes Sam Curry, CTO, in his corporate blog this week. "The only problem is that it's not true. Much of the information being reported overstates the practical implications of the research, and confuses technical language in ways that make it impossible for security practitioners to assess risk associated with the products they use today accurately. The initial result is time wasted by product users and the community at large, determining the facts of the situation." Curry has been reaching out to publications that RSA believes got it wrong, posting comments to that end.
However, some crypto researchers in the U.S. said the claims by the researchers based in France should not be lightly dismissed.
Matthew Green, cryptographer and researcher at Johns Hopkins University, recently wrote in his own blog that there have been "a bad couple of years for the cryptographic token industry" and that the paper out from Team Prosecco could be just the latest bad news.
When asked his views about the paper, Green states, "All of these tokens used a known-vulnerable implementation of the RSA encryption scheme. We've known that this scheme is vulnerable since about 1998. So, in that sense, there's nothing fundamentally novel here." But, he says, what the researchers have done is that they "showed that these tokens are vulnerable to these known attacks. There's no good reason for this, and the developers should have recognized this as a problem even before the paper was published."
Secondly, the Team Prosecco researchers "hugely sped up the attack and made it practical to attack these token devices. This is a big deal, since the tokens aren't that fast. The new attack can run in just a few minutes, rather than hours or days."
Green says he didn't intend to be "alarmist" about what the attack means since it all "depends on how tokens are used in specific applications. Nonetheless, security is not about hoping for the best, it's about planning for the worst."
He concluded that businesses that depend on the tokens should be concerned and "take steps to protect themselves and their customers' data."
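The "known-vulnerable implementation of the RSA encryption scheme" that Green dates to 1998 is the padding-oracle weakness of RSA PKCS#1 v1.5 encryption (Bleichenbacher's attack), a reference the article itself does not spell out. The Python example below is added here and is not code from the article, from RSA, or from Green. It uses a constructed toy key (two small Mersenne primes, far too small for real use) to show the shape of the defect from the defender's side: a decryption routine that reports a different failure for each padding check, next to a variant that fails uniformly so that a caller learns nothing from a malformed ciphertext. Only the oracle and its mitigation are shown, not the attack that uses it.

```python
import secrets

# Constructed toy RSA key (assumption: illustration only, never use keys this small).
# The primes are the Mersenne primes 2^61-1 and 2^89-1, so N is about 150 bits.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # Python 3.8+ modular inverse
K = (N.bit_length() + 7) // 8            # bytes per RSA block (19 here)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """PKCS#1 v1.5 type-2 encryption block: 00 02 <nonzero PS, at least 8 bytes> 00 <msg>."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this key")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_raw(block: bytes, exp: int) -> bytes:
    """Textbook RSA on one K-byte block; padding is handled by the callers."""
    return pow(int.from_bytes(block, "big"), exp, N).to_bytes(K, "big")


def encrypt(msg: bytes) -> bytes:
    return rsa_raw(pkcs1_v15_pad(msg), E)


# --- Vulnerable shape: each padding check that fails reports its own reason. ---

def decrypt_leaky(ct: bytes) -> bytes:
    em = rsa_raw(ct, D)
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")        # failure reason 1
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("missing separator")     # failure reason 2
    if sep < 10:
        raise ValueError("padding too short")     # failure reason 3
    return em[sep + 1:]


def leaky_status(ct: bytes) -> str:
    """What a caller observes from the leaky routine: the distinct reasons are the oracle."""
    try:
        decrypt_leaky(ct)
        return "ok"
    except ValueError as exc:
        return str(exc)


# --- Hardened shape: one outcome for every failure, and no early exit. ---

def decrypt_uniform(ct: bytes, expected_len: int) -> bytes:
    """Return the plaintext, or random bytes of expected_len if anything is wrong.

    The caller must know the plaintext length in advance (as a protocol usually does),
    which lets the length check fold into the single pass/fail flag.
    """
    em = rsa_raw(ct, D)
    sep = -1
    for i in range(2, K):                         # scan every byte; keep the first zero
        if em[i] == 0 and sep == -1:
            sep = i
    good = 1
    good &= int(em[:2] == b"\x00\x02")
    good &= int(sep >= 10)
    good &= int(sep == K - 1 - expected_len)      # separator position fixes the length
    candidate = em[K - expected_len:]
    fallback = secrets.token_bytes(expected_len)  # random stand-in, same length, no error
    return candidate if good else fallback


if __name__ == "__main__":
    ct = encrypt(b"secret")
    print(decrypt_leaky(ct), decrypt_uniform(ct, 6))
    # Two malformed blocks built by the key owner as test vectors for its own decryptor.
    bad_type = rsa_raw(b"\x00\x01" + b"\xff" * (K - 3) + b"\x00", E)
    short_ps = rsa_raw(b"\x00\x02" + b"\x11" * 5 + b"\x00" + b"\x22" * (K - 8), E)
    print(leaky_status(bad_type), "|", leaky_status(short_ps))
    print(len(decrypt_uniform(bad_type, 6)), len(decrypt_uniform(short_ps, 6)))
```

The two constructed test vectors make the point: `decrypt_leaky` answers them with different error strings, so an observer who can submit ciphertexts learns which check failed, while `decrypt_uniform` returns six bytes for both and for a valid ciphertext alike. Pure Python is not constant-time, so this toy closes the error-message channel only; a production implementation also needs the comparisons and the fallback path to take the same time, and the cleaner fix is to move to RSA-OAEP.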
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.