0
Vereinfachte Angiffe gegen Hardware-Token
Auf Grundlage der PKCS#11-Schnittstelle haben Forscher einen effektiven und zeitsparenden Weg gefunden, den privaten Schlüssel aus mehreren weit verbreiten Hardware-Token zu extrahieren.
The exploit, described in a paper to be presented at the CRYPTO 2012 conference in August, requires just 13
minutes to extract a secret key from RSA's SecurID 800, which company marketers hold out as a secure way for
employees to store credentials needed to access confidential virtual private networks, corporate domains, and
other sensitive environments. The attack also works against other widely used devices, including the
electronic identification cards the government of Estonia requires all citizens 15 years or older to carry, as
well as tokens made by a variety of other companies.
minutes to extract a secret key from RSA's SecurID 800, which company marketers hold out as a secure way for
employees to store credentials needed to access confidential virtual private networks, corporate domains, and
other sensitive environments. The attack also works against other widely used devices, including the
electronic identification cards the government of Estonia requires all citizens 15 years or older to carry, as
well as tokens made by a variety of other companies.
http://arstechnica.com/security/2012/06/securid-crypto-attack-steals-ke ...
Das Papier: http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf
Über den generellen Verlass auf 2FA stimmt auch das Whitepaper von McAfee zu "Operation High Roller" nachdenklich:
Automated Bypass of Two-Factor Physical Authentication
All of the instances that involved High Roller malware could bypass complex multi-stage authentication.
Unlike recent attacks that collect simple form authentication data—a security challenge question,
a one-time token, or PIN—this attack can get past the extensive physical (“something you have”)
authentication required by swiping a card in a reader and typing the input into a field (see Two-factor
Authentication sidebar).
All of the instances that involved High Roller malware could bypass complex multi-stage authentication.
Unlike recent attacks that collect simple form authentication data—a security challenge question,
a one-time token, or PIN—this attack can get past the extensive physical (“something you have”)
authentication required by swiping a card in a reader and typing the input into a field (see Two-factor
Authentication sidebar).
http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 187376
Url: https://administrator.de/contentid/187376
Printed on: April 23, 2024 at 21:04 o'clock
