Scientists have devised an attack that takes only minutes to steal the sensitive cryptographic keys stored on a raft of hardened security devices that corporations and government organizations use to access networks, encrypt hard drives, and digitally sign e-mails.

The exploit, described in a paper to be presented at the CRYPTO 2012 conference in August, requires just 13 minutes to extract a secret key from RSA's SecurID 800, which company marketers hold out as a secure way for employees to store credentials needed to access confidential virtual private networks, corporate domains, and other sensitive environments. The attack also works against other widely used devices, including the electronic identification cards the government of Estonia requires all citizens 15 years or older to carry, as well as tokens made by a variety of other companies.

Security experts have long recognized the risks of storing sensitive keys on general purpose computers and servers, because all it takes is a vulnerability in a single piece of hardware or software for adversaries to extract the credentials. Instead, companies such as RSA; Belcamp, Maryland-based SafeNet; and Amsterdam-based Gemalto recommend the use of special-purpose USB sticks that act as a digital Fort Knox that employees can use to safeguard their credentials. In theory, keys can't be removed from the devices except during a highly controlled export process, in which they're sealed in a cryptographic wrapper that is impossible for outsiders to remove.

"They're designed specifically to deal with the case where somebody gets physical access to it or takes control of a computer that has access to it, and they're still supposed to hang onto their secrets and be secure," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "Here, if the malware is very smart, it can actually extract the keys out of the token. That's why it's dangerous." Green has blogged about the attack here.

If devices such as the SecurID 800 are a Fort Knox, the cryptographic wrapper is like an armored car used to protect the digital asset while it's in transit. The attack works by repeatedly exploiting a tiny weakness in the wrapper until its contents are converted into plaintext. One version of the attack uses an improved variation of a technique introduced in 1998 that works against keys using the RSA cryptographic algorithm. As D. Bleichenbacher, the original scientist behind the exploit, discovered, an attacker who subtly modifies the ciphertext thousands of times and puts each variant through the import process can gradually reveal the underlying plaintext. Because the technique relies on "padding" inside the cryptographic envelope to produce clues about its contents, cryptographers call it a "padding oracle attack." Such attacks rely on so-called side channels to learn whether a given ciphertext corresponds to a correctly padded plaintext in the targeted system.

It's this version of the attack the scientists used to extract secret keys stored on RSA's SecurID 800 and many other devices that use PKCS#11, a programming interface included in a wide variety of commercial cryptographic devices. Under the attack Bleichenbacher devised, it took attackers about 215,000 oracle calls on average to pierce a 1024-bit cryptographic wrapper. That required enough overhead to prevent the attack from posing a practical threat against such devices. By modifying the algorithm used in the original attack, the revised method reduced the number of calls to just 9,400, requiring only about 13 minutes of queries, Green said.
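The padding oracle described in the two paragraphs above comes down to an unwrap (import) routine whose observable behaviour depends on how a decrypted block failed its PKCS#1 v1.5 checks. The Python below is an added illustration, not code from the paper, from RSA or from any vendor: it wraps an 8-byte key under a deliberately tiny textbook-RSA key built from two Mersenne primes (every constant is constructed here) and compares a leaky unwrap, which reports a distinct reason for each malformed block, with a hardened one that checks the whole block and collapses every failure into a single outcome. The probe blocks are built with nothing but the public key, which is exactly why distinguishable failures matter.

```python
"""Toy PKCS#1 v1.5 (type 2) key wrapping: a leaky unwrap beside a hardened one.

Added illustration. The key is a constructed, far-too-small textbook RSA key
(n is about 2^150), chosen only so the example runs instantly without any
third-party library.
"""
from __future__ import annotations

import secrets

P = (1 << 61) - 1            # Mersenne prime 2^61 - 1 (constructed toy key)
Q = (1 << 89) - 1            # Mersenne prime 2^89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # byte length of the modulus: 19 here


def rsa_public(m: int) -> int:
    return pow(m, E, N)


def rsa_private(c: int) -> int:
    return pow(c, D, N)


def pkcs1_v15_pad(key: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS (non-zero random, at least 8 bytes) || 0x00 || key."""
    ps_len = K - 3 - len(key)
    if ps_len < 8:
        raise ValueError("key too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + key


def wrap(key: bytes) -> bytes:
    """Public-key operation only: anyone with (N, E) can produce wrapped blobs."""
    return rsa_public(int.from_bytes(pkcs1_v15_pad(key), "big")).to_bytes(K, "big")


def unwrap_leaky(blob: bytes) -> tuple[str, bytes | None]:
    """Unwrap that reports *why* the block failed. Each early return is a
    separately observable outcome, i.e. a padding oracle."""
    em = rsa_private(int.from_bytes(blob, "big")).to_bytes(K, "big")
    if em[0] != 0x00:
        return ("bad leading byte", None)
    if em[1] != 0x02:
        return ("bad block type", None)
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return ("missing separator", None)
    if sep < 10:                     # fewer than 8 padding bytes
        return ("padding string too short", None)
    return ("ok", em[sep + 1:])


def unwrap_hardened(blob: bytes) -> tuple[str, bytes | None]:
    """Evaluates every condition over the whole block without data-dependent
    early exits and reports one uniform failure. (Python cannot guarantee flat
    timing; the structure shows the intent a native implementation must meet.)"""
    em = rsa_private(int.from_bytes(blob, "big")).to_bytes(K, "big")
    bad = em[0] | (em[1] ^ 0x02)     # non-zero if the header is wrong
    sep, found = 0, 0
    for i in range(2, K):            # locate the first 0x00 without branching on it
        is_zero = 1 if em[i] == 0 else 0
        sep |= i * is_zero * (1 - found)
        found |= is_zero
    bad |= 1 - found                 # no separator at all
    bad |= 1 if sep < 10 else 0      # padding string shorter than 8 bytes
    if bad:
        return ("failure", None)
    return ("ok", em[sep + 1:])


def probe_outcomes(unwrap) -> set[str]:
    """Feed the routine blocks that are each malformed in one specific way and
    return the set of distinguishable results it exposes."""
    good = b"\x00\x02" + b"\x7f" * 8 + b"\x00" + b"K" * 8
    probes = [
        good,
        b"\x01" + good[1:],                                    # wrong leading byte
        b"\x00\x01" + good[2:],                                # wrong block type
        b"\x00\x02" + b"\x7f" * (K - 2),                       # no separator
        b"\x00\x02" + b"\x7f" * 3 + b"\x00" + b"K" * (K - 6),  # PS too short
    ]
    outcomes = set()
    for em in probes:
        blob = rsa_public(int.from_bytes(em, "big")).to_bytes(K, "big")
        outcomes.add(unwrap(blob)[0])
    return outcomes


if __name__ == "__main__":
    print("leaky unwrap distinguishes:   ", sorted(probe_outcomes(unwrap_leaky)))
    print("hardened unwrap distinguishes:", sorted(probe_outcomes(unwrap_hardened)))
```

Run stand-alone, it lists five distinguishable outcomes for the leaky routine and two for the hardened one. The paper's speed-up comes precisely from import routines whose acceptance behaviour reveals which check a block passed, so collapsing the error is the first thing a vendor fix has to do. It is necessary but not sufficient: timing and other side channels must also be flat, which a native implementation has to engineer deliberately and which is one reason PKCS#1 v1.5 is usually replaced by RSA-OAEP (PKCS#1 v2) or a dedicated key-wrap mode for this purpose.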

Other devices that store RSA keys and are vulnerable to the same attack include the Aladdin eTokenPro and iKey 2032 made by SafeNet, the CyberFlex manufactured by Gemalto, and Siemens' CardOS, according to the paper.

The researchers also use refinements of an attack introduced in 2002 by Serge Vaudenay that exploits weaknesses in the padding used with cipher block chaining (CBC) mode to extract symmetric keys.

The CRYPTO 2012 paper is the latest research to demonstrate serious weaknesses in devices that large numbers of organizations rely on to secure digital certificates. In 2008, a team of hardware engineers and cryptographers cracked the encryption in the Mifare Classic, a wireless card used by transit operators and other organizations in the public and private sectors to control physical access to buildings. Netherlands-based manufacturer NXP Semiconductors said at the time it had sold 1 billion to 2 billion of the devices. Since then, crypto in a steady stream of other devices, including the Keeloq security system and the MiFare DESFire MF3ICD40, has also been seriously compromised.

The latest research comes after RSA warned last year that the effectiveness of the SecurID system its customers use to secure corporate and governmental networks was compromised after hackers broke into RSA networks and stole confidential information concerning the two-factor authentication product. Not long after that, military contractor Lockheed Martin revealed a breach it said was aided by the theft of that confidential RSA data. There's nothing in the new paper that suggests the attack works on SecurID devices other than the 800 model.

RSA didn't return e-mails seeking comment for this article. According to the researchers, RSA officials are aware of the attacks first described by Bleichenbacher and are planning a fix. SafeNet and Siemens are also in the process of fixing the flaws, they said. The researchers also reported that Estonian officials have said the attack is too slow to be practical.

Update

More than 24 hours after this article was published, and 72 hours after Ars Technica sought comment from RSA, company representatives have issued a statement saying they "strongly disagree with the suggested implications of the Ars Technica article." Among other things, the statement says: "While RSA would agree that the research paper demonstrates an improvement of the padding oracle attack, the attack is better characterized as against the PKCS #1 V1.5 standard rather than any particular device."

The statement, and an accompanying blog post titled Don't believe Everything You Read ... Your RSA SecurID Token is not cracked, come after RSA officials challenged claims in this article that said the attack could be used to extract cryptographic keys from the SecurID 800. These officials now concede that the attack can be used to access symmetric keys stored on the device. They now take issue with use of the word "crack" in the headline and say that the exploit described in the original paper is an "academic exercise" and "not a useful attack."

Ars Technica stands by the reporting in this article.

Story updated to make clear SecurID 800 is the only SecurID device targeted in the new attack and to change "private keys" to "secret keys" in the sixth paragraph.