[Pki-devel] [Pki-users] researches have stolen an RSA private key from an Gemalto Cyberflex RSA Token
Andrew Wnuk
awnuk at redhat.com
Tue Jun 26 19:08:15 UTC 2012
On 06/26/2012 07:06 AM, Fabian Bertholm wrote:
> Hi,
>
> I am not sure what the implications will be but I think the redhat PKI
> system is at least using the same hardware.
> You should read this paper.
> http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf
>
> What does this mean for us as users?
The following response was provided by Robert Relyea:
For most token users, nothing. The researchers have not extracted
the RSA private key, they extracted a symmetric key that is
encrypted to the private key on the token. In environments where the
token does not support decrypt, and operate on FIPS level-3 or
above, this is big news, but for deployments which use a basic
"RSA-op" function, not even separate Sign/Decrypt functions, you can
simply decrypt the blob and get the symmetric key.
The paper is definitely worthy of attention, but for most
deployments it will have little or now impact.
>
> Best regard,
> Fabian Bertholm
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120626/45290ab7/attachment.htm>
More information about the Pki-devel
mailing list