
Encryption: No Magic Bullet

Encryption is a powerful security tool. Properly used, it can render sensitive information (nearly) impossible for outsiders to use, by turning it into what looks like gibberish unless and until decrypted. But take careful note of that parenthetical "nearly."

A team of cryptanalysts has shown the importance of "nearly" by demonstrating how to extract a secret key from RSA's SecurID 800, a widely used authenticator token. As reported in a paper due to be presented at the CRYPTO 2012 Conference in August, the team succeeded in breaking the key in just 13 minutes.

Several other token devices are also vulnerable to the attack, including electronic national ID cards issued to Estonians.

The successful cipher cracking was accomplished using a technique first demonstrated in 1998, called a "padding oracle attack." In this technique, the encrypted message is submitted to the device's key-import process thousands of times, each time with subtle changes. The pattern of accept and reject responses eventually reveals the plaintext source message.

An initial test version required 215,000 oracle calls, too many for a practical attack. But tweaks to the algorithm reduced the number of passes to 9,400, taking only 13 minutes to execute.
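The "oracle" in a padding oracle attack is simply an import routine whose response differs depending on where a malformed block fails its padding check. The following added example (not code from the article or from the CRYPTO 2012 paper, and involving no real token or RSA operation) shows a PKCS#1 v1.5 type-2 unpadding routine written two ways: `leaky_unpad` reports a distinct reason for each rejection, which is the behaviour an attacker needs, while `uniform_unpad` answers identically for every malformed block and falls back to a random key rather than an error, the countermeasure TLS adopted after the 1998 attack. The key length, block length and tampered inputs are constructed for the example.

```python
"""Added example: a padding check that acts as an oracle, beside one that does not."""
import secrets
from typing import List, Optional, Set, Tuple, Callable

KEY_LEN = 16      # assumed length of the wrapped symmetric key
BLOCK_LEN = 128   # assumed RSA block length (1024-bit modulus)


def pkcs1_v15_pad(key: bytes, block_len: int = BLOCK_LEN) -> bytes:
    """Build a type-2 block: 00 02 <at least 8 non-zero random bytes> 00 <key>."""
    pad_len = block_len - 3 - len(key)
    assert pad_len >= 8, "PKCS#1 v1.5 requires at least 8 padding bytes"
    padding = bytes(secrets.choice(range(1, 256)) for _ in range(pad_len))
    return b"\x00\x02" + padding + b"\x00" + key


def leaky_unpad(block: bytes) -> Tuple[str, Optional[bytes]]:
    """The oracle: a different answer for each point at which the check fails.

    Every distinguishable outcome tells a caller something about the decrypted
    block, which is exactly what the attack accumulates over thousands of queries.
    """
    if block[:2] != b"\x00\x02":
        return "bad-header", None
    sep = block.find(b"\x00", 2)
    if sep == -1:
        return "no-separator", None
    if sep - 2 < 8:
        return "padding-too-short", None
    key = block[sep + 1:]
    if len(key) != KEY_LEN:
        return "bad-key-length", None
    return "ok", key


def uniform_unpad(block: bytes) -> Tuple[str, bytes]:
    """The same checks, but every failure collapses into one indistinguishable outcome.

    Instead of an error, a malformed block yields a random key, so the caller's
    later failure looks the same whether or not the padding was valid.  Real
    implementations must also keep the timing uniform (constant-time comparison);
    that is outside the scope of this example.
    """
    fallback = secrets.token_bytes(KEY_LEN)
    ok = block[:2] == b"\x00\x02"
    sep = block.find(b"\x00", 2)
    ok &= (sep != -1) and (sep - 2 >= 8)
    candidate = block[sep + 1:] if sep != -1 else b""
    ok &= len(candidate) == KEY_LEN
    return "ok", (candidate if ok else fallback)


def tampered_blocks(good: bytes) -> List[bytes]:
    """Constructed inputs, one per failure point, plus the untouched good block."""
    return [
        good,
        b"\x00\x03" + good[2:],                           # wrong header
        good[:2] + good[2:].replace(b"\x00", b"\x01"),    # separator removed
        b"\x00\x02" + b"\x11" * 3 + b"\x00" + good[6:],   # only 3 padding bytes
        b"\x00\x02" + b"\x11" * 8 + b"\x00" + good[11:],  # separator too early
    ]


def distinct_outcomes(unpad: Callable[[bytes], Tuple[str, Optional[bytes]]],
                      blocks: List[bytes]) -> Set[str]:
    """How many different answers an outsider can observe from this routine."""
    return {unpad(b)[0] for b in blocks}


if __name__ == "__main__":
    key = bytes(range(1, KEY_LEN + 1))
    blocks = tampered_blocks(pkcs1_v15_pad(key))
    print("leaky  :", sorted(distinct_outcomes(leaky_unpad, blocks)))
    print("uniform:", sorted(distinct_outcomes(uniform_unpad, blocks)))
```

The point of the comparison is that the attack needs only a yes/no signal, not a decrypted value: five observable outcomes from `leaky_unpad` give the querier far more than one bit per call, whereas `uniform_unpad` gives none at the padding layer. Closing the padding oracle does not remove the need for authenticated encryption or for limiting how many import attempts a device will service.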

This demonstration does not mean that encryption is not an effective security tool. But it does show that encryption alone is not a magic-bullet solution for protecting sensitive data. In fact, there is no single magic-bullet solution that will guard data from every form of attack.