On 06/26/2012 07:06 AM, Fabian Bertholm wrote:
Hi,
I am not sure what the implications will be, but I think the Red Hat PKI
system is at least using the same hardware.
You should read this paper.
http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf
What does this mean for us as users?
The following response was provided by Robert Relyea:
For most token users, nothing. The researchers have not extracted
the RSA private key, they extracted a symmetric key that is
encrypted to the private key on the token. In environments where the
token does not support decrypt, and operate on FIPS level-3 or
above, this is big news, but for deployments which use a basic
"RSA-op" function, not even separate Sign/Decrypt functions, you can
simply decrypt the blob and get the symmetric key.
The paper is definitely worthy of attention, but for most
deployments it will have little or no impact.
Best regards,
Fabian Bertholm
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users