Bugtraq mailing list archives
swc / ActivCard
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 17 Aug 2000 18:54:20 +0200
-- Standard disclaimer: this material contains my personal opinions and beliefs ONLY. It has nothing to do with my employer / company. I am writing it as a private person. It doesn't have to be upright, nor does it even pretend to provide objective / useful information. All statements should be verified before claiming they are true. I can't and will not take any responsibility for any use / misuse of this information, nor any kind of damage / loss caused by any interpretation of it. --

First of all, something light:

Simple Web Counter, a quite popular CGI application (distributed e.g. on Linuxberg ftp) written by Ross Thompson, is vulnerable to a stack buffer overflow when parsing the ctr= parameter. Considered exploitable, exposes some ISP servers.

Then, something more juicy:

Some time ago, we performed a brief, comparative analysis of one-time passphrases returned by different tokens (SecurID and ActivCard, mainly) in short time periods (collecting successive one-time passwords returned by the token). In ActivCard's case, we discovered something at least alarming. Before continuing, please note - although we tried to collect the most accurate and representative data and provide objective and reliable information, there's a chance we've made some mistakes.

-- IMPORTANT STATEMENT --
Thus, please treat this message as an attempt to start further, more complete analysis *ONLY*. You shouldn't trust these statements before making sure they're true - and we can't take *ANY* kind of responsibility they are.
-- END OF IMPORTANT STATEMENT --

Theoretically, the default ActivCard 8-digit display can handle up to 100,000,000 combinations. First, while analysing output returned by different tokens kindly provided to us, we thought ActivCard uses alarmingly small (within around 1-2% of possible number space), but random positive increments in random length sequences. For example:

      .
  05314080                               .
  06401172  < increment around 1.1M      :  --- sequence of increments
  07332504  < increment around 0.9M      |
  08957912  < increment around 1.6M      |
  09134516  < increment around 0.2M      /
  00104910  < large decrement ...        \
      :                                  .

But that was only the first impression. We visualised the output presented by tokens, and found it isn't looking really random: by calculating the first derivative of collected values (over 100 samples), we discovered these increments are determined by simple functions that look pretty deterministic and periodic. For example, one of them (partially responsible for those huge decrements) has a simple cycle of 10. You can see it on graphics generated by our sample program (see below) as green peaks below the X axis.

To make sure we're not studying some rare set of conditions, we checked some other tokens, with different PIN codes. I guess all of them were previously synchronized to the same server (most of them lost synchronisation in the meantime), that's why I'm asking other people to collect some information and try to verify these observations.

I included simple code to visualise one of our sample data portions. It should work on a Linux/BSD box with svgalib installed:

  # gcc -lvga -lm vis.c -o vis
  # ./vis <DATA.in

Actually, I guess you can use any other program, like gnuplot, Derive, Mathematica and so on to perform the visualisation. Dark blue lines are discrete measurement points. The white line connects values in these points, while the green line shows delta (increments between previous and current value).

Consequences? It makes us think that it's quite easy to predict, at least in the short term. It means an attacker, by intercepting a short sequence of one-time passwords, can easily (at least with reasonable probability) predict the next password, and enter it to obtain access to protected systems. Predictability of passwords is definitely against the idea of such tokens.

Of course, very often the ability to sniff a password means the ability to intercept the session, but by making such an assumption in order to justify predictable output, we have to ask if we need such tokens at all, instead of static passwords? ;)

Even basing on our rough estimations and basic analysis, we were able to guess the next number with about 35% chance within 100 attempts - while, if the returned values were meant to be indeterministic, this chance should be equal to 0.00001%. I guess in-depth analysis might expose more details about the ActivCard algorithm - or prove we've made a mistake.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Attachment:
DATA.in
Description:
Attachment:
vis.c
Description:
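
The first-difference check described in the message, as an added example that is not part of the original post or its vis.c attachment: it computes the deltas of the six values quoted in the message and estimates how likely that many small positive increments would be if the outputs were independent and uniform over the 8-digit space. The 2% window, the function names and the seeded reference data are assumptions made for this illustration.

```python
import random
from math import exp, lgamma, log

SPACE = 10**8          # 8-digit display, as stated in the post
WINDOW = SPACE // 50   # assumption: 2% of the space (top of the post's "1-2%")

# The six successive values quoted in the post.
POST_SAMPLE = [5314080, 6401172, 7332504, 8957912, 9134516, 104910]

def deltas(values):
    """First differences between successive one-time passwords."""
    return [b - a for a, b in zip(values, values[1:])]

def small_increment_count(values, window=WINDOW):
    """Number of deltas that are positive and no larger than `window`."""
    return sum(1 for d in deltas(values) if 0 < d <= window)

def null_probability(window=WINDOW, space=SPACE):
    """P(0 < Y - X <= window) for independent uniform X, Y (continuous approx.)."""
    w = window / space
    return w - w * w / 2

def binomial_tail(k, n, p):
    """P(at least k hits in n trials), summed in log space to avoid overflow."""
    def term(i):
        log_comb = lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
        return exp(log_comb + i * log(p) + (n - i) * log(1 - p))
    return min(1.0, sum(term(i) for i in range(k, n + 1)))

def assess(values):
    """Return (hits, deltas, tail probability under the uniform hypothesis).

    Treating successive deltas as independent trials is an approximation.
    """
    n = len(values) - 1
    k = small_increment_count(values)
    return k, n, binomial_tail(k, n, null_probability())

def uniform_reference(n=2000, seed=1):
    """Constructed comparison data: n seeded pseudo-random 8-digit values."""
    rng = random.Random(seed)
    return [rng.randrange(SPACE) for _ in range(n)]

if __name__ == "__main__":
    for name, data in (("post sample", POST_SAMPLE),
                       ("uniform reference", uniform_reference())):
        k, n, p = assess(data)
        print(f"{name}: {k}/{n} small positive increments, tail p = {p:.3g}")
```

A tail probability far below any reasonable significance level on real token output is a reason to collect a longer sample and look at the delta series directly, which is what the message asks other readers to do.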