WebApp Sec mailing list archives
RE: one-time password (OTP) authentication
From: "Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>
Date: Mon, 20 Jun 2005 10:40:19 +0200
Hi Andrew
OTP and other forms of "strong" authentication (time based key fobs, USB tokens, smart cards, certificates, etc) are all subject to MITM attacks as the token can be re-used for another unauthorized transaction within the validity window.
I disagree with your statement that they are all subject to the same kind of MITM attacks "by nature". Especially asymmetric challenge response protocols that involve random numbers generated on both sides and other cryptographical components on the protocol level are not subject to MITM themselves. One example are SSL client certificate authentications but there are also others. The token itself cannot be replayed and the attacker cannot derive the secret information he would have to know because it is part of the SSL protocol to initiate a secure session based on a symmetric key that is derived from the asymmetric token exchange. It is not like capturing a SecurID number with a one or two minute time frame. Of course, compromising the client by manipulating the browser's SSL stack or by having a user who clicks away certificate warnings etc. would still present a possible way to attack such a type of authentication scheme. And the protection of private keys etc. is crucial. However, that is not MITM... It think it's very important to distinguish different types of strong authentication when discussing their weaknesses. There are at least the following different categories: - OTP without session binding - OTP with session binding - Asymmetric challenge response protocols (not just asymmetric data exchange) Don't get me wrong, all of these schemes have their potential weaknesses, especially when the client side gets fully compromised. But they are not just all vulnerable to the same MITM attack procedure. The different types require different manipulations to be successfully compromised by an attacker. Best regards Cyrill Osterwalder
-----Original Message----- From: Andrew van der Stock [mailto:vanderaj () greebo net] Sent: Sonntag, 19. Juni 2005 15:23 To: webappsec () securityfocus com Subject: Re: one-time password (OTP) authentication OTP and other forms of "strong" authentication (time based key fobs, USB tokens, smart cards, certificates, etc) are all subject to MITM attacks as the token can be re-used for another unauthorized transaction within the validity window. If the user gets a dialog that looks reasonable and says "yep, allow the cert to be used" or "yep, allow the USB token to issue a code", the attacker still has a valid token which they can use if they have the browser wired up or trojaned. Plus they have a user interface which could be copied (think XUL or XAML or the Apple "please type the admin password" dialog). The only way around this is transaction signing where the user keys in something (say the transaction ID or balance or something) and that changes the OTP output making it relevant to only the application which needs that output. I like the transaction signing token to be completely separate to the client machine as we can't trust the client machine. Not only is the client machine under the control of a user (who may or may not be our friend), there's spyware and other rubbish on there which compromise the trust base. Connecting tokens via Irda, USB or bluetooth may seem like a cool idea, but honestly, it reduces the security of the solution in my opinion. Plus anything with local drivers is a support nightmare. Andrew
Current thread:
- one-time password (OTP) authentication james (Jun 18)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- Re: one-time password (OTP) authentication Andrew van der Stock (Jun 19)
- Re: one-time password (OTP) authentication Joseph Miller (Jun 20)
- <Possible follow-ups>
- RE: one-time password (OTP) authentication Cyrill Osterwalder (Jun 20)
- RE: one-time password (OTP) authentication maburns (Jun 20)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 21)
- Re: one-time password (OTP) authentication Achim Hoffmann (Jun 21)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- RE: one-time password (OTP) authentication maburns (Jun 20)