RE: one-time password (OTP) authentication

["Cyrill Osterwalder" <cyrill.osterwalder () seclutions com>]

Hi Andrew

> OTP and other forms of "strong" authentication (time based key fobs,  
> USB tokens, smart cards, certificates, etc) are all subject to MITM  
> attacks as the token can be re-used for another unauthorized  
> transaction within the validity window.

I disagree with your statement that they are all subject to the same kind of
MITM attacks "by nature".

Especially asymmetric challenge response protocols that involve random
numbers generated on both sides and other cryptographical components on the
protocol level are not subject to MITM themselves. One example are SSL client
certificate authentications but there are also others. The token itself
cannot be replayed and the attacker cannot derive the secret information he
would have to know because it is part of the SSL protocol to initiate a
secure session based on a symmetric key that is derived from the asymmetric
token exchange. It is not like capturing a SecurID number with a one or two
minute time frame.

Of course, compromising the client by manipulating the browser's SSL stack or
by having a user who clicks away certificate warnings etc. would still
present a possible way to attack such a type of authentication scheme. And
the protection of private keys etc. is crucial. However, that is not MITM...

It think it's very important to distinguish different types of strong
authentication when discussing their weaknesses. There are at least the
following different categories:

- OTP without session binding
- OTP with session binding
- Asymmetric challenge response protocols
  (not just asymmetric data exchange)

Don't get me wrong, all of these schemes have their potential weaknesses,
especially when the client side gets fully compromised. But they are not just
all vulnerable to the same MITM attack procedure. The different types require
different manipulations to be successfully compromised by an attacker.

Best regards
Cyrill Osterwalder


 

> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj () greebo net] 
> Sent: Sonntag, 19. Juni 2005 15:23
> To: webappsec () securityfocus com
> Subject: Re: one-time password (OTP) authentication
>
> OTP and other forms of "strong" authentication (time based key fobs,  
> USB tokens, smart cards, certificates, etc) are all subject to MITM  
> attacks as the token can be re-used for another unauthorized  
> transaction within the validity window.
>
> If the user gets a dialog that looks reasonable and says "yep, allow  
> the cert to be used" or "yep, allow the USB token to issue a code",  
> the attacker still has a valid token which they can use if they have  
> the browser wired up or trojaned. Plus they have a user interface  
> which could be copied (think XUL or XAML or the Apple "please type  
> the admin password" dialog).
>
> The only way around this is transaction signing where the user keys  
> in something (say the transaction ID or balance or something) and  
> that changes the OTP output making it relevant to only the  
> application which needs that output.
>
> I like the transaction signing token to be completely 
> separate to the  
> client machine as we can't trust the client machine. Not only is the  
> client machine under the control of a user (who may or may 
> not be our  
> friend), there's spyware and other rubbish on there which compromise  
> the trust base.
>
> Connecting tokens via Irda, USB or bluetooth may seem like a cool  
> idea, but honestly, it reduces the security of the solution in my  
> opinion. Plus anything with local drivers is a support nightmare.
>
> Andrew