Network Security Vuln-Dev

Re: Digipass Go3 Token Dumper (at least for 2006)

Subject: Re: Digipass Go3 Token Dumper (at least for 2006)
Date: Fri, 24 Nov 2006 11:17:06 +0100 (CET)
On Sun, 12 Nov 2006, fcollyer@gmail.com wrote:

The initial reverse engineering of Vasco's Digipass Go3 algorithm follows in 
C++.
I think this implementation is a "rough" approximation, if we take some 
limitations about 2006 and the calculations made into account. Or I'm just 
joking? :)

This generator was able to predict an "otp" collision, within ~10 days range.
I publish this here, for further study/analysis by the community. The dumper 
part is something of a mess, used in a needed/just in time basis. Hack it 
around.
(the names are based in the meta-info used inside Vasco's dpx files; [TARGET] 
is an otp used to synchronize with a token device)

The 3 secrets' derivation is 3DES 112 based, and real ".dpx" files were used 
with success.
The core is also 3DES 112 based, as a hash/generator.

I have strong evidences (opcodes) to believe that Vasco's used openssl 
library, without proper acknowledgment. Who knows?
As DES is free, I guess the patents held by the company protect only the 
synchronization side of digipass. Just a theory (I'm lazy, tired, and didn't 
research).

A brute-force approach was used instead, because I believe in law.
(I hope law also believes me!)

Below is the formal response we received from Vasco after I asked for a 
clarification:

        ------8<------

VASCO's statement regarding reverse engineering of Digipass GO-3

Background

On November 12, a message [1] regarding reverse engineering of VASCO's 
Digipass GO-3 strong authentication product was sent to the Bugtraq 
security mailing list. Firstly, the message presented the algorithm used 
by Digipass GO-3 to compute one-time passwords. Secondly, the message 
provided the source code of a software programme that allows finding the 
one-time password coming next in time to a one-time password generated by 
a Digipass GO3 token, assuming that the cryptographic keys embedded in the 
Digipass GO-3 token being considered are known.

Next to this, another message [2] on the SecurityFocus website claimed 
that the Digipass algorithm implemented by Digipass GO-3 uses an 
encryption algorithm with a short key length. This key length would allow 
adversaries to successfully perform a brute force attack and recover the 
cryptographic key used to compute one-time passwords.

VASCO's statement

1)      Statement regarding reverse engineering of Digipass GO-3

The security of VASCO's Digipass GO-3 and all its strong authentication 
products does not rely on the secrecy of the Digipass algorithms at all. 
The security of VASCO's strong authentication products only relies on the 
secrecy of the cryptographic keys involved. This principle, widely known 
as Kerckhoff's principle, is respected and adhered to by VASCO. For this 
reason, reverse engineering of VASCO's Digipass algorithms is by no means 
a security threat to VASCO's strong authentication products. On the 
contrary, VASCO's Digipass algorithms are available to its customers, 
allowing them to subject the Digipass algorithms to their own scrutiny. 
The author of the Bugtraq message also states that the cryptographic keys 
are needed in order to compute one-time passwords.

2)      Statement regarding the encryption algorithms implemented in 
Digipass GO-3

All VASCO's strong authentication products, including Digipass GO-3, use 
only standardized cryptographic algorithms that have been subjected to 
public scrutiny by experts. These cryptographic algorithms include DES, 
3DES and AES. VASCO always recommends its customers to use the strongest 
algorithm, if possible. Today, the strongest algorithms are 3DES and AES. 
These algorithms are supported by Digipass GO-3.

Some customers, however, require the usage of an older algorithm such as 
DES for reasons that are out of VASCO's control, such as backwards 
compatibility with legacy applications. VASCO's technology has been used 
for more than 15 years indeed. In order to augment the security-level for 
customers that want to use DES, VASCO has always used and still uses an 
additional secret that increases the length of the secret from 56 bits 
(the length of a DES-key) to 80 bits. In this way, VASCO effectively 
thwarts brute force attacks.

Conclusion

The security of VASCO's strong authentication products relies on the 
secrecy of the cryptographic keys only. Therefore, reverse engineering 
does not pose a security threat to VASCO's products. On the contrary, it 
illustrates VASCO's adherence to well-established design principles. 
Moreover, VASCO only uses standardized cryptographic algorithms that 
withstand brute force attacks and recommends using the strongest 
algorithms such as 3DES and AES.

References
[1] http://seclists.org/bugtraq/2006/Nov/0189.html
[2] http://www.securityfocus.com/bid/21040

        ------8<------

Regards,
Hugo.

-- 
        hvdkooij@vanderkooij.org        http://hvdkooij.xs4all.nl/
            This message is using 100% recycled electrons.