Hi Andrew
OTP and other forms of "strong" authentication (time based key fobs,
USB tokens, smart cards, certificates, etc) are all subject to MITM
attacks as the token can be re-used for another unauthorized
transaction within the validity window.
I disagree with your statement that they are all subject to the same kind of
MITM attacks "by nature".
Especially asymmetric challenge response protocols that involve random
numbers generated on both sides and other cryptographical components on the
protocol level are not subject to MITM themselves. One example are SSL client
certificate authentications but there are also others. The token itself
cannot be replayed and the attacker cannot derive the secret information he
would have to know because it is part of the SSL protocol to initiate a
secure session based on a symmetric key that is derived from the asymmetric
token exchange. It is not like capturing a SecurID number with a one or two
minute time frame.
Of course, compromising the client by manipulating the browser's SSL stack or
by having a user who clicks away certificate warnings etc. would still
present a possible way to attack such a type of authentication scheme. And
the protection of private keys etc. is crucial. However, that is not MITM...
It think it's very important to distinguish different types of strong
authentication when discussing their weaknesses. There are at least the
following different categories:
- OTP without session binding
- OTP with session binding
- Asymmetric challenge response protocols
(not just asymmetric data exchange)
Don't get me wrong, all of these schemes have their potential weaknesses,
especially when the client side gets fully compromised. But they are not just
all vulnerable to the same MITM attack procedure. The different types require
different manipulations to be successfully compromised by an attacker.
Best regards
Cyrill Osterwalder
-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj@greebo.net]
Sent: Sonntag, 19. Juni 2005 15:23
To: webappsec@securityfocus.com
Subject: Re: one-time password (OTP) authentication
OTP and other forms of "strong" authentication (time based key fobs,
USB tokens, smart cards, certificates, etc) are all subject to MITM
attacks as the token can be re-used for another unauthorized
transaction within the validity window.
If the user gets a dialog that looks reasonable and says "yep, allow
the cert to be used" or "yep, allow the USB token to issue a code",
the attacker still has a valid token which they can use if they have
the browser wired up or trojaned. Plus they have a user interface
which could be copied (think XUL or XAML or the Apple "please type
the admin password" dialog).
The only way around this is transaction signing where the user keys
in something (say the transaction ID or balance or something) and
that changes the OTP output making it relevant to only the
application which needs that output.
I like the transaction signing token to be completely
separate to the
client machine as we can't trust the client machine. Not only is the
client machine under the control of a user (who may or may
not be our
friend), there's spyware and other rubbish on there which compromise
the trust base.
Connecting tokens via Irda, USB or bluetooth may seem like a cool
idea, but honestly, it reduces the security of the solution in my
opinion. Plus anything with local drivers is a support nightmare.
Andrew
