| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Nov 2006 11:17:06 +0100 (CET) From: Hugo van der Kooij <hvdkooij@...derkooij.org> To: Bugtraq mailinglist <bugtraq@...urityfocus.com> Subject: Re: Digipass Go3 Token Dumper (at least for 2006) On Sun, 12 Nov 2006, fcollyer@...il.com wrote: > The initial reverse engineering of Vascos Digipass Go3 algorithm follows in C++. > I think this implementation is a "rough" approximation, if we take some limitations about 2006 and the calculations made into account. Or I'm just joking :) > > This generator was able to predict an "otp" collision, within ~10 days range. > I publish this here, for further study/analysis by the community. The dumper part is something off a mess, used in a needed/just in time basis. Hack it around. > (the names are based in the meta-info used inside Vasco's dpx files; [TARGET] is an otp used to synchronize with a token device) > > The 3 secrets' derivation is 3DES 112 based, and real ".dpx" files were used with success. > The core is also 3DES 112 based, as a hash/generator. > > I have strong evidences (opcodes) to believe that Vasco's used openssl library, without proper acknowledgment. Who knows? > As DES is free, I guess the patents holded by the company protect only the synchronization side of digipass. Just a theory (I'm lazy, tired, and didn't research). > > A brute-force approach was used instead, because I believe in law. > (I hope law also believes me!) Below is the formal response we received from Vasco after I asked for a clarification: ------8<------ VASCO.s statement regarding reverse engineering of Digipass GO-3 Background On November 12, a message [1] regarding reverse engineering of VASCO.s Digipass GO-3 strong authentication product was sent to the Bugtraq security mailing list. Firstly, the message presented the algorithm used by Digipass GO-3 to compute one-time passwords. Secondly, the message provided the source code of a software programme that allows finding the one-time password coming next in time to a one-time password generated by a Digipass GO3 token, assuming that the cryptographic keys embedded in the Digipass GO-3 token being considered are known. Next to this, another message [2] on the SecurityFocus website claimed that the Digipass algorithm implemented by Digipass GO-3 uses an encryption algorithm with a short key length. This key length would allow adversaries to successfully perform a brute force attack and recover the cryptographic key used to compute one-time passwords. VASCO.s statement 1) Statement regarding reverse engineering of Digipass GO-3 The security of VASCO.s Digipass GO-3 and all its strong authentication products does not rely on the secrecy of the Digipass algorithms at all. The security of VASCO.s strong authentication products only relies on the secrecy of the cryptographic keys involved. This principle, widely known as Kerckhoff.s principle, is respected and adhered to by VASCO. For this reason, reverse engineering of VASCO.s Digipass algorithms is by no means a security threat to VASCO.s strong authentication products. On the contrary, VASCO.s Digipass algorithms are available to its customers, allowing them to subject the Digipass algorithms to their own scrutiny. The author of the Bugtraq message also states that the cryptographic keys are needed in order to compute one-time passwords. 2) Statement regarding the encryption algorithms implemented in Digipass GO-3 All VASCO.s strong authentication products, including Digipass GO-3, use only standardized cryptographic algorithms that have been subjected to public scrutiny by experts. These cryptographic algorithms include DES, 3DES and AES. VASCO always recommends it customers to use the strongest algorithm, if possible. Today, the strongest algorithms are 3DES and AES. These algorithms are supported by Digipass GO-3. Some customers, however, require the usage of an older algorithm such as DES for reasons that are out of VASCO.s control, such as backwards compatibility with legacy applications. VASCO.s technology has been used for more than 15 years indeed. In order to augment the security-level for customers that want to use DES, VASCO has always used and still uses an additional secret that increases the length of the secret from 56 bits (the length of a DES-key) to 80 bits. In this way, VASCO effectively thwarts brute force attacks. Conclusion The security of VASCO.s strong authentication products relies on the secrecy of the cryptographic keys only. Therefore, reverse engineering does not pose a security threat to VASCO.s products. On the contrary, it illustrates VASCO.s adherence to well-established design principles. Moreover, VASCO only uses standardized cryptographic algorithms that withstand brute force attacks and recommends using the strongest algorithms such as 3DES and AES. References [1] http://seclists.org/bugtraq/2006/Nov/0189.html [2] http://www.securityfocus.com/bid/21040 ------8<------ Regards, Hugo. -- hvdkooij@...derkooij.org http://hvdkooij.xs4all.nl/ This message is using 100% recycled electrons.
Powered by blists - more mailing lists