[16340] in bugtraq
Re: swc / ActivCard
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Aug 22 00:47:37 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0008212230580.7495-100000@dione.ids.pl>
Date: Mon, 21 Aug 2000 22:52:39 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Alan DeKok <aland@STRIKER.OTTAWA.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200008211723.NAA15987@cpu1751.adsl.bellglobal.com>
// Please, Aleph, approve this post, I believe it's quite
// important to explain and summarize some facts :)
On Mon, 21 Aug 2000, Alan DeKok wrote:
> The first two digits of the password are trivially derived from
> highly predictable counters, which explains why they're so regular.
> It does not, however, explain why the the *rest* of the digits are so
> predictable [...]
To make everything clear - as I noticed, I just wanted to start a
discussion and futher investigation of this ActivCard One synchronous
token issue. None of my statements cannot be threated as true without
checking it independently (what I saild clearly, as well, because I was
using only a few sources of input data for my analysis and it's quite
possible I've made bad assumptions somewhere). Sadly, some people (both
from ActivCard representatives and not related to this company), didn't
understand the nature of my post - and I guess it can be only a bad will,
because I stated it clearly, _twice_.
It's really bad, both to us and ActivCard, to spread FUD. So, it's time to
state the facts:
- we agreed that in 8-digit display, 2 first digits are highly
predictable, partially exposing some bits from internal counters
(I'm not sure what for). There numbers are almost 100% predictable;
as a result, we ha 10^6 combinations instead of 10^8 - which sounds
better for crackers,
- in my set of information (the one I included in my post and for which
I have some troubles - but that's other issue), by dumping binary
image of these values, I found several uncommon conditions, like
alarmingly long sequences of even values (lowest bit set to zero),
some bit sequences appearing eg. with 75% probability where I should
expect something around 7-8% and so on. This lead me to perform
attempts to guess next values with good precision within reasonable
amount of tries. No, I didn't wrote magic program than can predict
next value returned by any token with 100%, but I feel alarmed by
my observations, and that's why I posted this strictly informal
call-for-discussion. Within it, I repeated several times these
observations might be not objective and MUST be verified; in some
subsequences of this input set, I reached probability of several
promiles, which actually isn't bad - especially because it's nothing
hard for computer to perform eg. 1000 attempts, which makes this
probability much higher.
It's bad to debate about algorithm (or, better: implementation) weakness
when in doubt. Unfortunately, we have no way to really discover the way
this token uses to expose / hash it's internal state but by observation. I
guess ActivCard users can easily verify my observations or try to perform
more detailed analysis of information supplied by me or obtained on their
own. Someone with good (better than mine) practical knowledge of
cryptoanalysis and discrete systems' predictability should spent some time
with it, for sure.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
-- Support your government, give Echelon / Carnivore something to parse --
classfield top-secret government restricted data information project CIA
KGB GRU DISA DoD defense systems military systems spy steal terrorist
Allah Natasha Gregori destroy destruct attack democracy will send Russia
bank system compromise international own rule the world ATSC RTEM warmod
ATMD force power enforce sensitive directorate TSP NSTD ORD DD2-N AMTAS
STRAP warrior-T presidental elections policital foreign embassy takeover
--------------------------------------------------------------------------
