Re: Digipass Go3 Token Dumper (at least for 2006)
On Sun, 12 Nov 2006, fcollyer@xxxxxxxxx wrote:
> The initial reverse engineering of Vasco?s Digipass Go3 algorithm follows in
> C++.
> I think this implementation is a "rough" approximation, if we take some
> limitations about 2006 and the calculations made into account. Or I'm just
> joking? :)
>
> This generator was able to predict an "otp" collision, within ~10 days range.
> I publish this here, for further study/analysis by the community. The dumper
> part is something off a mess, used in a needed/just in time basis. Hack it
> around.
> (the names are based in the meta-info used inside Vasco's dpx files; [TARGET]
> is an otp used to synchronize with a token device)
>
> The 3 secrets' derivation is 3DES 112 based, and real ".dpx" files were used
> with success.
> The core is also 3DES 112 based, as a hash/generator.
>
> I have strong evidences (opcodes) to believe that Vasco's used openssl
> library, without proper acknowledgment. Who knows?
> As DES is free, I guess the patents holded by the company protect only the
> synchronization side of digipass. Just a theory (I'm lazy, tired, and didn't
> research).
>
> A brute-force approach was used instead, because I believe in law.
> (I hope law also believes me!)
Below is the formal response we received from Vasco after I asked for a
clarification:
------8<------
VASCO.s statement regarding reverse engineering of Digipass GO-3
Background
On November 12, a message [1] regarding reverse engineering of VASCO.s
Digipass GO-3 strong authentication product was sent to the Bugtraq
security mailing list. Firstly, the message presented the algorithm used
by Digipass GO-3 to compute one-time passwords. Secondly, the message
provided the source code of a software programme that allows finding the
one-time password coming next in time to a one-time password generated by
a Digipass GO3 token, assuming that the cryptographic keys embedded in the
Digipass GO-3 token being considered are known.
Next to this, another message [2] on the SecurityFocus website claimed
that the Digipass algorithm implemented by Digipass GO-3 uses an
encryption algorithm with a short key length. This key length would allow
adversaries to successfully perform a brute force attack and recover the
cryptographic key used to compute one-time passwords.
VASCO.s statement
1) Statement regarding reverse engineering of Digipass GO-3
The security of VASCO.s Digipass GO-3 and all its strong authentication
products does not rely on the secrecy of the Digipass algorithms at all.
The security of VASCO.s strong authentication products only relies on the
secrecy of the cryptographic keys involved. This principle, widely known
as Kerckhoff.s principle, is respected and adhered to by VASCO. For this
reason, reverse engineering of VASCO.s Digipass algorithms is by no means
a security threat to VASCO.s strong authentication products. On the
contrary, VASCO.s Digipass algorithms are available to its customers,
allowing them to subject the Digipass algorithms to their own scrutiny.
The author of the Bugtraq message also states that the cryptographic keys
are needed in order to compute one-time passwords.
2) Statement regarding the encryption algorithms implemented in
Digipass GO-3
All VASCO.s strong authentication products, including Digipass GO-3, use
only standardized cryptographic algorithms that have been subjected to
public scrutiny by experts. These cryptographic algorithms include DES,
3DES and AES. VASCO always recommends it customers to use the strongest
algorithm, if possible. Today, the strongest algorithms are 3DES and AES.
These algorithms are supported by Digipass GO-3.
Some customers, however, require the usage of an older algorithm such as
DES for reasons that are out of VASCO.s control, such as backwards
compatibility with legacy applications. VASCO.s technology has been used
for more than 15 years indeed. In order to augment the security-level for
customers that want to use DES, VASCO has always used and still uses an
additional secret that increases the length of the secret from 56 bits
(the length of a DES-key) to 80 bits. In this way, VASCO effectively
thwarts brute force attacks.
Conclusion
The security of VASCO.s strong authentication products relies on the
secrecy of the cryptographic keys only. Therefore, reverse engineering
does not pose a security threat to VASCO.s products. On the contrary, it
illustrates VASCO.s adherence to well-established design principles.
Moreover, VASCO only uses standardized cryptographic algorithms that
withstand brute force attacks and recommends using the strongest
algorithms such as 3DES and AES.
References
[1] http://seclists.org/bugtraq/2006/Nov/0189.html
[2] http://www.securityfocus.com/bid/21040
------8<------
Regards,
Hugo.
--
hvdkooij@xxxxxxxxxxxxxxx http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.