Re: Digipass Go3 Token Dumper (at least for 2006)

To: Bugtraq mailinglist <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Digipass Go3 Token Dumper (at least for 2006)
From: Hugo van der Kooij <hvdkooij@xxxxxxxxxxxxxxx>
Date: Fri, 24 Nov 2006 11:17:06 +0100 (CET)
In-reply-to: <20061112044157.6599.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20061112044157.6599.qmail@xxxxxxxxxxxxxxxxx>
Reply-to: Bugtraq mailinglist <bugtraq@xxxxxxxxxxxxxxxxx>

On Sun, 12 Nov 2006, fcollyer@xxxxxxxxx wrote:

> The initial reverse engineering of Vasco?s Digipass Go3 algorithm follows in 
> C++.
> I think this implementation is a "rough" approximation, if we take some 
> limitations about 2006 and the calculations made into account. Or I'm just 
> joking? :)
> 
> This generator was able to predict an "otp" collision, within ~10 days range.
> I publish this here, for further study/analysis by the community. The dumper 
> part is something off a mess, used in a needed/just in time basis. Hack it 
> around.
> (the names are based in the meta-info used inside Vasco's dpx files; [TARGET] 
> is an otp used to synchronize with a token device)
> 
> The 3 secrets' derivation is 3DES 112 based, and real ".dpx" files were used 
> with success.
> The core is also 3DES 112 based, as a hash/generator.
> 
> I have strong evidences (opcodes) to believe that Vasco's used openssl 
> library, without proper acknowledgment. Who knows?
> As DES is free, I guess the patents holded by the company protect only the 
> synchronization side of digipass. Just a theory (I'm lazy, tired, and didn't 
> research).
> 
> A brute-force approach was used instead, because I believe in law.
> (I hope law also believes me!)

Below is the formal response we received from Vasco after I asked for a 
clarification:

        ------8<------

VASCO.s statement regarding reverse engineering of Digipass GO-3

Background

On November 12, a message [1] regarding reverse engineering of VASCO.s 
Digipass GO-3 strong authentication product was sent to the Bugtraq 
security mailing list. Firstly, the message presented the algorithm used 
by Digipass GO-3 to compute one-time passwords. Secondly, the message 
provided the source code of a software programme that allows finding the 
one-time password coming next in time to a one-time password generated by 
a Digipass GO3 token, assuming that the cryptographic keys embedded in the 
Digipass GO-3 token being considered are known.

Next to this, another message [2] on the SecurityFocus website claimed 
that the Digipass algorithm implemented by Digipass GO-3 uses an 
encryption algorithm with a short key length. This key length would allow 
adversaries to successfully perform a brute force attack and recover the 
cryptographic key used to compute one-time passwords.

VASCO.s statement

1)      Statement regarding reverse engineering of Digipass GO-3

The security of VASCO.s Digipass GO-3 and all its strong authentication 
products does not rely on the secrecy of the Digipass algorithms at all. 
The security of VASCO.s strong authentication products only relies on the 
secrecy of the cryptographic keys involved. This principle, widely known 
as Kerckhoff.s principle, is respected and adhered to by VASCO. For this 
reason, reverse engineering of VASCO.s Digipass algorithms is by no means 
a security threat to VASCO.s strong authentication products. On the 
contrary, VASCO.s Digipass algorithms are available to its customers, 
allowing them to subject the Digipass algorithms to their own scrutiny. 
The author of the Bugtraq message also states that the cryptographic keys 
are needed in order to compute one-time passwords.

2)      Statement regarding the encryption algorithms implemented in 
Digipass GO-3

All VASCO.s strong authentication products, including Digipass GO-3, use 
only standardized cryptographic algorithms that have been subjected to 
public scrutiny by experts. These cryptographic algorithms include DES, 
3DES and AES. VASCO always recommends it customers to use the strongest 
algorithm, if possible. Today, the strongest algorithms are 3DES and AES. 
These algorithms are supported by Digipass GO-3.

Some customers, however, require the usage of an older algorithm such as 
DES for reasons that are out of VASCO.s control, such as backwards 
compatibility with legacy applications. VASCO.s technology has been used 
for more than 15 years indeed. In order to augment the security-level for 
customers that want to use DES, VASCO has always used and still uses an 
additional secret that increases the length of the secret from 56 bits 
(the length of a DES-key) to 80 bits. In this way, VASCO effectively 
thwarts brute force attacks.

Conclusion

The security of VASCO.s strong authentication products relies on the 
secrecy of the cryptographic keys only. Therefore, reverse engineering 
does not pose a security threat to VASCO.s products. On the contrary, it 
illustrates VASCO.s adherence to well-established design principles. 
Moreover, VASCO only uses standardized cryptographic algorithms that 
withstand brute force attacks and recommends using the strongest 
algorithms such as 3DES and AES.

References
[1] http://seclists.org/bugtraq/2006/Nov/0189.html
[2] http://www.securityfocus.com/bid/21040

        ------8<------

Regards,
Hugo.

-- 
        hvdkooij@xxxxxxxxxxxxxxx        http://hvdkooij.xs4all.nl/
            This message is using 100% recycled electrons.

References:
- Digipass Go3 Token Dumper (at least for 2006)
  - From: fcollyer

Prev by Date: [Aria-Security Team] iNews News Manager SQL Injection
Next by Date: [ GLSA 200611-19 ] ImageMagick: PALM and DCM buffer overflows
Previous by thread: Digipass Go3 Token Dumper (at least for 2006)
Next by thread: Re: Re: Digipass Go3 Token Dumper (at least for 2006)
Index(es):
- Date
- Thread