Bugtraq mailing list archives

Re: swc / ActivCard


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 21 Aug 2000 22:52:39 +0200

// Please, Aleph, approve this post, I believe it's quite
// important to explain and summarize some facts :)

On Mon, 21 Aug 2000, Alan DeKok wrote:

> The first two digits of the password are trivially derived from
> highly predictable counters, which explains why they're so regular.
> It does not, however, explain why the *rest* of the digits are so
> predictable [...]

To make everything clear - as I noted, I just wanted to start a
discussion and further investigation of this ActivCard One synchronous
token issue. None of my statements can be treated as true without
checking them independently (which I said clearly as well, because I was
using only a few sources of input data for my analysis and it's quite
possible I've made bad assumptions somewhere). Sadly, some people (both
ActivCard representatives and people not related to this company) didn't
understand the nature of my post - and I guess it can only be bad will,
because I stated it clearly, _twice_.

It's really bad, both to us and ActivCard, to spread FUD. So, it's time to
state the facts:

- we agreed that in the 8-digit display, the first 2 digits are highly
  predictable, partially exposing some bits from internal counters
  (I'm not sure what for). These numbers are almost 100% predictable;
  as a result, we have 10^6 combinations instead of 10^8 - which sounds
  better for crackers,

- in my set of information (the one I included in my post and with which
  I have some troubles - but that's another issue), by dumping a binary
  image of these values, I found several uncommon conditions, like
  alarmingly long sequences of even values (lowest bit set to zero),
  some bit sequences appearing e.g. with 75% probability where I should
  expect something around 7-8% and so on. This led me to perform
  attempts to guess the next values with good precision within a
  reasonable number of tries. No, I didn't write a magic program that can
  predict the next value returned by any token with 100%, but I feel
  alarmed by my observations, and that's why I posted this strictly
  informal call-for-discussion. Within it, I repeated several times that
  these observations might not be objective and MUST be verified; in some
  subsequences of this input set, I reached a probability of several
  per mille, which actually isn't bad - especially because it's nothing
  hard for a computer to perform e.g. 1000 attempts, which makes this
  probability much higher.

It's bad to debate about algorithm (or, better: implementation) weakness
when in doubt. Unfortunately, we have no way to really discover the way
this token uses to expose / hash its internal state but by observation. I
guess ActivCard users can easily verify my observations or try to perform
a more detailed analysis of the information supplied by me or obtained on
their own. Someone with good (better than mine) practical knowledge of
cryptanalysis and discrete systems' predictability should spend some time
with it, for sure.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

-- Support your government, give Echelon / Carnivore something to parse --
classfield  top-secret government  restricted data information project CIA
KGB GRU DISA  DoD  defense  systems  military  systems spy steal terrorist
Allah Natasha  Gregori destroy destruct attack  democracy will send Russia
bank system compromise international  own  rule the world ATSC RTEM warmod
ATMD force power enforce  sensitive  directorate  TSP NSTD ORD DD2-N AMTAS
STRAP warrior-T presidental  elections  policital foreign embassy takeover
--------------------------------------------------------------------------
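
The checks the post asks readers to repeat on their own token output can be scripted. The following is an added example, not code from the post or from ActivCard: it measures the even-value fraction, the longest run of even values, the share of the most common low-bit pattern, and how a per-guess probability grows over many attempts. The function names and the sample values are assumptions made for illustration, 0.003 stands in for "several per mille", and the last function assumes independent guesses with the same chance each time.

```python
import math
from collections import Counter

def low_bit_stats(codes):
    """Fraction of even codes and the longest run of consecutive even codes."""
    longest = run = evens = 0
    for c in codes:
        if c % 2 == 0:
            evens += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return evens / len(codes), longest

def parity_z_score(codes):
    """Deviation of the even count from a fair coin, in standard deviations."""
    n = len(codes)
    evens = sum(c % 2 == 0 for c in codes)
    return (evens - n / 2) / math.sqrt(n / 4)

def top_pattern_share(codes, k):
    """Share of the most common value of the low k bits, and the uniform share."""
    counts = Counter(c & ((1 << k) - 1) for c in codes)
    return counts.most_common(1)[0][1] / len(codes), 1 / 2 ** k

def p_hit_within(p, attempts):
    """Chance that at least one of `attempts` independent guesses is right."""
    return 1 - (1 - p) ** attempts

# Constructed sample, not real token output: six-digit values with an
# exaggerated bias toward even numbers so the checks have something to find.
SAMPLE = [482916, 105338, 771204, 390652, 618447, 254780,
          936102, 847556, 163219, 529874, 702348, 318690]

if __name__ == "__main__":
    frac, run = low_bit_stats(SAMPLE)
    print(f"even fraction {frac:.2f}, longest even run {run}")
    print(f"parity z-score {parity_z_score(SAMPLE):.2f}")
    share, uniform = top_pattern_share(SAMPLE, 4)
    print(f"top 4-bit pattern {share:.1%} vs uniform {uniform:.1%}")
    print(f"p=0.003 per guess, 1000 guesses: {p_hit_within(0.003, 1000):.3f}")
```

A sample this small proves nothing either way; the same functions are meant to be run over a long series of values read from a token.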

