
Bugtraq mailing list archives
Re: swc / ActivCard
From: Alan DeKok <aland () STRIKER OTTAWA ON CA>
Date: Wed, 23 Aug 2000 14:01:01 -0400
Michal Zalewski <lcamtuf () DIONE IDS PL> wrote:
> Gosh, I never said I'll be able to gain access to someone's account. I just believe that numbers should be predictable with probability equal to 1 / number of digits' combinations, and not more. If this probability is thousands of times smaller, it's bad. But I didn't even say it is
Your original message said:
> Even basing on our rough estimations and basic analysis, we were able to guess next number with about 35% chance within 100 attempts -
That was reasonably clear. And *if* true, even for *one* card, it gives cause for a *huge* degradation in the public confidence of ActivCard tokens. That's pretty damning hype.
> Simply, get this data. Strip two first digits (they're almost 100% predictable), then:
> - dump their binary image
> - visualise these values on the Y axis
That doesn't *appear* to be random to my eyes, but humans are not a good standard for deciding randomness. A simple check of the 106 6-digit numbers shows that 33 are less than 5x10^5. For random numbers, you'd expect a number closer to 53. I won't bother doing the math to discover the probability of 33/106 happening by chance, but I'd guess it to be somewhat low. That is, *if* that sequence did come from an ActivCard token.
> If you believe this gives good randomness, that can be used as completely unpredictable passwords, I won't agree. It's weak. Some values / sequences are much more possible than others. That's all!
No, you said that you could *predict* the numbers with 35% accuracy. That statement is a LOT stronger than noting statistical irregularities with the output of DES operations. Please don't change your story.

Any statistical issues might be minor, as you only supplied ~100 numbers. Maybe if we looked at 10,000 numbers, the irregularities might go away.

Personally, I would like you to supply *all* of the information you used to make that 35% prediction. That is, *all* configuration for the ActivCard you used, (including serial number and programming options), *all* data, *all* programs, and a description of the methods that you used.

Without this information, your claim of 35% was pure, unadulterated hype, without any factual basis. Supplying 100 numbers and saying "Look at them!" does NOT validate your claim about the predictability of the token output.

If there *is* a vulnerability, then the public should know. If you made a mistake, and your claims are not reproducible, then you should issue a retraction, and an apology.
> I'm not saying it affects every AC card in the world. Test it. If not, the case is closed. If yes, probably it's time for AC to re-design their algorithm.
Assuming there is no hardware problem with your card, I find it difficult to see how any claimed vulnerability can only affect one card out of thousands. They do, presumably, all run the same software on the same hardware, with only the keys being different.

THAT is why people are getting upset at you. Your claim to have invalidated the security of one card implies an attack on all of them. Don't pretend otherwise.

Alan DeKok.
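
Added example (not part of the original message, and not code from either poster): an exact binomial test for the count the message quotes, 33 of 106 six-digit values below 5x10^5, under the assumption that a uniform source puts each value below the midpoint with probability 1/2. The function names and the short sample list are constructed for illustration; the 106 token values themselves are not on this page.

```python
from math import comb


def lower_tail(k: int, n: int) -> float:
    """P(X <= k) for X ~ Binomial(n, 1/2), summed exactly with integers."""
    return sum(comb(n, i) for i in range(k + 1)) / 2**n


def two_sided_p(k: int, n: int) -> float:
    """Two-sided exact p-value; at p = 1/2 the distribution is symmetric,
    so the two tails are equal and the smaller one is simply doubled."""
    k = min(k, n - k)
    return min(1.0, 2 * lower_tail(k, n))


def count_below_midpoint(codes, digits: int = 6) -> int:
    """Count codes whose value is below 5 * 10**(digits - 1)."""
    midpoint = 5 * 10 ** (digits - 1)
    return sum(1 for c in codes if int(c) < midpoint)


def midpoint_test(codes, digits: int = 6):
    """Return (count below midpoint, sample size, two-sided p-value)."""
    k = count_below_midpoint(codes, digits)
    n = len(codes)
    return k, n, two_sided_p(k, n)


# Counts quoted in the message: 33 of 106 values below 5x10^5.
P_ONE_SIDED = lower_tail(33, 106)
P_TWO_SIDED = two_sided_p(33, 106)

# Constructed sample (not token output), only to show the calling convention.
SAMPLE = ["012345", "499999", "500000", "987654"]

if __name__ == "__main__":
    print(f"P(X <= 33 | n=106, p=1/2) = {P_ONE_SIDED:.3e}")
    print(f"two-sided p-value         = {P_TWO_SIDED:.3e}")
    print("constructed sample        =", midpoint_test(SAMPLE))
```

A small p-value here measures only how unlikely this one skew is in a uniform sample of that size; it does not by itself show that the next value can be predicted.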