COMMAND

    Secure Computing e.iD Authenticator for Palm 2.0

SYSTEMS AFFECTED

    PalmOS 3.3, 3.5.2

PROBLEM

    An attacker who obtains access to the "sceiddb.pdb" file, part of
    Secure Computing's e.iD Authenticator for Palm, can determine the
    user's PIN.  This vulnerability was disclosed by @Stake, Inc.

    Secure Computing's SafeWord is a system of authentication services
    that supports, among other authentication methods, one-time
    passwords.  The one-time passwords are generated by the
    authenticating user via a hardware or software token device from
    the user's PIN and a Token Key stored in the device.  During
    authentication, a user-generated one-time password, or tokencode,
    is sent to the authentication server and the user is authenticated
    if the tokencode was generated from a valid PIN and Token Key.  In
    this sort of authentication system, the security of the shared
    secret (the user's PIN) is critical.

    Secure Computing's e.iD Authenticator for Palm is a software token
    device for the SafeWord system that runs on the Palm Pilot.  e.iD
    Authenticator for Palm uses a Palm database (PDB) file called
    "sceiddb.pdb" containing an encrypted version of the user's PIN
    as well as the Token Key.

    The encrypted version of the user's PIN is used when the user
    attempts to change the PIN.  Before the PIN can be changed the
    user must enter the current PIN.  The entered PIN is encrypted
    and compared to the stored encrypted PIN.  If they don't match the
    device will display a warning and refuse to change the PIN.

    PINs are from 2 to 8 digits in length.  The encrypted PIN is
    always 16 bytes and is found at offsets 0x7A through 0x89 in the
    "sceiddb.pdb" file.

    As the Palm Pilot and related devices are general-purpose
    platforms and not tamper-resistant, there are likely scenarios in
    which an attacker may obtain access to the "sceiddb.pdb" file.

    An attacker with access to the "sceiddb.pdb" file can obtain the
    user's PIN by encrypting every possible PIN of up to 8 digits and
    comparing the results with the encrypted PIN in the "sceiddb.pdb"
    file.

    @Stake has calculated the time required to obtain PINs of
    different lengths using a Pentium III 450MHz:

        PIN Length      Time to calculate PIN
        
            2               0.023 seconds
            3               0.23 seconds
            4               2.3 seconds
            5               23.3 seconds
            6               3.8 minutes
            7               38.8 minutes
            8               6.48 hours

    Once a  user's PIN  has been  obtained an  attacker can generate a
    valid tokencode if he can determine the most recent tokencode used
    by the user to authenticate to the SafeWord system.

    There are a number of likely scenarios that can allow an attacker
    to obtain access to the "sceiddb.pdb" file:
    * If an attacker obtains access to the user's Palm device he can
      copy the "sceiddb.pdb" file via IrDA (infrared), or "beam" it.
      By default this file does not have the "Beam Lock" protection
      bit set.  This bit tells PalmOS not to allow the file to be
      beamed.  But the "Beam Lock" protection can be easily disabled.
    * If an attacker obtains access to a computer the user uses to
      HotSync or back up his Palm device the attacker may find a copy
      of the "sceiddb.pdb" file.  By default this file is configured
      not to be backed up.  However, some third-party utilities may
      ignore this and back it up, the user may have configured the
      file to be backed up, or the file may be pending download into
      the Palm device.

    There are also a number of likely scenarios that can allow an
    attacker to obtain the most recent tokencode used by the user to
    authenticate to the SafeWord system:
    * The attacker may monitor the network and extract the tokencode
      from unencrypted authentication requests (e.g. telnet).
    * The attacker may obtain access to the machine on which the user
      is entering the tokencode and capture the keyboard input.
    * The attacker may watch the tokencode as it is being physically
      entered by the user ("shoulder surfing").

    @Stake has made available, in source code and executable form, a
    tool that will extract via brute force the PIN from a
    "sceiddb.pdb" file.  It can be found at:

        http://www.atstake.com/research/advisories/2000/eidextract.zip

SOLUTION

    There is no  immediate fix for  this vulnerability.   To solve the
    problem would require the removal  of the PIN change feature  from
    the  device.   Secure  Computing  believes  the added security and
    convenience of being  able to change  the PIN outweighs  the risks
    of this vulnerability.

    There are a number of mitigating strategies to minimize the risk of
    this vulnerability:
    * Ensure that the "Beam Lock" protection bit is set on the
      "sceiddb.pdb" file.  It won't stop an attacker from beaming the
      file but it will slow him down.
    * Ensure that under no circumstances is the "sceiddb.pdb" file
      backed up onto or otherwise stored on the user's desktop
      computer.  Search the system for the "sceiddb.pdb" file to
      double check.
    * Maintain physical control of the Palm device at all times and do
      not allow unauthorized users access to it.
    * Replace e.iD Authenticator for Palm with a tamper-resistant
      hardware device such as the SafeWord Silver 2000 or SafeWord
      Platinum devices.
    * Add a "salt" to the encrypted PIN.  The "salt" won't stop the PIN
      from being guessed by trying every combination but it will stop
      a precomputed dictionary attack that would speed up the
      extraction of the PIN from the "sceiddb.pdb" file.
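    The last mitigation, the salt, is illustrated below with an added
    Python model that is not @Stake's tool and not Secure Computing's
    code.  It contrasts a stored PIN value that depends only on the PIN
    (so one precomputed table of every 2- to 8-digit PIN serves every
    device) with a per-device salted value that forces the work to be
    redone for each device, and shows the PIN-change check done with a
    constant-time comparison.  The hashing scheme (SHA-256 truncated to
    the advisory's 16-byte stored length), the function names and the
    sample PIN are assumptions; the advisory does not describe the
    product's actual encryption.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical PIN-storage scheme used only for illustration: SHA-256
# truncated to 16 bytes, matching the 16-byte stored value the advisory
# describes. The real e.iD Authenticator algorithm is not documented on
# the page and is not what this code implements.
STORED_LEN = 16


def is_valid_pin(pin: str) -> bool:
    """PINs are 2 to 8 decimal digits, as stated in the advisory."""
    return 2 <= len(pin) <= 8 and pin.isdigit()


def pin_keyspace() -> int:
    """Number of distinct PINs of 2 to 8 digits. A salt does not shrink
    this; it only removes the ability to precompute it once."""
    return sum(10 ** n for n in range(2, 9))


def store_pin_unsalted(pin: str) -> bytes:
    """Model of the unsalted design: the stored value depends only on the
    PIN, so every device holding the same PIN stores the same 16 bytes
    and a single precomputed table of all PIN values covers them all."""
    if not is_valid_pin(pin):
        raise ValueError("PIN must be 2 to 8 digits")
    return hashlib.sha256(pin.encode("ascii")).digest()[:STORED_LEN]


def enroll_pin_salted(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted design recommended by the advisory: a random per-device salt
    is mixed in, so the stored value is unique per device and a table
    precomputed without the salt is useless. The salt is not secret; it
    is stored beside the value."""
    if not is_valid_pin(pin):
        raise ValueError("PIN must be 2 to 8 digits")
    if salt is None:
        salt = os.urandom(16)
    stored = hashlib.sha256(salt + pin.encode("ascii")).digest()[:STORED_LEN]
    return salt, stored


def verify_pin_salted(entered: str, salt: bytes, stored: bytes) -> bool:
    """PIN-change check under the salted design. The comparison is done in
    constant time so the stored value is not leaked through timing."""
    if not is_valid_pin(entered):
        return False
    candidate = hashlib.sha256(salt + entered.encode("ascii")).digest()[:STORED_LEN]
    return hmac.compare_digest(candidate, stored)


def precomputation_is_reusable(pin: str) -> Tuple[bool, bool]:
    """Returns (unsalted_reusable, salted_reusable): whether the stored
    value for a PIN computed for one device equals the value stored on a
    second device holding the same PIN. True means one precomputed table
    serves every device; False means the work must be redone per salt."""
    unsalted_same = store_pin_unsalted(pin) == store_pin_unsalted(pin)
    salt_a, stored_a = enroll_pin_salted(pin)
    salt_b, stored_b = enroll_pin_salted(pin)
    salted_same = salt_a == salt_b and stored_a == stored_b
    return unsalted_same, salted_same


if __name__ == "__main__":
    salt, stored = enroll_pin_salted("4711")  # constructed sample PIN
    print("PIN keyspace (2-8 digits):", pin_keyspace())
    print("salted verify, correct PIN:", verify_pin_salted("4711", salt, stored))
    print("salted verify, wrong PIN:  ", verify_pin_salted("4712", salt, stored))
    print("precomputed table reusable (unsalted, salted):",
          precomputation_is_reusable("4711"))
```

    The salt must be stored alongside the 16-byte value and is
    regenerated whenever the PIN is changed; it is public, and its only
    job is to make each device's stored value distinct.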