Google Authenticator, possible attacks and prevention

This presentation describes Google's Time Based One Time Password authentication scheme and its practical implementation Google Authenticator. It also presents possible attacks and their prevention.

Google TOTP Two Factor Authentication. Boštjan Cigan, 29 January 2013.

TOTP basics

TOTP - Time-Based One-Time Password algorithm, described in RFC 6238. It also uses RFC 4226 as a basis:

    HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))

Truncate is a function that converts the HMAC-SHA-1 output into an HOTP (HMAC-based One-Time Password) value. K is the shared secret and C is the counter value (RFC 4226). In TOTP, C is replaced by T (a time-based value).

TOTP is defined as:

    TOTP = HOTP(K, T)

where T is defined as:

    T = (Current UNIX Time - T0) / X

where X is the time step (usually 30 seconds) and T0 the initial time.
Practical implementation

Google Authenticator is an open source practical implementation of TOTP. How it works:

1. generate the secret (minimum length is 16 characters),
2. create a QR code,
3. scan the QR code using the Google Authenticator application,
4. use the password to log in.

(Slide: screenshot of Google Authenticator on Android.)
Possible attacks

Attacks are only possible if TOTP is incorrectly implemented:

- replay attack,
- brute force attack,
- (trivial) "phone stealing" attack,
- QR code stealing.

To show the first two attacks, let's use WordPress (a commonly used content management system) and extend the login security with the Google Authenticator plugin.
Replay attack

Prerequisites: a countermeasure is not implemented (unique session keys, making a code invalid for the rest of the time step after it has been used).

Using Wireshark and looking for POST requests, we can expose the username, the password and the Google Authenticator code.
Brute force attack

Prerequisites: a countermeasure is not implemented (limit the number of login attempts, lock IPs etc.).

- Possible codes range between 000000 and 999999,
- so in theory we have to send 1,000,000 requests in a timeframe of 30 seconds, assuming that we started at 0 seconds into the time step;
- because WordPress itself does not limit the number of login attempts, this attack is possible.

A simple script running on multiple servers would theoretically suffice (the slide shows one implemented in Python).
"Phone stealing" attack

It may be trivial, but the keys that are used to generate the codes are stored in plain text on the phone itself. With root access we can extract the database using the tool adbd Insecure:

    adb pull /data/data/com.google.android.apps.authenticator2/databases/databases
    sqlite3 ./databases
    select * from accounts

The third column contains the secret we need:

    1|test@gmail.com|HBGZ5SYGSVR3GBWO|0|0|0
QR code stealing

Prerequisites: the attacker can access the computer from which the user scanned his original QR code, and the browser's cache was not cleared.

Google Chrome and other browsers cache data in a predefined folder. For Chrome, checking the cache is easy:

1. type in the URL chrome://cache,
2. from here search for the string chart?cht=qr,
3. if successful, we have a full QR code URL.

A working example (slide screenshot): the URL that was used to display the QR code is still in the cache. We can easily extract the seed (marked orange) that is used to generate TOTP tokens.
Conclusions

- Google Authenticator is safe, but only if properly implemented.
- To properly implement it, programmers must read and understand the RFC documents before beginning development.
- The presented WordPress Google Authenticator plugin enables attacks because of improper implementation (it does not comply with the rules written in the RFC document).
- The full article describing the methods of attack, its implementation and methods of prevention is available at http://zerocool.is-a-geek.net/?p=842.
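The TOTP derivation from the first slides, together with the two server-side countermeasures the conclusions call for (a code is invalid once used; attempts are limited), as an added Python example that is not the presentation's or the plugin's code. The RFC 4226/6238 test secret and the `TotpVerifier` class, its attempt cap and its drift window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # X in RFC 6238, the usual 30 seconds
T0 = 0          # initial time
DIGITS = 6      # Google Authenticator shows 6-digit codes


def key_from_base32(secret: str) -> bytes:
    """Google Authenticator secrets are base32 text (16 chars = 10 key bytes)."""
    secret = secret.strip().upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), C as 8-byte big-endian."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the offset
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP, t0: int = T0) -> str:
    """RFC 6238: TOTP = HOTP(K, T) with T = (Current UNIX Time - T0) / X."""
    return hotp(key, (unix_time - t0) // step)


class TotpVerifier:
    """Server-side check (hypothetical) with replay rejection and an attempt limit."""

    def __init__(self, key: bytes, max_attempts: int = 5, window: int = 1):
        self.key = key
        self.max_attempts = max_attempts  # caps the 10^6-guess brute force
        self.window = window              # accept +/- this many steps of clock drift
        self.failures = 0
        self.last_accepted_step = -1      # highest step already used: replay guard

    def verify(self, code: str, unix_time: int) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked out until an out-of-band reset
        current = (unix_time - T0) // TIME_STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # RFC 6238 5.2: never accept a code a second time
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False
```

Note that a code sniffed with Wireshark, as on the replay slide, is useless against this verifier once the legitimate login has consumed it, and the brute-force script stops being useful after `max_attempts` guesses.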
References (online)

1. Google TOTP Two Factor authentication
2. RFC 4226
3. RFC 6238
4. Stealing Google Authenticator credentials