Google Authenticator, possible attacks and prevention

Aug 20, 2015

Boštjan Cigan
Page 1: Google Authenticator, possible attacks and prevention

Google TOTP Two Factor Authentication

Bostjan Cigan

29 January 2013

Bostjan Cigan Google TOTP Two Factor Authentication

Page 2: Google Authenticator, possible attacks and prevention

TOTP

TOTP (Time-Based One-Time Password algorithm) is described in RFC 6238 and builds on the HOTP algorithm of RFC 4226:

HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))

Truncate is the function that converts the 20-byte HMAC-SHA-1 value into a short numeric HOTP (HMAC-based One-Time Password) code. K is the shared secret and C is the 8-byte counter value (RFC 4226). In TOTP, C is replaced by T, a time-based value.

Page 5: Google Authenticator, possible attacks and prevention

TOTP

TOTP is defined as:

TOTP = HOTP(K, T)

where T is the number of time steps elapsed since T0:

T = floor((Current UNIX Time - T0) / X)

where X is the time step in seconds (usually 30) and T0 is the Unix time from which to start counting (usually 0).

Page 8: Google Authenticator, possible attacks and prevention

Practical implementation

Google Authenticator is an open source implementation of TOTP (the client side; the server must implement the matching verification).

How it works:

1. the server generates a shared secret (here at least 16 base32 characters, i.e. 80 bits; note that RFC 4226 requires a secret of at least 128 bits and recommends 160),
2. the secret is encoded in a QR code,
3. the user scans the QR code with the Google Authenticator application, which stores the secret,
4. at login the user enters the current 6-digit code together with the password.

Page 12: Google Authenticator, possible attacks and prevention

Google Authenticator on Android (screenshot of the application)

Page 13: Google Authenticator, possible attacks and prevention

Possible attacks

These attacks are only possible if TOTP is implemented or deployed carelessly:

- replay attack,
- brute force attack,
- (trivial) "phone stealing" attack,
- QR code stealing.

To demonstrate the first two attacks, let's use WordPress (a commonly used content management system) with its login extended by the Google Authenticator plugin.

Page 19: Google Authenticator, possible attacks and prevention

Replay attack

Prerequisites: no countermeasure is implemented (no unique per-session tokens, and a code is not invalidated for the rest of its time step once it has been used).

Using Wireshark and looking at the POST requests of the login, we can recover the username, the password and the Google Authenticator code (this presumes the login form is submitted over plain HTTP, so the POST body is visible on the wire). Because the plugin accepts the same code again within its time step, the captured request can simply be replayed.

Page 22: Google Authenticator, possible attacks and prevention

Brute force attack

Prerequisites: no countermeasure is implemented (no limit on the number of login attempts, no IP lockout, etc.). The attacker already knows the password and guesses only the second factor.

- the possible codes range from 000000 to 999999,
- so in theory we have to send up to 1,000,000 requests within one 30-second time step, assuming we start at the beginning of the step (a verifier that also accepts adjacent time steps gives the attacker correspondingly more valid codes),
- because WordPress itself does not limit the number of login attempts, this attack is possible.

Page 26: Google Authenticator, possible attacks and prevention

Brute force attack

A simple script running on multiple servers would theoretically suffice (the slide shows one implemented in Python).

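The following is an added example written for this page; it is not code from the slides, from the attack script the slide refers to, or from the WordPress plugin. It implements the TOTP definition from the TOTP basics section (HOTP with dynamic truncation, T = floor((now - T0) / X)) and a server-side verifier with the countermeasures the replay and brute force slides say the plugin lacks: a bounded window of accepted time steps, rejection of an already used time step, and a lockout after repeated failures. The RFC 4226 and RFC 6238 test vectors (shared secret "12345678901234567890") are used as the sample input; the window size of one step, the limit of five failures and the in-memory per-verifier state are my assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"   # shared secret K used by the RFC 4226/6238 test vectors


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), RFC 4226 section 5.3."""
    msg = struct.pack(">Q", counter)                 # C as an 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: int, t0: int = 0, x: int = 30) -> int:
    """T = floor((Current UNIX Time - T0) / X), RFC 6238 section 4.2."""
    return (unix_time - t0) // x


def totp(key: bytes, unix_time: int, t0: int = 0, x: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, T)."""
    return hotp(key, time_step(unix_time, t0, x), digits)


def new_shared_secret(nbytes: int = 20) -> str:
    """Base32 secret for provisioning. 20 bytes = 160 bits, the RFC 4226 recommendation;
    the 16-character secrets in the slides are 10 bytes = 80 bits, below the RFC's 128-bit minimum."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


class TotpVerifier:
    """Server-side check with the countermeasures the slides say the plugin lacks:
    - accept only a small window of time steps around the current one (RFC 6238 section 5.2),
    - never accept a code for a time step that has already been used (stops the replay attack;
      refusing all earlier steps is stricter than the RFC's minimum of refusing the same OTP),
    - lock the account after a fixed number of failures (RFC 4226 section 7.3 throttling,
      which makes the 1,000,000-request brute force infeasible).
    State is kept in memory per verifier instance (assumption); a deployment would persist it per user."""

    def __init__(self, key: bytes, window: int = 1, max_failures: int = 5, x: int = 30):
        self.key = key
        self.window = window
        self.max_failures = max_failures
        self.x = x
        self.last_accepted_step = -1   # highest time step already spent on a successful login
        self.failures = 0

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if self.failures >= self.max_failures:
            return False                              # locked out; no further guesses are checked
        now = int(time.time()) if now is None else now
        current = time_step(now, 0, self.x)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                              # replay of an already used time step
            if hmac.compare_digest(hotp(self.key, step).encode(), code.encode()):
                self.last_accepted_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    print("TOTP for RFC vector at t=59:", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
```

With the RFC secret, the code for time step 1 (Unix time 59) is accepted once and refused on the second attempt, and after five wrong guesses even a correct code is refused until the lockout is lifted; that is exactly the pair of checks whose absence the two WordPress attacks rely on.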
Page 27: Google Authenticator, possible attacks and prevention

“Phone stealing” attack

It may be trivial, but the keys that are used to generate the codes are stored in plain text on the phone itself.

With root access we can extract the application's database, for example after installing adbd Insecure (a tool that makes the adb daemon run with root privileges on a rooted device):

1. adb pull /data/data/com.google.android.apps.authenticator2/databases/databases
2. sqlite3 ./databases
3. select * from accounts;

The third column contains the secret we need:

1|[email protected]|HBGZ5SYGSVR3GBWO|0|0|0

Anyone holding this base32 string can generate valid codes for the account indefinitely, so a stolen (or rooted and imaged) phone compromises the second factor without touching the server.

Page 32: Google Authenticator, possible attacks and prevention

QR code stealing

Prerequisites: the attacker can access the computer on which the user scanned the original QR code, and the browser cache has not been cleared since.

Google Chrome and other browsers cache fetched data in a predefined folder. For Chrome of that time, checking the cache is easy:

1. type chrome://cache into the address bar (later Chrome releases removed this internal page),
2. search the listing for the string chart?cht=qr,
3. if found, we have the full URL that was used to render the QR code.

Page 36: Google Authenticator, possible attacks and prevention

QR code stealing

A working example: the URL that was used to display the QR code is still in the cache. Such a chart URL carries the encoded text (the otpauth:// provisioning URI, secret included) as a query parameter, so the seed (marked orange on the slide) that is used to generate the TOTP tokens can be read directly from it.
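As an added example (mine, not part of the slides), the following recovers the seed from both places the "phone stealing" and "QR code stealing" slides point at: the accounts table of the database pulled from the phone, and the otpauth:// URI embedded in the cached chart URL. The secret is the one shown in the slide's sqlite row; the in-memory sqlite schema (column names mirroring the six-column row), the placeholder account name, the issuer and the chart URL are constructed for the example and are assumptions, as is the percent-encoding of the chl parameter.

```python
import base64
import sqlite3
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample data. The secret is the one shown in the slide's sqlite row; the account
# name, issuer and chart URL are placeholders that follow the otpauth:// Key URI format.
SAMPLE_SECRET = "HBGZ5SYGSVR3GBWO"
SAMPLE_OTPAUTH = ("otpauth://totp/WordPress:user@example.com"
                  "?secret=" + SAMPLE_SECRET + "&issuer=WordPress")
SAMPLE_CHART_URL = ("https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl="
                    + quote(SAMPLE_OTPAUTH, safe=""))


def decode_secret(b32: str) -> bytes:
    """Google Authenticator secrets are unpadded base32; restore the padding before decoding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the pulled 'databases' file. The column names are an assumption
    that mirrors the six-column row on the slide (_id|email|secret|counter|type|provider)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT, secret TEXT, "
               "counter INTEGER, type INTEGER, provider INTEGER)")
    db.execute("INSERT INTO accounts VALUES (1, 'user@example.com', ?, 0, 0, 0)", (SAMPLE_SECRET,))
    db.commit()
    return db


def secrets_from_accounts_db(db: sqlite3.Connection) -> List[Tuple[str, bytes]]:
    """Step 3 of the slide: the third column of 'accounts' holds the plaintext seed."""
    rows = db.execute("SELECT email, secret FROM accounts").fetchall()
    return [(email, decode_secret(secret)) for email, secret in rows]


def otpauth_from_chart_url(url: str) -> str:
    """Pull the QR code's content (the chl parameter) out of a cached Google Chart QR URL.
    parse_qs percent-decodes the value; if a plugin embedded the otpauth URI unencoded,
    everything up to its first '&' is still returned, which includes the secret."""
    q = parse_qs(urlparse(url).query)
    if q.get("cht", [""])[0] != "qr" or "chl" not in q:
        raise ValueError("not a Google Chart QR URL")
    return q["chl"][0]


def parse_otpauth(uri: str) -> Dict[str, object]:
    """Parse otpauth://totp/<label>?secret=...&issuer=...[&digits=..&period=..]."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    q = parse_qs(u.query)
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "key": decode_secret(q["secret"][0]),
        "issuer": q.get("issuer", [None])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def seed_from_both_sources() -> Tuple[bytes, bytes]:
    """Recover the seed from the phone database and from the cached chart URL; both yield the same key."""
    (_, key_from_phone), = secrets_from_accounts_db(build_sample_db())
    key_from_cache = parse_otpauth(otpauth_from_chart_url(SAMPLE_CHART_URL))["key"]
    return key_from_phone, key_from_cache
```

Both paths end in the same 10-byte key, which is why clearing the cache after enrolment and keeping the phone's application data out of reach matter as much as the server-side checks: whoever holds those bytes can compute every future code.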

Page 37: Google Authenticator, possible attacks and prevention

Conclusions

- Google Authenticator is safe, but only if the server side is properly implemented,
- to implement it properly, programmers must read and understand the RFC documents (RFC 4226 and RFC 6238) before beginning development,
- the presented WordPress Google Authenticator plugin enables the attacks because of improper implementation (it does not comply with the rules written in the RFCs: an already used code is not rejected and failed attempts are not throttled).

The full article describing the methods of attack, their implementation and methods of prevention is available at http://zerocool.is-a-geek.net/?p=842.

Page 41: Google Authenticator, possible attacks and prevention

References

Online:

1. Google TOTP Two Factor Authentication
2. RFC 4226, HOTP: An HMAC-Based One-Time Password Algorithm
3. RFC 6238, TOTP: Time-Based One-Time Password Algorithm
4. Stealing Google Authenticator credentials
