Posts Tagged ‘authentication protocol’

Oracle suffered with serious vulnerability in the authentication protocol used by some Oracle databases. This Flaw enables a remote attacker to brute-force a token provided by the server prior to authentication and determine a user’s password.

Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the 11.2.0.3 patch set, issuing a new version of the protocol. “But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable,” Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.

The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash.

There are no overt signs when an outsider has targeted the weakness, and attackers aren’t required to have “man-in-the-middle” control of a network to exploit it. “Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can’ t be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient.”

I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs.”

Because the vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous.

 

At a cryptography gathering in Leuven, Belgium, on Tuesday, Cambridge University researchers made it known that they do not like what they see in chip and pin systems. The chip and PIN system employed by most European and Asian banks is definitely more secure than the magnetic strip one, but it doesn’t mean that it doesn’t have its flaws.

A flaw in the EMV protocol which lays out the rules for chip-and-PIN card transactions at ATMs and point-of-sale terminals could enable persistent attackers to carry out bogus card transactions. Five Cambridge (UK) University researchers released a paper today with the gory details.

Bank cards are reportedly vulnerable to a form of cloning and researchers have pinpointed the poor implementation of cryptography methods in ATM machines as being the reason for the flaw.

The chip in an EMV card is there to execute an authentication protocol, and is itself very difficult to clone. However, the authentication process also relies on the merchant’s point-of-sale kit, or an ATM, generating a completely random number to prove the uniqueness of the transaction. They discovered a flaw with the so called unpredictable number (UN), generated by software within cash point machines and other similar equipment. The researchers warned that this random number is not so random, and is even possible sometimes to predict.

“The UN (unique number) appears to consist of a 17 bit fixed value and the low 15 bits are simply a counter that is incremented every few milliseconds, cycling every three minutes,”

We wondered whether, if the ‘unpredictable number’ generated by an ATM is in fact predictable, this might create the opportunity for an attack in which a criminal with temporary access to a card (say, in a Mafia-owned shop) can compute the authorization codes needed to draw cash from that ATM at some time in the future for which the value of the UN can be predicted.”

Banks, meanwhile, are standing firmly behind EMV and chip-and-PIN and are refusing to refund customers protesting fraudulent transactions, banks are telling customers EMV is secure and they either are mistaken about a transaction, or are lying. Meanwhile, many wouldn’t have the mechanisms or procedures to patch PIN entry devices in the field in the need arose.