Thu, 17 May 2012

A closer look into the RSA SecureID software token

Tags: analysis, public, research, reversing — behrang @ 12:00

Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. Obviously, mobile phones would not be able to provide the level of tamper-resistance that hardware tokens would, but I was interested to know how easy/hard it could be for a potential attacker to clone RSA SecureID software tokens. I used the Windows version of the RSA SecurID Software Token for Microsoft Windows version 4.10 for my analysis and discovered the following issues:

Device serial number of tokens can be calculated by a remote attacker :

Every instance of the installed SecurID software token application contains a hard drive plug-in (implemented in tokenstoreplugin.dll) that has a unique device serial number. This serial number can be used for "Device Binding" and the RSA documentation defines it as follows:

“Before the software token is issued by RSA Authentication Manager, an additional extension attribute (<DeviceSerialNumber/>) can be added to the software token record to bind the software token to a specific devicedevice serial number is used to bind a token to a specific device. If the same user installs the application on a different computer, the user cannot import software tokens into the application because the hard drive plug-in on the second computer has a different device serial number from the one to which the user's tokens are bound”.

Reverse engineering the Hard-Disk plugin (tokenstoreplugin.dll) indicated that the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the above mentioned protection. Account SIDs can be enumerated in most of the Microsoft active directory based networks using publicly available tools, if the “enumeration of SAM accounts and shares” security setting was not set to disabled. Host names can be easily resolved using internal DNS or Microsoft RPC. The following figures show the device serial number generation code:

The SecureID device serial number calculation can be represented with the following formula:

Token's copy protection:

The software token information, including the secret seed value, is stored in a SQLite version 3 database file named RSASecurIDStorage under the “%USERPROFILE%\Local Settings\Application Data\RSA\RSA SecurID Software Token Library” directory. This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: “RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer:

• Binding the database to the computer's primary hard disk drive

• Implementing the Windows Data Protection API (DPAPI)

These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI.”

The RSASecurIDStorage database file has two tables: PROPERTIES and TOKENS. The DatabaseKey and CryptoChecksum rows found in the PROPERTIES tables were found to be used for copy protection purpose as shown in the figure below:

Reverse engineering of the copy protection mechanism indicated that:

The CryptoChecksum value is encrypted using the machine's master key, which can only be decrypted on the same computer system, unless the attacker can find a way to import the machine key and other supporting data to their machine
The DatabaseKey is encrypted using the current logged-on user's master key and provides token binding to that user account

Previous research on the Microsoft Windows DPAPI internals has made offline decryption of the DPAPI protected data possible. This means that if the attacker was able to copy the RSA token database file along with the encryption master keys to their system (for instance by infecting a victim's machine with a rootkit), then it would be possible to decrypt the token database file on their machine. The detailed attack steps to clone a SecurID software token by copying the token database file from a victim's system are as follows:

Copy the token database file, RSASecurIDStorage, from the user profile directory
Copy the user's master key from %PROFILEDIR%\Application Data\Microsoft\Protect\%SID%; the current master key's GUID can be read from Preferred file as shown in the figure below:

Copy the machine's master key from the %WINDIR%\system32\Microsoft\Protect\ directory. Microsoft Windows protects machine keys against tampering by using SHA1 hash values, which are stored and handled by the Local Security Authority Subsystem Service (LSASS) process in Microsoft Windows operating systems. The attacker should also dump these hash values from LSA using publicly available tools like lsadump.

Having all the required master keys and token database file, install and deploy a windows machine and change the machine and user SIDs to the victim's system SID by using available tools such as newSID.
Overwrite the token database file, user and machine master keys with the ones copied from victim's system. You would also need to find a way to update the DPAPI_SYSTEM value in LSA secrets of the Windows machine. Currently, this is the only challenge that I was not able to solve , but it should be possible to write a tool similar to lsadump which updates LSA secrets.
When the above has been performed, you should have successfully cloned the victim's software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim's token.

In order to demonstrate the possibility of the above mentioned attack, I installed and activated token A and token B on two separate windows XP virtual machines and attempted to clone token B on the virtual machine that was running token A. Taking the above steps, token B was successfully cloned on the machine running token A as shown in the following figures:

In order to counter the aforementioned issues, I would recommend the use of "trusted platform module" (TPM) bindings, which associates the software token with the TPM chip on the system (TPM chip for mobiles? there are vendors working on it).

26 comments

hazmat on 2012/5/18‡

Please refer to this earlier work from 2001 "Initial Cryptanalysis of the RSA SecurID Algorithm"

http://www.comms.engg.susx.ac.uk/fft/crypto/initial_securid_analysis.pdf

behrang on 2012/5/18‡

Thanks for the link hazmat, the research you mentioned was about the RSA algorithm where my post is related to the token protection issues (binding and copy protection)

http on 2012/5/20‡

As the RSA algorithm is known, why clone everything? Just get the necessary data from first system and do the "random value" calculations yourself.

It is obvious that this protection cannot work by design. Good research article though.

behrang on 2012/5/20‡

Thanks http, The article actually attempts to discuss methods of collecting those "necessary data" and feeding it to another RSA token or as you mentioned to publicly available software tools emulating an RSA token.

Olive on 2012/5/21‡

Actually some arm-based chipsets used in mobile devices already provide something similar to TPM. See also ARM's "trustzone".

behrang on 2012/5/21‡

Thanks Olive, I kenew about trustzone but didn't know that it's implemented in some phones. Can you please let me know the phone vendor and model?

nm on 2012/5/21‡

There aren't mobile TPM yet, but the same thing could be implanted by intel IPT (including mobile) in future. (http://ipt.intel.com/welcome.aspx)

ph0enix on 2012/5/22‡

Would that be possible for RSA apps running under iOS or Android?

jj on 2012/5/22‡

I have a doubt about your "final" demo.

You mention that you couldn't find a way of updating the LSA secrets, so how did you manage to get the "copy" of the token working?

Did you just clone the VM (and thus have really two instances of the same VM) and leave the "update the LSA secrets" part as a "exercise to the reader"?

I think the article is very interesting and provides a lot of useful information, but I don't really see (maybe it's just me!) that is shows a complete end-to-end attack.

Thanks a lot for the great work and for publishing it!

Bernd on 2012/5/22‡

Why is it at all needed to re-create a second windows environemnt with the same SIDs. Wouldnt it be also possible to overwrite the tokens code to read those values with the fixed numbers (or even recreate the whole algorithm...)

BTW: it is not suprising that soft token can be cloned, it is much more suprising that people think it cant (and RSA claims it cant).

As long as you do not use hardware platform binding methods (TPM or similiar) is simply conceptually imposible to bind code to a untrusted host.

And the more integrated you are, the less you need a "soft token" at all, just go for a smartcard. Oh I forgot, the vast revenue from the endpoint security market ....

Bernd

Bernd on 2012/5/22‡

Is the TPM binding doing the actual (challenged part of it) RSA prng calculation in the TPM?

Jim on 2012/5/22‡

Doesn't the soft token require user entry of a PIN that protects the key in addition to the measures shown here? You don't show this; do you assume the attacker has also stolen the PIN?

Nobody on 2012/5/22‡

Cain can do this since ages...

Jon Bohack on 2012/5/22‡

By elevating your permissions thru psexec can you obtain the lsa secrets?

OverFlow636 on 2012/5/22‡

Very nice article. I used to use ollydebug forever ago and the screen shots brought back memories.

Dan Kaminsky on 2012/5/22‡

I misunderstood this post, so perhaps I can clarify.

You cannot clone a SecureID with the device serial number. Specifically, the seed used to generate all IDs is not published in DNS and AD.

Given rootkit level access to a PC, you can extract the seed. You can then make the extracted seed work on other machines using the device serial number, which at that point you'd never need to discover remotely because -- heh, you have rootkit level access.

If you interpreted the above research to imply that you could remotely discover enough about a user's token to clone it, this is clearly not the case. However, I made the same mistake too. Perhaps Sensepost would like to clarify their research to prevent future misunderstandings.

behrang on 2012/5/22‡

Thank you all for the comments. I just wanted to emphasis that the purpose of this article was to assess the difficulty of replicating a software token which is based on a secret seed. It's an obvious fact that the software tokens does not provide very good level of tamper-resistance of hardware tokens. The article pointed out the two major attack scenario:

1) Attack one based on bypassing token bindings: In most cases RSA the software token "provisioning" file is emailed to the users. If an attacker can capture that email then he can use the first mentioned method to change his system configurations (hsotname , SIDs), thus successfuly "import" the provisioning file and activate the token.

2) Attack two assumes that the attacker has compormised the victim's system remotely or gained physical access to it in order to extract the required DPAPI blobs and LSA secrets and replicate the token in a simulator (cain provides one) or another copy of RSA software token.

Jon Bohack on 2012/5/22‡

After reading Dan's post and behrang this makes sense... I was under the impression as well that you could clone the SecureID, until I read it again. Dan... drink! :) and behrang great research. I believe that many companies practice security thru obscurity. If you know.. who your target is and what they run, you can own them with enough research. Strictly speaking from an audit perspective.

This article proves that two factor security can be duplicated if someone has physical access to the laptop. This is often the case when leaving your hotel room in a shady country... We've all heard horror stories.

Mark Gamache on 2012/5/23‡

GREAT WORK! I've been making this point for years and people acted like I was crazy. If RSA's code can read and store the seed, so can someone else's. Admin or physical access is total ownage. I'm just not smrt enough to use the tools to find such things.

behrang on 2012/5/23‡

Javier,
You mention that this does not reflect a complete end-to-end attack. I'd like to point out that this is not a research project. It was performed during a real-worled assessment in a time-frame of 5 days. Updating LSA Secrets would be theoretically possible - a point I believe we mentioned.

Nige on 2012/5/23‡

If LSA Secrets can't be updated then the whole thing falls into a heap. You admit that you couldn't do this, therefore your screenshots showing the attack working are suspect in the extreme.

Sebastian on 2012/5/23‡

It seems like the Samsung Galaxy S3 is the first one to have the Trust Zone enabled. But how a developer or researcher can use this I do not know.

behrang on 2012/5/23‡

Nige, you really don't need to update the LSA to make this work:). I included that step to relate it to the pervious research on "offline DPAPI" forensics done by stanford university. Otherwise, for a malware running in the context of a logged on user, it would be more easier to hook/call CryptUnprotectData and capture/decrypt the seed.

behrang on 2012/5/23‡

Thanks Sebastien, probably they've provided the SDK to phone vendors only. I'm very interested in any information on trustzone SDK.

Bernd on 2012/5/23‡

behrang on 2012/5/24‡

Bernd, I totally agree with you on smartcards, modern smart cards have crypto-CPUs integrated and cost <10 USD each if you don't buy in batches