Locked Token Client Souce Code - MD5 seed for AES PIN encryption

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Locked Token Client Souce Code - MD5 seed for AES PIN encryption

MichaelOS
Hi Nick,

I have a question re the locked token client. In the NewDomainDialog.java source file there is the following code snippet:

MessageDigest messageDigest = MessageDigest.getInstance("MD5");
byte[] key = messageDigest.digest("WiKID".getBytes());
byte[] fileData = TokenConfiguration.AESEncrypt(pin.getBytes(), new String(key).toCharArray());

Correct me if I’m wrong, but it looks like the string “WiKID” is being hashed with MD5 and the resultant seed is used to AES encrypt the PIN typed by the user when they try and request a one-time pin code?

I would like to create a much longer and more varied string rather than “WiKID”, recompile the client and then obfuscate the resultant wikidtoken.jar file so that it cannot be easily reverse engineered thus helping to hide the origin of the MD5 seed. I downloaded the latest source from Sourceforge, and tried to rebuild with ant on a Windows 7 SP1 machine running java 1.6.0_21, bcprov-jdk16-145 bouncy castle jar and using a self-signed certificate (to sign the resultant wikidtoken.jar). When I run the compiled jar and after entering and confirming the token passphrase I get the following error:

Using jar:file:/C:/Dev/WiKID/wikidtoken-3.1.25/dist/wikidtoken/wikidtoken-3.1.3/
wikidtoken.jar!/jw.properties for configuration.
java.lang.SecurityException: JCE cannot authenticate the provider BC
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at com.wikidsystems.crypto.wJceEncKeys.init(wJceEncKeys.java:31)
        at com.wikidsystems.crypto.wJceEncKeys.<init>(wJceEncKeys.java:43)
        at com.wikidsystems.crypto.wJceEncKeysFactory.generatePair(wJceEncKeysFa
ctory.java:26)
        at com.wikidsystems.client.TokenConfiguration.buildNewConfigDoc(TokenCon
figuration.java:362)
        at com.wikidsystems.client.TokenConfiguration.load(TokenConfiguration.ja
va:353)
        at com.wikidsystems.client.WiKIDToken.<init>(WiKIDToken.java:135)
        at com.wikidsystems.client.WiKIDToken.getToken(WiKIDToken.java:109)
        at com.wikidsystems.jw.JW.loadOrCreateToken(JW.java:249)
        at com.wikidsystems.jw.JW.main(JW.java:124)
Caused by: java.util.jar.JarException: Cannot parse file:/C:/Dev/WiKID/wikidtoke
n-3.1.25/dist/wikidtoken/wikidtoken-3.1.3/wikidtoken.jar
        at javax.crypto.SunJCE_c.a(DashoA13*..)
        at javax.crypto.SunJCE_b.b(DashoA13*..)
        at javax.crypto.SunJCE_b.a(DashoA13*..)
        ... 11 more
com.wikidsystems.crypto.wCryptoException: java.lang.SecurityException: JCE canno
t authenticate the provider BC
        at com.wikidsystems.crypto.wJceEncKeys.<init>(wJceEncKeys.java:57)
        at com.wikidsystems.crypto.wJceEncKeysFactory.generatePair(wJceEncKeysFa
ctory.java:26)
        at com.wikidsystems.client.TokenConfiguration.buildNewConfigDoc(TokenCon
figuration.java:362)
        at com.wikidsystems.client.TokenConfiguration.load(TokenConfiguration.ja
va:353)
        at com.wikidsystems.client.WiKIDToken.<init>(WiKIDToken.java:135)
        at com.wikidsystems.client.WiKIDToken.getToken(WiKIDToken.java:109)
        at com.wikidsystems.jw.JW.loadOrCreateToken(JW.java:249)
        at com.wikidsystems.jw.JW.main(JW.java:124)
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at com.wikidsystems.crypto.wJceEncKeys.init(wJceEncKeys.java:31)
        at com.wikidsystems.crypto.wJceEncKeys.<init>(wJceEncKeys.java:43)
        ... 7 more
Caused by: java.util.jar.JarException: Cannot parse file:/C:/Dev/WiKID/wikidtoke
n-3.1.25/dist/wikidtoken/wikidtoken-3.1.3/wikidtoken.jar
        at javax.crypto.SunJCE_c.a(DashoA13*..)
        at javax.crypto.SunJCE_b.b(DashoA13*..)
        at javax.crypto.SunJCE_b.a(DashoA13*..)
        ... 11 more

This probably has something to do with the fact that I may have used a self-signed certificate but not sure.

Questions are:

Is it good practice to change the default “WiKID” seed value in NewDomainDialog.java since it’s already public knowledge? As a thought, am I actually allowed to change source code like this and would it be supported?

Any idea as to why I’m getting “java.lang.SecurityException: JCE cannot authenticate the provider BC” error?

Thanks,
Michael.
Reply | Threaded
Open this post in threaded view
|

Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

Nick Owen
Administrator
I'm not sure about the value of changing it. I'd have to double-check, but IIRC, the AES key is used once to encrypt the OTP on the return trip. 

You're right about the cert. You will need  signed cert for JCE from oracle.


On Thu, Jan 30, 2014 at 8:25 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:
Hi Nick,

I have a question re the locked token client. In the NewDomainDialog.java source file there is the following code snippet:

MessageDigest messageDigest = MessageDigest.getInstance("MD5");
byte[] key = messageDigest.digest("WiKID".getBytes());
byte[] fileData = TokenConfiguration.AESEncrypt(pin.getBytes(), new String(key).toCharArray());

Correct me if I’m wrong, but it looks like the string “WiKID” is being hashed with MD5 and the resultant seed is used to AES encrypt the PIN typed by the user when they try and request a one-time pin code?

I would like to create a much longer and more varied string rather than “WiKID”, recompile the client and then obfuscate the resultant wikidtoken.jar file so that it cannot be easily reverse engineered thus helping to hide the origin of the MD5 seed. I downloaded the latest source from Sourceforge, and tried to rebuild with ant on a Windows 7 SP1 machine running java 1.6.0_21, bcprov-jdk16-145 bouncy castle jar and using a self-signed certificate (to sign the resultant wikidtoken.jar). When I run the compiled jar and after entering and confirming the token passphrase I get the following error:

Using jar:file:/C:/Dev/WiKID/wikidtoken-3.1.25/dist/wikidtoken/wikidtoken-3.1.3/
wikidtoken.jar!/jw.properties for configuration.
java.lang.SecurityException: JCE cannot authenticate the provider BC
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at com.wikidsystems.crypto.wJceEncKeys.init(wJceEncKeys.java:31)
        at com.wikidsystems.crypto.wJceEncKeys.<init>(wJceEncKeys.java:43)
        at com.wikidsystems.crypto.wJceEncKeysFactory.generatePair(wJceEncKeysFa
ctory.java:26)
        at com.wikidsystems.client.TokenConfiguration.buildNewConfigDoc(TokenCon
figuration.java:362)
        at com.wikidsystems.client.TokenConfiguration.load(TokenConfiguration.ja
va:353)
        at com.wikidsystems.client.WiKIDToken.<init>(WiKIDToken.java:135)
        at com.wikidsystems.client.WiKIDToken.getToken(WiKIDToken.java:109)
        at com.wikidsystems.jw.JW.loadOrCreateToken(JW.java:249)
        at com.wikidsystems.jw.JW.main(JW.java:124)
Caused by: java.util.jar.JarException: Cannot parse file:/C:/Dev/WiKID/wikidtoke
n-3.1.25/dist/wikidtoken/wikidtoken-3.1.3/wikidtoken.jar
        at javax.crypto.SunJCE_c.a(DashoA13*..)
        at javax.crypto.SunJCE_b.b(DashoA13*..)
        at javax.crypto.SunJCE_b.a(DashoA13*..)
        ... 11 more
com.wikidsystems.crypto.wCryptoException: java.lang.SecurityException: JCE canno
t authenticate the provider BC
        at com.wikidsystems.crypto.wJceEncKeys.<init>(wJceEncKeys.java:57)
        at com.wikidsystems.crypto.wJceEncKeysFactory.generatePair(wJceEncKeysFa
ctory.java:26)
        at com.wikidsystems.client.TokenConfiguration.buildNewConfigDoc(TokenCon
figuration.java:362)
        at com.wikidsystems.client.TokenConfiguration.load(TokenConfiguration.ja
va:353)
        at com.wikidsystems.client.WiKIDToken.<init>(WiKIDToken.java:135)
        at com.wikidsystems.client.WiKIDToken.getToken(WiKIDToken.java:109)
        at com.wikidsystems.jw.JW.loadOrCreateToken(JW.java:249)
        at com.wikidsystems.jw.JW.main(JW.java:124)
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at javax.crypto.Cipher.getInstance(DashoA13*..)
        at com.wikidsystems.crypto.wJceEncKeys.init(wJceEncKeys.java:31)
        at com.wikidsystems.crypto.wJceEncKeys.<init>(wJceEncKeys.java:43)
        ... 7 more
Caused by: java.util.jar.JarException: Cannot parse file:/C:/Dev/WiKID/wikidtoke
n-3.1.25/dist/wikidtoken/wikidtoken-3.1.3/wikidtoken.jar
        at javax.crypto.SunJCE_c.a(DashoA13*..)
        at javax.crypto.SunJCE_b.b(DashoA13*..)
        at javax.crypto.SunJCE_b.a(DashoA13*..)
        ... 11 more

This probably has something to do with the fact that I may have used a self-signed certificate but not sure.

Questions are:

Is it good practice to change the default “WiKID” seed value in NewDomainDialog.java since it’s already public knowledge? As a thought, am I actually allowed to change source code like this and would it be supported?

Any idea as to why I’m getting “java.lang.SecurityException: JCE cannot authenticate the provider BC” error?

Thanks,
Michael.



To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net
Reply | Threaded
Open this post in threaded view
|

Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

MichaelOS
Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.
Reply | Threaded
Open this post in threaded view
|

Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

Nick Owen
Administrator
Can you share the assessment with me?  nowen at wikidsystems.com...


On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:
Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net
Reply | Threaded
Open this post in threaded view
|

RE: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

MichaelOS

Hi Nick,

 

Apologies for the e-mails but this was another issue encountered………

 

When I generate a OTP it can be used successfully more than once in the 60sec period that the key is valid. For example, I generate a OTP and access our application via IE. Then I access our application via Firefox and the same OTP works (as long as I’m within the 60sec window). Can WiKID be configured so that the OTP is used only once? Subsequent attempts to use it will fail?

 

Thanks,

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 15:04
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

Can you share the assessment with me?  nowen at wikidsystems.com...

 

On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

Reply | Threaded
Open this post in threaded view
|

Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

Nick Owen
Administrator
What protocol are you using?  TACACS?  Otherwise, this should not be possible.  


On Tue, Feb 4, 2014 at 11:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Hi Nick,

 

Apologies for the e-mails but this was another issue encountered………

 

When I generate a OTP it can be used successfully more than once in the 60sec period that the key is valid. For example, I generate a OTP and access our application via IE. Then I access our application via Firefox and the same OTP works (as long as I’m within the 60sec window). Can WiKID be configured so that the OTP is used only once? Subsequent attempts to use it will fail?

 

Thanks,

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 15:04
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

Can you share the assessment with me?  nowen at wikidsystems.com...

 

On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]

To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML




To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net
Reply | Threaded
Open this post in threaded view
|

RE: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

MichaelOS

I’m using RADIUS. Note that the test I mentioned previously is performed from the same physical machine but different browsers.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 16:05
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

What protocol are you using?  TACACS?  Otherwise, this should not be possible.  

 

On Tue, Feb 4, 2014 at 11:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Hi Nick,

 

Apologies for the e-mails but this was another issue encountered………

 

When I generate a OTP it can be used successfully more than once in the 60sec period that the key is valid. For example, I generate a OTP and access our application via IE. Then I access our application via Firefox and the same OTP works (as long as I’m within the 60sec window). Can WiKID be configured so that the OTP is used only once? Subsequent attempts to use it will fail?

 

Thanks,

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 15:04
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

Can you share the assessment with me?  nowen at wikidsystems.com...

 

On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]

To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

 


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

Reply | Threaded
Open this post in threaded view
|

Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

Nick Owen
Administrator
In the WiKIDAdmin logs, do you see: <14> Access-Accept(2) LEN=117 10.100.0.112:44016 Access-Request by <username> succeeded for each request?

How is you app handling sessions?  


On Tue, Feb 4, 2014 at 11:14 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

I’m using RADIUS. Note that the test I mentioned previously is performed from the same physical machine but different browsers.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 16:05


To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

What protocol are you using?  TACACS?  Otherwise, this should not be possible.  

 

On Tue, Feb 4, 2014 at 11:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Hi Nick,

 

Apologies for the e-mails but this was another issue encountered………

 

When I generate a OTP it can be used successfully more than once in the 60sec period that the key is valid. For example, I generate a OTP and access our application via IE. Then I access our application via Firefox and the same OTP works (as long as I’m within the 60sec window). Can WiKID be configured so that the OTP is used only once? Subsequent attempts to use it will fail?

 

Thanks,

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 15:04
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

Can you share the assessment with me?  nowen at wikidsystems.com...

 

On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]

To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

 


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML




To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net
Reply | Threaded
Open this post in threaded view
|

RE: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

MichaelOS

Nick,

 

I’ll need to follow up on this tomorrow. I’ll close this thread and open a new one for this issue as I’ve gone completely off topic with regards to the original question.

 

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 16:28
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

In the WiKIDAdmin logs, do you see: <14> Access-Accept(2) LEN=117 10.100.0.112:44016 Access-Request by <username> succeeded for each request?

 

How is you app handling sessions?  

 

On Tue, Feb 4, 2014 at 11:14 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

I’m using RADIUS. Note that the test I mentioned previously is performed from the same physical machine but different browsers.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 16:05


To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

What protocol are you using?  TACACS?  Otherwise, this should not be possible.  

 

On Tue, Feb 4, 2014 at 11:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Hi Nick,

 

Apologies for the e-mails but this was another issue encountered………

 

When I generate a OTP it can be used successfully more than once in the 60sec period that the key is valid. For example, I generate a OTP and access our application via IE. Then I access our application via Firefox and the same OTP works (as long as I’m within the 60sec window). Can WiKID be configured so that the OTP is used only once? Subsequent attempts to use it will fail?

 

Thanks,

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 15:04
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

Can you share the assessment with me?  nowen at wikidsystems.com...

 

On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]

To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

 


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

 


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

Reply | Threaded
Open this post in threaded view
|

Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

Nick Owen
Administrator
Sounds good, just want to put this here for posterity:

The attacker would have to break the asymmetric encryption as well to get the OTP.  Take a look a the process in this white paper:


Specifically on page 9 under 'Passcode request'.  

The public/private keys are the belt, the AES key is the suspenders ;-).



On Tue, Feb 4, 2014 at 12:01 PM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Nick,

 

I’ll need to follow up on this tomorrow. I’ll close this thread and open a new one for this issue as I’ve gone completely off topic with regards to the original question.

 

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 16:28


To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

In the WiKIDAdmin logs, do you see: <14> Access-Accept(2) LEN=117 10.100.0.112:44016 Access-Request by <username> succeeded for each request?

 

How is you app handling sessions?  

 

On Tue, Feb 4, 2014 at 11:14 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

I’m using RADIUS. Note that the test I mentioned previously is performed from the same physical machine but different browsers.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 16:05


To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

What protocol are you using?  TACACS?  Otherwise, this should not be possible.  

 

On Tue, Feb 4, 2014 at 11:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Hi Nick,

 

Apologies for the e-mails but this was another issue encountered………

 

When I generate a OTP it can be used successfully more than once in the 60sec period that the key is valid. For example, I generate a OTP and access our application via IE. Then I access our application via Firefox and the same OTP works (as long as I’m within the 60sec window). Can WiKID be configured so that the OTP is used only once? Subsequent attempts to use it will fail?

 

Thanks,

Michael.

 

From: Nick Owen [via WiKID Strong Authentication Forums] [mailto:[hidden email]]
Sent: 04 February 2014 15:04
To: MichaelOS
Subject: Re: Locked Token Client Souce Code - MD5 seed for AES PIN encryption

 

Can you share the assessment with me?  nowen at wikidsystems.com...

 

On Mon, Feb 3, 2014 at 7:01 AM, MichaelOS [via WiKID Strong Authentication Forums] <[hidden email]> wrote:

Thanks Nick for the reply. We had a third-party perform a vulnerability assessment on our solution and the issue I mentioned was flagged. I'm not sure what a potential hacker would gain by knowing the AES seed.


To start a new topic under General Discussions, email [hidden email]

To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

 


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML

 


To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



 

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net

 


To unsubscribe from Locked Token Client Souce Code - MD5 seed for AES PIN encryption, click here.
NAML




To start a new topic under General Discussions, email [hidden email]
To unsubscribe from WiKID Strong Authentication Forums, click here.
NAML



--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net