This presentation describes Google's Time-Based One-Time Password (TOTP) authentication scheme and its practical implementation, Google Authenticator. It also presents possible attacks and their prevention.
Google Authenticator, possible attacks and prevention
Google TOTP Two Factor Authentication
Boštjan Cigan
29 January 2013
TOTP
TOTP - Time-Based One-Time Password algorithm:
described in RFC 6238,
also uses RFC 4226 as a basis:
HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))
Truncate is the function that converts the HMAC-SHA-1 output into an HOTP (HMAC-based One-Time Password) value. K is the shared secret and C is the counter value (RFC 4226). In TOTP, C is replaced by T (a time-based value).
TOTP
TOTP is defined as:
TOTP = HOTP(K, T)
where T is defined as:
T = (Current UNIX Time - T0) / X
where X is the time step (usually 30 seconds), T0 is the initial time (the UNIX epoch by default) and the division is an integer division, so T counts whole time steps elapsed since T0.
Practical implementation
Google Authenticator is an open source practical implementation of TOTP.
How it works:
1. generate the secret (minimum length is 16 characters),
2. create a QR code,
3. scan the QR code using the Google Authenticator application,
4. use the generated one-time password to log in.
Google Authenticator on Android
(screenshot of the application)
Possible attacks
Attacks are only possible if the scheme is incorrectly implemented:
replay attack,
brute force attack,
(trivial) “phone stealing” attack,
QR code stealing.
To show the first two attacks, let's use WordPress (a commonly used content management system) and extend its login security with the Google Authenticator plugin.
Replay attack
Prerequisites: a countermeasure is not implemented (unique session keys, making a code invalid for the rest of its time step once it has been used).
Using Wireshark on an unencrypted (plain HTTP) login and looking for POST requests, we can expose the username, the password and the Google Authenticator code, which can then be submitted again while the time step is still valid.
Brute force attack
Prerequisites: a countermeasure is not implemented (limit the number of login attempts, lock IPs etc.).
The possible codes range between 000000 and 999999,
so in theory we have to send up to 1,000,000 requests within a timeframe of 30 seconds, assuming that we started at second 0 of the time step,
and because WordPress itself does not limit the number of login attempts, this attack is possible.
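The algorithm from the TOTP slides together with the two server-side countermeasures that the replay and brute force slides ask for, as an added example; this is not code from the presentation, from the WordPress plugin or from Google Authenticator. The verifier class, its attempt limit and the one-step clock-drift window are assumptions of this example; the secret used for checking is the RFC 4226/6238 test secret.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), C as an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, t0: int = 0, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X)."""
    return hotp(key, (unix_time - t0) // step, digits)


def key_from_authenticator_secret(secret: str) -> bytes:
    """The secret Google Authenticator scans and stores is base32 text (e.g. HBGZ5SYGSVR3GBWO on the slides)."""
    return base64.b32decode(secret.upper())


class TotpVerifier:
    """Server-side check with the two countermeasures the slides call for (assumed design):
    a time step's code is accepted at most once (replay) and failed attempts are capped (brute force).
    State is kept in memory here; a real login would persist it per user account."""

    def __init__(self, key: bytes, max_attempts: int = 5, step: int = 30, window: int = 1):
        self.key, self.step, self.window, self.max_attempts = key, step, window, max_attempts
        self.last_accepted_step = -1  # newest time step already used for a successful login
        self.failed_attempts = 0

    def verify(self, code: str, unix_time: int) -> bool:
        if self.failed_attempts >= self.max_attempts:
            return False  # locked out: the 1,000,000-code space cannot be walked in 30 seconds
        if len(code) != 6 or not code.isdigit():
            self.failed_attempts += 1
            return False
        current = unix_time // self.step
        for t in range(current - self.window, current + self.window + 1):  # tolerate clock drift
            if t <= self.last_accepted_step:
                continue  # RFC 6238 section 5.2: never accept a step whose code was already used
            if hmac.compare_digest(hotp(self.key, t), code):  # constant-time comparison
                self.last_accepted_step = t
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        return False
```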
Brute force attack
A simple script running on multiple servers would theoretically suffice (the script shown in the presentation is implemented in Python).
“Phone stealing” attack
It may be trivial, but the keys that are used to generate the codes are stored in plain text on the phone itself.
With root access we can extract the database using the tool adbd Insecure:
1. adb pull /data/data/com.google.android.apps.authenticator2/databases/databases
2. sqlite3 ./databases
3. select * from accounts;
The third column contains the secret we need:
1|test@gmail.com|HBGZ5SYGSVR3GBWO|0|0|0
QR code stealing
Prerequisites: the attacker can access the computer from which the user scanned the original QR code, and the browser cache was not cleared.
Google Chrome and other browsers cache data in a predefined folder. For Chrome, checking the cache is easy:
1. type in the URL chrome://cache,
2. from there search for the string chart?cht=qr,
3. if successful, we have the full QR code URL.
QR code stealing
A working example: the URL that was used to display the QR code is still in the cache. We can easily extract the seed (marked orange in the screenshot) that is used to generate TOTP tokens.
Because the seed travels inside that cacheable image URL, it survives in the browser's cache and history long after enrolment; the prevention is to render the QR code without a seed-carrying URL and to clear the cache after scanning.
Conclusions
Google Authenticator is safe, but only if properly implemented,
to properly implement it, programmers must read and understand the RFC documents before beginning development,
the presented WordPress Google Authenticator plugin enables attacks because of improper implementation (it does not comply with the rules written in the RFC document).
The full article describing the methods of attack, their implementation and the methods of prevention is available at http://zerocool.is-a-geek.net/?p=842.
References
Online:
1. Google TOTP Two Factor authentication
2. RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm
3. RFC 6238: TOTP: Time-Based One-Time Password Algorithm
4. Stealing Google Authenticator credentials