Questionable crypto - Neal Asher's ‘Departure’
Last time, we investigated some questionable design choices in the TLS-like AF protocol from Autonomous. Today's unfortunate victim is a TOTP-like monstrosity from Neal Asher's The Departure. Near the end of the novel, the main character, Saul, commandeers a network of robots from the antagonist, Smith. Saul locks Smith out of the robots like so:
He reprogrammed [the robot] and tightened its computer security, shutting down its response to station signals and making it accessible only by a ten-digit code constantly changing according to a formula that only he – and it – knew.
This time-based authorisation code is similar in many ways to TOTP (the Time-Based One-Time Password algorithm), defined in RFC 6238, which is the basis for most (good) one-time-password-based two-factor authentication systems, such as Google Authenticator.
Based on this early description in the novel, some questions are immediately raised. TOTP is based on HMAC/SHA-1, a rather complicated mechanism described in the RFCs as an ‘algorithm’ or ‘construction’. The Departure, on the other hand, uses the term ‘formula’, which is evocative of some sort of simple mathematical relationship.
The term ‘formula’ is reminiscent of the Mersenne Twister, or some other simpler pseudorandom number generator (PRNG), though even that is pushing the borders of ‘formula’. This, however, would be disastrous for the security of Saul's system. The Mersenne Twister and other simple PRNGs are not cryptographically secure. In the case of the usual Mersenne Twister, observing only 624 resulting codes would allow an attacker to predict all future codes.
But let us give Asher the benefit of the doubt and suppose that the process is cryptographically secure. The ‘secret’ formula, effectively a symmetric pre-shared key, is a classic example of security through obscurity – the process is only secure until the adversary (Smith) works out what the formula is (which Smith eventually does).
Worse still, Asher goes on to write:
Controlling the robot’s laser com, he had opened a communication channel with the loader robot and at once included it in his personal network. He had input the same changing ten-digit code to the larger robot
In other words, Saul commandeers a second robot, and uses the same code to secure it. One assumes he continues to do so for all the other robots.
Therefore, if the shared secret formula is compromised – if Smith hacks into even one robot, or manages to brute-force the code for even one robot – Smith gains control over the entire network of robots. This does, in fact, happen later in the novel, and causes Saul significant difficulty – difficulty which could have been entirely avoided if he had avoided key reuse.
Now at this point, radio communications between Smith and the robots are down. Later, communications are restored and this exchange follows:
That Smith now knew he controlled robots was almost instantly confirmed when all of their radio receivers activated at once, though whatever orders Smith had sent them could not bypass the ten-digit code.
Keeping in mind that this radio channel is the same channel that Saul has been using to communicate with the robots at a distance, this raises the question of whether the radio channel is secure. If Saul can see Smith's radio communications with the robots, surely Smith can see Saul's radio communications with the robots too?
If the channel is not secured against eavesdropping, this would be contrary to the TOTP specification in RFC 6238, which states that ‘All the communications SHOULD take place over a secure channel, e.g. Secure Socket Layer/Transport Layer Security (SSL/TLS)’. An unsecured radio channel does not meet this requirement.
If Saul has neglected this aspect of security, then we meet again with many of the same issues as with Autonomous. The unsecured protocol is susceptible to a replay attack and subsequent session hijacking – if Smith can intercept a ten-digit code, he can, until that code expires, use the code to control the robot, or, thanks to the key reuse outlined previously, control any other robot. Since the lifetime of the code needs to be long enough to account for communication delays, it is conceivable that Smith could do serious damage with this access. Indeed, it is possible that Smith would be able to, using this access, extract the secret formula from a robot and (again, thanks to the key reuse) regain control over all the robots.
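To make the mechanics behind the last few paragraphs concrete, here is an added example (my own code, not from the novel or the original post) that implements HOTP/TOTP over HMAC-SHA-1 as RFC 4226 and RFC 6238 specify, checks it against the RFCs' published test key, and pairs it with a hypothetical per-robot verifier that refuses replayed codes. The `RobotVerifier` class, its `skew` parameter and the two-robot scenario are assumptions for illustration; `distinct_codes` shows why a ‘ten-digit code’ built this way carries no more than 31 bits.

```python
import hashlib
import hmac
import struct

RFC_KEY = b"12345678901234567890"  # shared-secret test key from RFC 4226 / RFC 6238

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by floor(time / step)."""
    return hotp(key, unix_time // step, digits)

def distinct_codes(digits: int) -> int:
    """Dynamic truncation yields a 31-bit value, so at most 2^31 distinct codes
    exist however many digits are printed: a 'ten-digit code' is zero-padded."""
    return min(10 ** digits, 2 ** 31)

class RobotVerifier:
    """Hypothetical per-robot verifier. It accepts codes from neighbouring time
    steps (clock skew, radio delay) but remembers the last accepted step, so a
    code captured off the channel cannot be replayed (RFC 6238 section 5.2)."""
    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew
        self.last_accepted = -1  # highest time step already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for t in range(now - self.skew, now + self.skew + 1):
            if t <= self.last_accepted:
                continue  # step already consumed: reject as a replay
            if hmac.compare_digest(hotp(self.key, t, self.digits), code):
                self.last_accepted = t
                return True
        return False

if __name__ == "__main__":
    robot_a = RobotVerifier(RFC_KEY)
    robot_b = RobotVerifier(RFC_KEY)  # Saul's mistake: same formula on every robot
    code = totp(RFC_KEY, 40)         # time step 1 -> "287082"
    print(robot_a.verify(code, 40))  # True: fresh code
    print(robot_a.verify(code, 55))  # False: replayed within the same step
    print(robot_b.verify(code, 40))  # True: the captured code opens robot B too
    print(distinct_codes(10))        # 2147483648, not 10**10
```

Giving each robot its own key makes the third check fail, which is the whole point of the key-reuse objection above.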
The key point to take away from all this is that, even if Saul had implemented TOTP correctly, TOTP is fundamentally not the appropriate approach in this case. From RFC 4226, ‘One-Time Passwords are often preferred to stronger forms of authentication such as Public-Key Infrastructure (PKI) or biometrics because an air-gap device does not require the installation of any client desktop software on the user machine’. In other words, communication between the client and server can be effected by hand.
This is the reason for the use of symmetric keys in TOTP: so that ‘the token MUST be easily read and entered by the user: This requires the [T]OTP value to be of reasonable length’ (RFC 4226). But in this case, this is entirely unnecessary. Saul is interfacing directly with the robots through specialised hardware and software, and there is therefore no reason for the security to be limited to a ten-digit code.
A more appropriate solution in this case would be a more advanced public-key system, such as U2F (which replaces one-time passwords with a physical device plugged into the computer) or TLS client authentication.