Fine with "1234"? An Analysis of SMS One-Time Password Randomness in Android Apps
作者: Elisa Bertino , Diethelm Ostry , Juanru Li , Hyoungshick Kim , Surya Nepal
DOI:
关键词:
摘要: A fundamental premise of SMS One-Time Password (OTP) is that the used pseudo-random numbers (PRNs) are uniquely unpredictable for each login session. Hence, process generating PRNs most critical step in OTP authentication. An improper implementation number generator (PRNG) will result predictable or even static values, making them vulnerable to potential attacks. In this paper, we present a vulnerability study against PRNGs implemented Android apps. key challenge typically on server-side, and thus source code not accessible. To resolve issue, build an analysis tool, \sysname, assess implementations automated manner without requirement. Through reverse engineering, \sysname identifies apps using triggers app's functionality retrieve values. It further assesses randomness values identify PRNGs. By analyzing 6,431 commercially downloaded from \tool{Google Play} \tool{Tencent Myapp}, identified 399 generate Even worse, 194 use authentication alone any additional security mechanisms, leading insecure guessing attacks replay
arxiv.org参考文章(31)
Aggelos Kiayias, George Argyros, I forgot your password: randomness attacks against PHP applications usenix security symposium. pp. 6- 6 ,(2012)
Lawrence E. Bassham, Mark Vangel, James R. Nechvatal, David L. Banks, Elaine B. Barker, Juan Soto, Miles E. Smid, Mark Levenson, Stefan D. Leigh, San Vo, Andrew L. Rukhin, Nathanael Alan Heckert, James F. Dray, SP 800-22 Rev. 1a. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications National Institute of Standards & Technology. ,(2010)
David A. Molnar, Michael Y. Levin, Patrice Godefroid, Automated Whitebox Fuzz Testing. network and distributed system security symposium. ,(2008)
Raymond Kammer, William M. Daley, Cheryl Shavers, Security Requirements for Cryptographic Modules ,(1999)
David Naccache, Mihir Bellare, Ohad Ranen, Frank Hoornaert, HOTP: An HMAC-Based One-Time Password Algorithm RFC. ,vol. 4226, pp. 1- 37 ,(2005)
Marc Girault, Robert Cohen, 2)Mireille Campana, A generalized birthday attack theory and application of cryptographic techniques. pp. 129- 156 ,(1988) , 10.1007/3-540-45961-8_12
Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergniaud, Daniel Wichs, Security analysis of pseudo-random number generators with input: /dev/random is not robust computer and communications security. pp. 647- 658 ,(2013) , 10.1145/2508859.2516653
Michael Mascagni, Ashok Srinivasan, Parameterizing parallel multiplicative lagged-Fibonacci generators parallel computing. ,vol. 30, pp. 899- 916 ,(2004) , 10.1016/J.PARCO.2004.06.001
François Panneton, Pierre L'Ecuyer, Makoto Matsumoto, Improved long-period generators based on linear recurrences modulo 2 ACM Transactions on Mathematical Software. ,vol. 32, pp. 1- 16 ,(2006) , 10.1145/1132973.1132974
Adam Greene, Michael Sutton, Pedram Amini, Fuzzing: Brute Force Vulnerability Discovery ,(2007)