Thursday, March 10, 2016

Pick a card: Playing Cards as Trust Tokens


While preparing for my Bsides: Seattle presentation, I met a guy who showed me an idea for the coolest 2nd factor of authentication I think I have ever seen. Anyone who knows me even a little bit knows I have a love of close-up magic, sleight of hand, and anything generally dealing with card and coin magic. So when the guy pulled out a deck of cards, I was instantly intrigued. When he told me it was his password, I had to see it to believe it.

The idea he proceeded to show me was, at its core, an intriguingly simple and elegant one. Think of a deck of cards as a 52 bit transposition cipher. Given a set of permutation steps, the possessor of the cipher wheel should be able to provide the proper response to the challenge. I will give a simple example to start. Suppose you had cards in order (face down, from top to bottom):
[3-Hearts,5-Spades,2-Diamond,5-Diamond]
and the challenge was "Move one card from the top to the bottom, then tell me the new top card." You would shift the 3-Hearts to the bottom of the pile, resulting in the new state:
[5-Spades,2-Diamond,5-Diamond,3-Hearts]
Your response to the challenge would be "5-Spades" and you would be let into the super-secret meeting.

For a single-card token like the one I just described (5-Spades being the token), the chances of guessing the card are the standard 1/52. Nowhere near strong enough.
Now, a challenge that goes through 4 permutations? Well, Bayes would have us estimate it as independent events:
(1/52)*(1/52)*(1/52)*(1/52) = 1.36768671e-7

But in reality it works out to be more like:
(1/52)*(1/51)*(1/50)*(1/49) = 1.53907717e-7

Either way, it is an incredibly small number. When added together with a strong username and password policy, it could play the physical trust token role I have been looking for.
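The challenge and response described above, as an added Python sketch (this is not the code from the CardDeckManager repository). The function names, the card naming, the rule that a challenge never reveals the same card twice, and the choice to advance the verifier's copy of the deck only on a correct answer are all assumptions of this example.

```python
import hmac
import secrets
from fractions import Fraction

RANKS = ["A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K"]
SUITS = ["Hearts", "Spades", "Diamonds", "Clubs"]  # constructed card names

def new_shuffled_deck():
    """Enrollment: a random ordering shared by the verifier and the card holder."""
    deck = [f"{r}-{s}" for s in SUITS for r in RANKS]
    secrets.SystemRandom().shuffle(deck)
    return deck

def make_challenge(steps, size=52):
    """Pick move counts whose running totals are distinct and non-zero mod size,
    so every step reveals a different card and the 1/52*1/51*... estimate holds."""
    if steps >= size:
        raise ValueError("cannot reveal that many distinct cards")
    seen, total, moves = {0}, 0, []  # offset 0 is the current top card
    while len(moves) < steps:
        n = 1 + secrets.randbelow(size - 1)
        if (total + n) % size not in seen:
            total = (total + n) % size
            seen.add(total)
            moves.append(n)
    return moves

def respond(deck, moves):
    """Apply each move (n cards from top to bottom) and name the new top card."""
    deck, tops = list(deck), []
    for n in moves:
        n %= len(deck)
        deck = deck[n:] + deck[:n]
        tops.append(deck[0])
    return tops, deck

def verify(server_deck, moves, answer):
    """Return (ok, next_state). A wrong answer leaves the stored deck untouched,
    so failed guesses cannot push the verifier out of sync with the holder."""
    expected, advanced = respond(server_deck, moves)
    ok = hmac.compare_digest(",".join(expected).encode(), ",".join(answer).encode())
    return ok, (advanced if ok else server_deck)

def blind_guess_odds(steps, size=52):
    """Chance of naming `steps` distinct cards in order without seeing the deck."""
    odds = Fraction(1)
    for i in range(steps):
        odds *= Fraction(1, size - i)
    return odds
```

Because each correct answer leaves the deck in a new order, the holder and the verifier both have to keep the rotated state for the next challenge.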

A VERY quick overview of 2-factor authentication, if you are unaware: it is more secure because you use 2 pieces of information to authenticate. The first piece is something you know. This is generally your username and password combination. The second factor is something you possess, like a key or a particular file on your computer. It acts as a backup in case your password is stolen or guessed. Someone would still need to have physical access to your other form of authentication to get in.

Now that we have the motivation out of the way... let's get into the fun bit! As soon as the conference was over, I rushed home to add this new factor of authentication to Rellik, my ongoing botnet research CnC. A somewhat more generalized version of the code has been placed on my public GitHub at

https://github.com/dreilly369/CardDeckManager

I have recently started carrying a deck of cards with me to see in practical application how much of a problem it presents. I am already designing a hardware token version based on this principle, just in case the physical deck of cards becomes too cumbersome. Head over to my GitHub to read the code or for more specifics on how to apply it in real scenarios.
Is this something you would try doing? What methods of 2-factor authentication do you use?
