Breaking a Password Manager

Interesting story of breaking the security of the RoboForm password manager in order to recover a cryptocurrency wallet password.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version—­and subsequent versions until 2015­—did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user’s computer­—it determined the computer’s date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.

If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password (for example, the number of characters in the password, including lower- and upper-case letters, figures, and special characters), this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.

Tags: , ,

Posted on June 4, 2024 at 7:08 AM17 Comments

Comments

Time is random in small measures June 4, 2024 8:32 AM

@ALL

When you see

“… unwisely tied the random passwords it generated to the date and time on the user’s computer­it determined the computer’s date and time, and then generated passwords that were predictable.”

You might get the impression that using “time” is a bad idea.

The answer is both “Yes and No” and depends in very large part on the measure or quantity you use and how you use it.

All clocks drift even those atomic clocks up in GPS satellites as far as we can tell the drift has some ideal properties as a source of entropy. The problem is extracting it and debiasing it.

The more accurate the clock the less entropy you get in any given time period. If you use say one of a series of fast rotating neutron stars

https://esahubble.org/images/potm2404a/

Then you are looking at thousands of years to get a bit you might be able to extract.

Use a water clock and you might get usable bits of entropy at a rate of several a minute.

The problem programmers face is “Computers are deterministic” and governed by an XTAL clock that gets multiplied by PLL circuits to the low microwave frequencies and every internal action is tied to it in some way.

So there is no entropy because you measure with the clock that generates the signal.

Which means using a signal that is fully independent of the XTAL clock in the computer, and that is not easy (there are tricks you can do in that there are usually two XTALs in a PC the AT-Cut CPU crystal at 30MHz or more and the B-Cut RTC crystal at 32KHz and you can “Waggon Wheel” them).

There are books written on this subject (and our host has written a couple of them) but they all only scratch the surface of the issues of time measurement and entropy. It’s very definitely a “here be dragons” subject and why most people should look for other sources of entropy that are easier to understand.

Keri B June 4, 2024 10:57 AM

To describe these actions by Grand and Bruno as “breaking the security of the RoboForm password manager” is kind of misleading. Their actions didn’t change the security of the program; it was insecure, and they just discovered that and took advantage of it. Which I guess is a “break” in the cryptographic sense, but people interpreting more colloquially might misunderstand.

It’s an interesting story, anyhow, and shows the dangers of unauditable software.

@Time is random in small measures, what you write is true, but I suspect would almost never be useful to a programmer. Maybe if they’re writing code for a satellite and can’t find much other useful entropy in space…. But here on Earth, using the time is a bit of a red flag. One might think the nanosecond values could be useful; they can be, but one has to be very careful to verify that they change by the nanosecond—as opposed to being incremented by perhaps 999997, about a thousand times a second. And one could still be in trouble if the number of nanoseconds from system boot to key generation is too predictable.

More importantly, it’s a rare programmer that has to write their own pseudo-random number-generator. The bulk of people should be using one from the system or a cryptographic library. If it’s secure, combining it with time data or other “entropy” shouldn’t affect the security, but combining it incorrectly could; either way, any kind of post-processing will needlessly complicate software-test reproducibility.

Is it simple ignorance that caused a cryptocurrency-wallet programmer to write their own? In this space, one never really knows. Criminality and greed abound; there’s been no shortage of intentionally backdoored software, and services that are outright scams. But there are also the “true believers”; and there are ineffective paranoiacs, who’ll trust an operating system to run their programs but not to provide a secure PRNG. Still, “let’s treat our money as cash, and rely on computer security to protect it”… is something unlikely to be said by anyone who’s followed computer securify for the last few decades, nevermind the last decade of Bitcoin et al.

Wannabe Techguy June 4, 2024 12:07 PM

Ok this wannabe doesn’t understand why the date and time is used for passwords. Can someone explain this in “dummy proof” language without being a smart ass? Yes you are all much smarter than me; good for you! FWIW, I make passwords using Steve Gibson’s password generator and then plugging it into his Password Haystacks.

Time is random in small measures June 4, 2024 12:30 PM

@ Keri B

Thank you for the reply

“what you write is true, but I suspect would almost never be useful to a programmer.”

But not at the top of your list 😉

All joking aside the sort of programmer you describe further down is how shall I put it ‘cognitively biased’ even to the point of paranoia. So falls to

“A little learning is a dangerous thing”

Unfortunately it’s a view point that would have been fostered by some of the antics of Linus Torvalds in the past and not helped by more recent events with

https://www.neowin.net/news/linus-torvalds-seems-frustrated-with-amd-ryzen-ftpm-bugs-and-issues-suggests-disabling/

And saying of the Hardware RNG

“There is no way anybody should believe that a firmware TPM generates better randomness than we do natively.”

Well what was it about

“Living in a state of sin”

There are reasons Hardware or True RNG’s stutter, one of which is it takes time to build and extract entropy, and for good and proper security reasons you should not ignore them, unless you really know what you are doing and in the past certainly Linus gave all the symptoms of not doing so and got rounded upon and ended up apologizing.

As I said you have to understand your entropy source be it a pulsar or water clock. Few do and few ever will.

A search on this site for RNG and “roulette wheel” or “waggon wheel” will bring up past and sometimes quite lengthy discussions. The most recent I think is

https://www.schneier.com/blog/archives/2022/03/linux-improves-its-random-number-generator.html

But the big mistake people often make was first made by Intel, their on chip TRNG was truly awful so they hid it behind a “Crypto-Secure”(CS) function.

The reason it was truly awful is basic maths of sampling that all DSP and RF engineers know. If you sample one square wave with another via a D-Type latch even though the output “close in’ looks random, further out it can easily be seen that in fact the output is a one bit quantitized sine wave of high precision at the difference frequency. If one or both oscillators are unstable then the difference frequency is unstable and is frequency modulated but only marginally so (oscillators are like pendulums they “don’t pull easily”). A simple low pass or integrator function would show the sine wave up for what it was. Therefore Intel chose to hide it behind the “magic pixie dust” of a CS-algorithm.

Some have said Intel did this at the behest of the NSA as it would allow them to “synchronize” to “zero crossing points” and thus make the search space incredibly small.

But as the old saying has it

“Why attribute to malice that which is more easily explained by idiocy”

Keri B June 4, 2024 1:58 PM

@Time is random in small measures,

There are reasons Hardware or True RNG’s stutter, one of which is it takes time to build and extract entropy, and for good and proper security reasons you should not ignore them

Linus’s proposal seems to be to read the hardware PRNG on startup, to seed the kernel’s. That seems sensible to me; I’ve yet to hear any convincing explanation (barring VM-cloning and the like) of why an operating system might ever need more than about 256 bits of entropy. The whole purpose of a stream cipher is to generate a bitstream that’s entirely unpredictable, indistinguishable from “true randomness”, right? Mixing in a few new bits at startup or periodically, if done correctly, may be defensible as a defense-in-depth measure. But it should be safe in principle to seed the PRNG once and generate many terabytes before there’s an information-theoretical reason to re-seed.

The tendency to over-complicate this seems to be to detrimental overall. That includes the existence of all of /dev/random, /dev/urandom, getentropy(), getrandom(), and arc4random(); and them having “caveats” and minor differences, such as whether and how they can fail; and the lack of any guidance in the maunal pages of which, if any, should be preferred and why. The same goes for gnupg’s three security levels for --gen-random (with a bonus point for not saying which of 0, 1, or 2 is the most secure), and for all of the programs that feel a need to “improve” system-provided entropy.

Emoya June 4, 2024 3:31 PM

@Wannabe Techguy

Basically, entropy is a measure of randomness. When a system needs to generate something random, such as a cryptographic key or password, there must be something to serve as a source for the entropy. As stated, computers are deterministic in nature, and, therefore, are terrible sources of their own entropy.

Most commonly used “random” number generators in programming are actually pseudo-random number generators (PRNG), which use the system clock to seed a deterministic algorithm that generates random-looking output, but which is not random at all. If you can find the seed value, then every literal bit of output from the algorithm can be reproduced.

To mitigate this, Cryptographically-secure pseudo-random number generators (CSPRNG) have been created. These typically extract entropy through computer interaction with external sources, such as mouse movements, keystroke tempo, etc., and collect it to be used when needed for more secure applications. These CSPRNGS require a “charging time” to collect enough usable entropy, so they can’t be spun up immediately on-demand, but need to execute for a short time.

Then there are true random number generators (TRNG). These are typically some form of special-purpose hardware that collect entropy from the environment through various sensors, and then collect it similar to CSPRNGS.

RoboForm’s failing was in that at least one programmer, whether out of laziness or naivete, took the easy way out. It is inadvisable to develop from scratch your own CSPRNG, as they are complex and there are a multitude of considerations when writing cryptographic software that do not apply to other development. As mentioned above, standard practice is to integrate an established and tested cryptographic library.

Not really anonymous June 4, 2024 4:18 PM

The difference between PRNGs and CSPRNGs is not the source of their entropy, but rather in how hard it is to calculate their state based on output. While using a bad source of entropy for a CSPRNG will make the CSPRNG weak, using a good source of entropy for a non-CSPRNG PRNG will not make it strong.

Winter June 4, 2024 4:20 PM

@Wannabe Techguy

Ok this wannabe doesn’t understand why the date and time is used for passwords.

There was a time when iterating over thousands of (milli) seconds to find the seed of a cryptographic key was a challenge. But that time has passed a long time ago.

Some people used either old code or old customs and stuck to it when it certainly was not secure anymore.

Winter June 4, 2024 5:02 PM

@Winter (myself)

There was a time when iterating over thousands of (milli) seconds

Correction, there are over 30 million seconds in a year, so it would be guessing tens of millions of seconds. This is comparable to a keysize of ~25 bit.

The difference doesn’t matter. DES with a 56 bit keysize was already broken in 1999.

Time is random in small measures June 4, 2024 6:21 PM

@Keri B

“The whole purpose of a stream cipher is to generate a bitstream that’s entirely unpredictable, indistinguishable from “true randomness”, right?”

Err no. Only to the opponent and even then the statistics of a bitstream is all to often predictable enough as a distinguisher (unicity distance) in as little as 2N and less than 3N-2 (longest run of zeros or ones). Where N is the effective size of the state array. This is because in a keyed bitstream the individual bits are not fully independent of each other.

The only bitstream where the bits are fully independent is an unbiased True Random Bit source which by definition can not be generated from a short key.

No matter how good the crypto secure algorithm is, it will always be subject to dictionary attacks. Especially Unkeyed CS algorithms like hash functions.

As I said the use of a roulette or waggon wheel system with a D-type latch as a “mixer” produces a one bit digitized sine wave. In reality it has squat entropy just looking for the values that represent the zero crossing point twice gives the rest of the sequence away via a very small search space.

Which is why you really have to encrypt the output of an RNG with a “keyed CS algorithm” in a “chaining mode” or similar. Where you change the key at a rate no less than N/2 or preferably way way more frequently (some suggest every short time period where the period is related to the rate you pull bits out of the RNG system).

As for what Linus “recommends” I’ve not looked because there are almost certainly better ways depending on what your trade-offs are.

Whilst speed and security are not the inverses of each other it’s close enough to a rule of thumb to be cautious about “fast algorithms” especially if they have “very small effective state”.

Time is random in small measures June 4, 2024 7:07 PM

@Wannabe Techguy

“Ok this wannabe doesn’t understand why the date and time is used for passwords. Can someone explain this in “dummy proof” language without being a smart ass?”

If I understand you correctly you want to know why some one was stupid enough to use “time”?

The answer is sadly one that keeps coming up. It happened in Netscape back in the 1980’s and has happened repeatedly all to often since.

The only thing that to a programmer changes continuously on a computer is time everything stays the same unless changed.

So time is incorrectly seen by many as being two things,

1, Constantly changing.
2, Never repeating.

Well… There was talk of a “negative leap second” not so long ago

https://en.wikipedia.org/wiki/Leap_second

That might happen in 2029. Which would break both notions. But contrary to what many think time does not ever “change constantly” with digital clocks no matter how fast they tick. Even more fun time changes at different rates depending on where you are and how you move with respect to another point in space hence “inertial time frames” are one of those “just let me cover my ears” things. For a philosophical view point

https://plato.stanford.edu/entries/spacetime-iframes/

But remember they effect the way your mobile phone amongst other everyday technology we take for granted works…

If you are writing a computer game then using a simple encryption of time as a seed for the game PRNG was fine back in the 1980’s so each game you played was effectively different.

But from a security aspect using time no matter how you encrypt it is really very very silly.

Because “files have file times” and “locations in file systems”. So if the output of the password generation is written to a file as frequently happens then an attacker has a start point to do a “dictionary attack” over a very small search space. Even if the file is deleted the hole it leaves in the file system gives the time fairly well.

Keri B June 4, 2024 7:31 PM

@Time is random in small measures,

Parts of your comment went a bit over my head. But to your point that it only looks random to the adversary… isn’t that sufficient? By definition, if I were worried about attacks by any other party, they’d be my adversary (one of them).

More concretely, let’s say I use 256 reasonably fair coin flips to generate a ChaCha20 key, and hand out subsequent bits of the keystream whenever any of my software requests entropy. If the implementation is correct and the key (and derived internal state) doesn’t leak, what are the attacks, and how practical are they?

From my point of view, Fortuna looks a lot like a stream cipher, with the extra property that one can arbitrarily feed in untrusted data to transform the “key”. I’m not aware of anyone having ever compromised it (that is, predicted its output, again assuming no state-leaks) once it’s accumulated “enough” entropy; even if it’s never re-seeded.

@echo,

I have to assume you’re talking about me. I’m not Clive, nor a Clive impersonator (the handle not saying “Clive” should be a dead giveaway), nor a participant in the threads you mention. And I feel like this business of the comments being full of accusations and counter-accusations is getting out of hand. Perhaps Bruce should provide an out-of-band channel for complaints about comments.

The only reason I’m even typing a name is because the blog doesn’t have comment-threading enabled, and people may wish to direct replies to me (and, hence, the blog guidelines request that people provide names). They change so that Google and other web-crawlers can’t easily make a dossier of everything I’ve ever written here, nor link it to comments elsewhere. They’re feminine if that’s what my random name-generator spits out that day. I’m sure I’m not the only one doing this, because there are lots of programs and sites to generate names randomly, and I didn’t create any of them.

Time is random in small measures June 5, 2024 7:41 AM

@ Keri B

“But to your point that it only looks random to the adversary… isn’t that sufficient? By definition, if I were worried about attacks by any other party, they’d be my adversary (one of them).”

Err no, “my adversary” is a very limited subset of “Attackers”.

Consider, you write a program, presumably not just for your use.

Then anyone attacking your program is attacking all your users as well as you.

Those who attack in a more systematic way are attacking an even wider group of people.

Those who attack things in a general way are like the NSA and other Five-Eyes they are attacking all on an industrialised basis.

It’s why in the past it’s been mentioned that attacking

  1. Implementations
  2. Interoperability
  3. Protocols
  4. National Standards
  5. Industry Standards
  6. International standards
  7. Legislation
  8. International treaties

Is more effective for the NSA the “further up the stack” they go.

But some attacks are very generic and very effective. Because they attack incorrect assumptions in security.

For example it does not matter what block-width the output of a block cipher is in bits, if the input alphabet is very small and in reality as little as one bit.

For example a “Command Line Interface”(CLI) menu system asking “y/n” as a response.

It’s one of the reasons nobody should use ECB as a mode but some chaining mode with changing IV for each new encryption session.

Hashes are in effect block ciphers with known key in ECB mode, they were never designed to protect data.

They are thus very vulnerable to “Dictionary Attacks” or “Rainbow Table attacks” that work against all “One Way Functions”(OWFs) no natter how strong when they are used with a limited input alphabet.

It’s why I said the NSA could easily attack the likes of the Intel on chip TRNG and similar that all used a D-type latch to sample one clock with another. You can prove graphically that a digitised sine wave results and if you actually feed it into an integrator or low pass filter, you get an extraordinary good sinewave as a result.

A sine wave crosses the zero axis twice thus it’s frequency is easily determined. Similarly it reaches other known points at known times. It’s a simple case of basic mathematics to determine the input to the hash from that point onwards and thus retain synchronisation by a simple staircase algorithm to search through a very very reduced search space.

So the TRNG is at that point broken and a known quantity to an attacker.

Thus in reality as the hash is unkeyed it provides no increase in security what so ever.

Hopefully that makes it a bit clearer?

But something else you need to consider.

‘Ever heard of PUFs or “Physically Unclobable Functions”?’

In short, when you power up semi-conductors such as logic gates they come up in more or less the same value every time.

This was noted by researchers who then found a way to make it like a random serial number on a chip.

You mention

“Linus’s proposal seems to be to read the hardware PRNG on startup, to seed the kernel’s.”

Depending on how it is done this might be an extraordinarily bad idea due to the effective PUF problem at start-up giving a very small range of values easily within range of a search strategy.

whatdoiknow June 6, 2024 1:06 AM

Which is why, for important accounts, I take the randomly generated password created by the password manager, and switch an arbitrary character before saving it.

Embedded Developer June 6, 2024 2:28 AM

@Keri B
“I suspect would almost never be useful to a programmer”

Regarding getting random numbers out of independent clocks, I’ve done this using the method described in

https://www.ti.com/lit/pdf/slaa338

My implementation passed the FIPS 140-1 tests, but only when running the chip at 3.3V.

It’s not for a cryptographic application, but then I wouldn’t roll my own if it were.

Time is random in small measures June 6, 2024 6:37 AM

@Embedded Developer
@Keri B

“Regarding getting random numbers out of independent clocks, I’ve done this using the method described in…”

The method described in the Texas Instrument Application Note is a basic “Roulette / Waggon wheel” system I’ve described the deficiencies of above already.

You can see this in the top of fig.1 (in the app note) especially clearly if you remove the divider. What is described as the “Timer_A” is in effect the equivalent of a D-Type latch and digital integrator. This output of Timer_A with the divider removed is the only part of the circuit where the entropy of the two oscillators is found in the all important “raw state” needed for testing.

In the bottom right corner if configured correctly the XOR gate acts as a Von Newman de-bias circuit. The rest of the diagram is just a deterministic system to add predictable “jitter”.

Whilst section “3. Adding Randomness” might appear to be doing this, I can assure you it is not. What it is doing is simply adding “modulation” in the form of “Deterministic Jitter”. If you doubt this then trace things back and you will discover that it is all “fully interdependent and deterministic”

In short it is the “magic pixie dust” thinking that usually adds a high gate count “CS Algorithm” like a “Hash Function” to the output of an RNG with little or no entropy output.

This TI RNG is another case of “designed to beat the test”.

The FIPS 140-2 published tests are known to be at best “low water mark” tests. Or to put it another way,

‘Passing FIPS does not indicate randomness in your generator. However failing FIPS most definitely indicates a lack of randomness in your generator.’

Have a read of,

https://pure.royalholloway.ac.uk/en/publications/on-the-unbearable-lightness-of-fips-140-2-randomness-tests

They show several “designed to beat the test” RNG’s one of which is deliberately backdoored.

I would say “trust me when I say”

‘Using this Texas Instruments RNG for anything even remotely security related would be “severely contra-indicated’

But I would rather people learned why I say it thus could see other “designed to beat the test” RNGs.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.