In March 2011 an industry leader announced that an APT attack had extracted information from its servers. Then in May the network at Lockheed Martin experienced a ‘major disruption’ that was attributed in part to an attack leveraging that stolen information.
These attacks have inevitably raised a question among network security professionals: are OTP tokens fundamentally flawed, or does the technology just need a bit of tweaking? To answer that question it helps to understand how they work. One aspect, which my colleague Julian Lovelock has already blogged about, is key management (see Jun 9, 2011: Are OTP tokens secure? It’s a good question, but not a great one.).
Another is the token algorithm itself.
It turns out there are different flavors of token algorithm, and they differ in what drives the ever-changing number. These variations influence both the way we use the tokens and how secure they are.
OTP algorithms are normally based on a static key (one per device) and make the numbers (OTPs) change by feeding the algorithm a variable called a ‘moving factor’, usually time, an event counter, or both:
Some tokens use a time-based algorithm (RFC 6238 TOTP is the open-standard version). The issue with time as a moving factor is that it is a common variable across all devices: everyone in the world knows what the current time is, and the algorithm itself, whether a published standard or a vendor’s own ‘secret sauce’, has to be assumed known to a capable attacker. That leaves the key as the only real secret. If an attacker obtains the key of a token, they already know the algorithm and the current time, so, voilà, they can generate the changing number for that token from then on. This is why a compromise of the seed records is so damaging for time-based tokens.
Other tokens use a counter or event (the number of times the user has pressed the button to display an OTP) as the moving factor; RFC 4226 HOTP is the open-standard version. Every token then carries a differing variable, so an attacker who obtains the key still has to find out the counter before they can produce the right number for a particular token. The issue with a simple counter-based OTP algorithm is that the OTP does not really expire: it stays valid until the server sees it used, so it is susceptible to phishing (an alluring email tricks you into entering your OTP on a fake site, and the attacker replays it later). One caveat: the counter is a small integer, and the server has to accept a window of counter values ahead of the last one it saw so that token and server can drift apart by a few presses. The counter therefore adds unpredictability but is not a second secret, and rate-limiting failed attempts still matters.
Which brings us to another category of OTP algorithm that uses both time and counter as moving factors and so combines the best properties of both. The code expires like a time-based one, making it harder to phish, and it depends on a per-token counter, making it harder to predict, so a seed compromise on its own is much less effective.
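The following Python is an added worked example, not code from the original post or from any token vendor. It implements the two open-standard algorithms, RFC 4226 HOTP (counter) and RFC 6238 TOTP (time), and a hypothetical combined time+counter construction devised for this example only (it packs the time step and the counter into one moving factor; no product is claimed to work this way). A toy server-side verifier with a clock-skew window and a counter look-ahead window then runs two constructed scenarios: a phished code replayed ten minutes later, and an attacker who holds the seed and an accurate clock but not the token’s press count. The seed is the RFC reference secret; the timestamps, the counter value 7 and the look-ahead of 10 are constructed for illustration.

```python
import hashlib
import hmac
import struct

RFC_SEED = b"12345678901234567890"   # reference secret from RFC 4226 / RFC 6238
STEP = 30                            # TOTP time step in seconds


def hotp(key: bytes, moving_factor: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian moving factor, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP whose moving factor is the current time step."""
    return hotp(key, unix_time // STEP, digits)


def time_counter_otp(key: bytes, unix_time: int, counter: int) -> str:
    """Hypothetical combined scheme (an assumption for this example, not any
    vendor's algorithm): time step in the high 32 bits, event counter in the low 32."""
    return hotp(key, ((unix_time // STEP) << 32) | (counter & 0xFFFFFFFF))


class Verifier:
    """Toy server state for one token: the last accepted counter plus the clock
    skew (in steps) and counter look-ahead the server tolerates."""

    def __init__(self, key: bytes, skew: int = 1, look_ahead: int = 10):
        self.key, self.skew, self.look_ahead = key, skew, look_ahead
        self.last_counter = -1          # highest counter value accepted so far

    def _steps(self, now: int):
        return range(now // STEP - self.skew, now // STEP + self.skew + 1)

    def _counters(self):
        return range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead)

    def verify_totp(self, code: str, now: int) -> bool:
        """Valid only while the server clock is within the skew window."""
        return any(hmac.compare_digest(hotp(self.key, s), code) for s in self._steps(now))

    def verify_hotp(self, code: str) -> bool:
        """Valid until consumed: a match advances the counter so it cannot be replayed."""
        for c in self._counters():
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False

    def verify_time_counter(self, code: str, now: int) -> bool:
        """Both windows apply: the code must be fresh in time and unused."""
        for c in self._counters():
            for s in self._steps(now):
                if hmac.compare_digest(hotp(self.key, (s << 32) | c), code):
                    self.last_counter = c
                    return True
        return False


def rfc_vectors_ok() -> bool:
    """Check hotp()/totp() against the published RFC 4226 and RFC 6238 (SHA-1) vectors."""
    hotp_expected = ["755224", "287082", "359152", "969429", "338314",
                     "254676", "287922", "162583", "399871", "520489"]
    totp_expected = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                     1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}
    return (all(hotp(RFC_SEED, c) == e for c, e in enumerate(hotp_expected)) and
            all(totp(RFC_SEED, t, 8) == e for t, e in totp_expected.items()))


def phishing_replay(now: int = 1_300_000_000, delay: int = 600) -> dict:
    """Constructed scenario: the user types one code of each kind into a phishing
    page at `now`; the attacker replays it against the real server `delay` s later."""
    stolen = {"totp": totp(RFC_SEED, now),
              "hotp": hotp(RFC_SEED, 0),                   # token's first button press
              "combined": time_counter_otp(RFC_SEED, now, 0)}
    later = now + delay
    return {"totp_replays": Verifier(RFC_SEED).verify_totp(stolen["totp"], later),
            "hotp_replays": Verifier(RFC_SEED).verify_hotp(stolen["hotp"]),
            "combined_replays": Verifier(RFC_SEED).verify_time_counter(stolen["combined"], later)}


def seed_compromise(now: int = 1_300_000_000, true_counter: int = 7) -> dict:
    """Constructed scenario: attacker holds the seed and an accurate clock but not the
    press count. TOTP needs one try; HOTP needs guesses, but the counter is small."""
    server = Verifier(RFC_SEED)
    server.last_counter = true_counter - 1      # server is in sync with the real token
    totp_first_try = server.verify_totp(totp(RFC_SEED, now), now)
    guesses = 0
    for guess in range(1000):                    # enumerate counters from zero upwards
        guesses += 1
        if server.verify_hotp(hotp(RFC_SEED, guess)):
            break
    return {"totp_first_try": totp_first_try, "hotp_guesses": guesses}
```

Running `rfc_vectors_ok()` confirms the HOTP and TOTP implementations against the published test vectors before anything else is trusted. `phishing_replay()` shows the phishing point: the HOTP code is still accepted ten minutes later, while the TOTP and combined codes are rejected because their time step has passed. `seed_compromise()` shows the seed-compromise point from both sides: the time-based code is produced on the first try, and the counter-based one only after the attacker has enumerated counters up to the real one (here 8 guesses), which is the counter adding unpredictability without being a second secret, and is why the server should throttle failed attempts.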
So there you have it! There are different OTP tokens out there, and by understanding the differences you can make an informed choice: if you are replacing one token with another, you might want to ask for one that uses both time and event as moving factors.
For a more detailed analysis of how OTP works and what the differences are I published a paper a few years ago that you can find here – OTP and Challenge-Response Algorithms for Financial and e-Government Identity Assurance.