RSA Compromise concerns about authenticators

85 Goblin Priest
7145
This morning, a friend of mine forwarded me an article posted on Securosis yesterday. This article highlights an attack on RSA which resulted in data loss, and they're saying that SecurID customers may be at risk.

As far as I'm aware, the Blizzard Authenticator operates using RSA tokens. While I doubt any group with the sophistication necessary to pull off a successful APT attack on RSA would be interested in World of Warcraft accounts, I do have my concerns that the people responsible may publish their findings and the keys generated by our authenticators may become useless.

I realize it's still early in this whole deal and that even RSA doesn't know exactly what happened or what all was even compromised. I just wanted to share my concern.

I didn't want to link directly to any articles, but you can find any information on this you want with some basic web searches.

Support Forum Agent
Pokzin,

The Blizzard Authenticators are based on modified Vasco tokens. I'm sorry to hear about RSA's troubles, but it will not affect the Blizzard Authenticator.
________________________________________________
Technical Support
Want to speak with someone directly? http://us.blizzard.com/en-us/company/about/contact.html

How's my driving? https://www.surveymk.com/s/R5D3LCF
Edited by JonD on 3/18/2011 9:58 AM PDT
85 Goblin Priest
7145
That's excellent news. Thanks for the info!
100 Human Warlock
16245
The battle.net authenticators are based on the Digipass GO 6 model. It's the name on the back of your key fob. You can read up on it at http://www.vasco.com/products/digipass/digipass_go_range/digipass_go6.aspx
85 Tauren Druid
5435
The worst case scenario is likely to be a list of seed numbers being compromised. To make use of this, a hacker would still need to determine which seed value belongs to your device. To do that, he will need to observe you entering the code a few times, recording the number and the time it was entered. Then he would do an exhaustive search through the seed number list and use the algorithm to determine which one matches the recorded data. Once he has your seed number, he can enter your account anytime.

It's not a trivial exercise, so it's questionable whether it's worth the effort for a hacker to do this.

85 Tauren Druid
12605
The information that can be gleaned from the hashing method that they stole from RSA allows them to generate the proper code for the RSA authenticators after gathering enough information for the salt(s) (information such as the serial #).

Iirc, the hashing method the Blizzard authenticators use was cracked, and there are various tools online that allow you to generate the proper code when you give them your serial number. This can be useful for personal use: in case you lose your authenticator, you can still generate codes to remove it and put a new authenticator on the account without having to go through customer support and any delays.

However, as a warning, never use any of these programs you find that are from an untrusted source or come pre-compiled (they could potentially be sending your serial away for malicious use), or even risk compiling them yourself if you do not understand the language they were written in (somewhere in that code it might still send off the information).

However, even with the hashing methods known, having an authenticator is FAR greater protection than not having one. And as long as you don't give out the serial for the device to anyone other than official apps from Blizzard for use on devices such as your phone, you should be safe. (:
85 Goblin Mage
11120
03/18/2011 11:32 AM Posted by Xaylab
The actual RSA algorithm was not "compromised" nor was it hacked or beaten.

Last I recall it was still unknown if the code was compromised or not. Do you have a source stating that it wasn't?
87 Blood Elf Paladin
11290
RSA can be cracked; it just takes forever to do it. It's actually a pretty simple algorithm.
100 Tauren Druid
6600
This is why misinformation is so dangerous, regardless of what a Blizz authenticator is based on.

A product called "SecurID" made by a company called "RSA Security" was compromised.

RSA Security, makers of SecurID and one of the country's leading security firms, has said that hackers "extracted" data related to SecurID.

The actual RSA algorithm was not "compromised" nor was it hacked or beaten.

You can read about the actual RSA algorithm here.

http://en.wikipedia.org/wiki/RSA

In other news my local weather station said "Blizzard" was coming to my house. How sad I was when Bashiok did not knock on my door.... If only I had read and comprehended better.


Ah thanks for the clarification. First thought that went through my head was what the hell is this guy talking about, a correctly implemented RSA can't be cracked by any computer we have built so far.
87 Blood Elf Paladin
11290
03/18/2011 2:17 PM Posted by Rockmnna
Ah thanks for the clarification. First thought that went through my head was what the hell is this guy talking about, a correctly implemented RSA can't be cracked by any computer we have built so far.


RSA can be cracked. However, as I said above it takes forever. A team recently cracked a 768-bit RSA encrypted message; it took their cloud 2 1/2 years to get the prime factorization.
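As an added illustration of the point made in the two posts above (example code written for this page, not code from the thread or from RSA Security): a toy RSA keypair built from two small primes, followed by recovery of the private key by factoring the modulus with plain trial division. The primes and the message are constructed for the demo. The 768-bit factorization mentioned above used the number field sieve against a modulus that trial division could never reach; the toy only shows why "cracking RSA" and "factoring n" are the same problem.

```python
# Added example: toy RSA and private-key recovery by factoring n (not from the thread).
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA keypair from two primes. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Find p, q with p * q == n. Only feasible for toy moduli: the cost grows
    with sqrt(n), so a real 1024- or 2048-bit modulus is hopeless this way."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_key(pub):
    """All an attacker needs is the public key: once n is factored,
    phi(n) and therefore d follow immediately."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d)


if __name__ == "__main__":
    # constructed toy parameters: two 7-digit primes, so n is about 10**12
    pub, priv = make_keypair(1000003, 1000033)
    c = encrypt(pub, 123456789)
    print("decrypts correctly:", decrypt(priv, c) == 123456789)
    print("recovered key matches:", recover_private_key(pub) == priv)
```

The search loop runs about half a million iterations for this 40-bit modulus; the work grows with the square root of n, so each extra 20 bits of modulus costs roughly a thousand times more, which is why real attacks need sieving algorithms and still take years at 768 bits.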
27 Blood Elf Warlock
0
Iirc, the hashing method the Blizzard authenticators use was cracked, and there are various tools online that allow you to generate the proper code when you give them your serial number. This can be useful for personal use in case you lose your authenticator you can still generate codes to remove it and put a new authenticator on the account without having to go through customer support and any delays.


No, it wasn't cracked - it is simply available. Those tools do not use the serial number. They require the seeds + SN, which you do not have for your authenticator. They can emulate a new authenticator, but you cannot use them to duplicate an existing one without additional information & it doesn't really help you to go backwards from observed codes.
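The two scenarios discussed above (the druid's "observe a few codes, then search the leaked seed list" attack, and the reply's point that observed codes alone do not let you go backwards without the seeds) can be shown with a small worked example. This is code added for this page, not from the thread, and the generator it uses is a TOTP-style HMAC-SHA1 construction standing in for the token algorithm; it is not the Vasco or RSA algorithm, and the 30-second step, 6-digit codes, leaked seed file and observation timestamps are all constructed for the demo.

```python
# Added example: time-based code generation plus the leaked-seed-list search
# described in the thread. TOTP-style HMAC-SHA1 stand-in, NOT the Vasco/RSA algorithm.
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumption: one code per 30-second window
DIGITS = 6          # assumption: 6-digit codes


def generate_code(seed: bytes, timestamp: int) -> str:
    """Code a token holding this seed would show at this Unix time."""
    counter = timestamp // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def constructed_seed_list(count: int = 2000):
    """Constructed stand-in for a leaked seed file: (serial, 20-byte seed) pairs."""
    return [
        (f"SN-{i:04d}",
         hashlib.sha256(b"constructed-seed-file:" + str(i).encode()).digest()[:20])
        for i in range(count)
    ]


def find_seed(candidates, observations):
    """Exhaustive search: keep every candidate seed that reproduces all of the
    observed (timestamp, code) pairs. With a few observations only the victim's
    seed survives; with a single observation, false matches turn up at a rate
    of roughly len(candidates) / 10**DIGITS. Without the candidate list there is
    nothing to search: a 160-bit seed cannot be guessed from the codes."""
    return [
        serial for serial, seed in candidates
        if all(generate_code(seed, t) == code for t, code in observations)
    ]


def run_demo():
    leaked = constructed_seed_list()
    victim_serial, victim_seed = leaked[437]
    # the attacker watches three logins and notes the time of each
    observations = [
        (t, generate_code(victim_seed, t))
        for t in (1300500000, 1300500330, 1300501200)
    ]
    return find_seed(leaked, observations)


if __name__ == "__main__":
    print("seeds consistent with the observed codes:", run_demo())
```

The search is cheap once the seed file is in hand (one HMAC per candidate per observation, and the `all()` check stops at the first mismatch), which is the practical reason a leaked seed list matters even though it ties no seed to a user by itself: the binding is recovered from a handful of shoulder-surfed codes.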
85 Draenei Hunter
6075
The Blizzard Authenticators are based off modified Vasco tokens. I'm sorry to hear about RSA's troubles, but it will not affect the Blizzard Authenticator.


This is reassuring, thank you JonD.
3 Undead Warlock
0
03/19/2011 7:01 AM Posted by Blastpack
this thread is absolutely saturated by nerds nerding it up in their nerdry.


Yes, almost as nerdy as the thread you started asking about the same thing and wanting a Blue to post, while this one was on the front page. Glad you made it here though.
Edited by Zardeth on 3/19/2011 7:14 AM PDT
85 Tauren Druid
5435
Don't confuse RSA Security and the RSA algorithm. RSA Security was compromised. The RSA algorithm has not been compromised yet, although it's susceptible to the usual side channel and brute force attacks. RSA keyfobs do not use the RSA algorithm; it doesn't make sense to, since the RSA algorithm is used for public key cryptography, while keyfobs use a cryptographic hash.
88 Troll Priest
0
And while all you guys are talking about the RSA problem, the Blizz dev accidentally leaked the info on the company token they actually use.

Face Palm.
88 Troll Priest
0
Honestly, I never even looked for it till now. You're right, it is on the back, but it's embedded in the back and not actually on the serial number sticker.