When we began work on our SmartDongle security key (www.smartdongle.com), our intentions were to create a device that would be an adequate deterrent to theft. While we understand that complete security is impossible in open systems like PCs, we wanted to make it hard enough to break that would-be hackers would look elsewhere. In an effort to show that our product was more than smoke-and-mirrors, we decided to open the kimono and submitted an article to Dr. Dobb's Journal that gave significant details on how our SmartDongle USB security key worked (www.ddj.com/security/184406281). This is always a scary proposition, but it was especially fearsome based on the characteristics of DDJ readers. There are some real ferrets out there.
I was not disappointed. Several readers responded with a variety of suggestions and judgements. The most common response we got from readers is that there are algorithms for determining the keys used in a linear congruential sequence (LCG) if successive values are known. The classic paper on the subject is "Cracking A Random Number Generator" by James Reeds (www.dean.usma.edu/math/pubs/cryptologia/ClassicArticleReprints/V01N1PP20-26JamesReeds.pdf). While there are many articles indicating how easy it is to find the keys given the sequence, the articles I read assume that the sequence is available. In our case, the sequence is not available. In the SmartDongle, each time a challenge is made, the starting point for that challenge comes from the free-running counter. This counter is changing quickly and is unknown to outside observers. The result is that users can observe Ln and Ln+1, but never Ln+2. While there may be effective algorithms available to use snippets of the sequence to find the keys, I wasn't able to find them.
Let's assume that enterprising intruders are able to analyze the data on the USB bus, collect a sufficient number of values, and apply the appropriate effort to determine the key values. Is the usefulness of the SmartDongle over? Not really. An intruder cannot use that information to clone another key. It is impossible (even with that information) for a program communicating with a SmartDongle by using the correct keys to change the key values on the device. The keys are not stored in memory that can be accessed by any program, even if it knows the keys. The bottom line is that this approach cannot turn a hardware key for product X into a key for product Y.
Soon after the magazine hit the newsstands, I got a call from Mr. A, a computer-science student at a major university. He asked for free copies of the software and SmartDongle to use in a class project. I didn't feel it was wise to give a free pass to someone whose objective was to expose problems and publish his findings, so I graciously declined his request. Soon after, I got a request from Mr. B, a person who was willing to obtain the software and SmartDongle through the usual purchase procedure. As a matter of coincidence, Mr. A and Mr. B lived in the same city. It didn't take long to figure out that Mr. B and Mr. A were friends, and that the hardware and software had made their way to the computer-science student. As the end of the semester approached, I looked up Mr. A and asked what he had learned in his investigation of the SmartDongle. He was kind enough to send me a link to his report on which two students collaborated. The report describes their approach to solving the problem. They indicated that they made some progress in cracking the device, but that because of the inherent delays in the system, it didn't lend itself to an exhaustive search. It takes about 12 milliseconds per guess, and there are lots of guesses required. The paper said that it would take more than 900 million years to crack the SmartDongle. Happily, this is a timeframe we can live with.
Another issue that was brought forward from a different source deals with the fact that our challenge and response was a one-way challenge. The SmartDongle issues the challenge to the host and the host responds. It is only necessary for a fake SmartDongle to watch the USB wire for one successful challenge and response, and then it could always use the same number for the challenge. Knowledge is power, and we put the knowledge to work. We modified the drivers and SmartDongle firmware. Our new firmware requires that the challenge/response go both ways. First, the SmartDongle challenges the PC, and after that succeeds, the PC challenges the SmartDongle. This requires that a fake SmartDongle not only remember one successful conversation, but that it actually knows the keys so that it can make a response to the challenge made by the host.
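The difference between the one-way and two-way exchange described above can be simulated on a host alone. This is an added example, not SmartDongle code: HMAC-SHA256 stands in for the product's keyed response function, and the class names, key, and 8-byte challenge size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def respond(key, challenge):
    # Stand-in keyed response (assumption): HMAC-SHA256, not the product's algorithm.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Dongle:
    """Genuine device: holds the key, issues fresh challenges, answers the host."""
    def __init__(self, key):
        self._key = key
    def challenge(self):
        self._c = secrets.token_bytes(8)
        return self._c
    def check(self, response):
        return hmac.compare_digest(response, respond(self._key, self._c))
    def answer(self, host_challenge):
        return respond(self._key, host_challenge)

class ReplayDevice:
    """Keyless imitation that only remembers one recorded exchange."""
    def __init__(self, challenge, response):
        self._c, self._r = challenge, response
    def challenge(self):
        return self._c                      # always the same number
    def check(self, response):
        return hmac.compare_digest(response, self._r)
    def answer(self, host_challenge):
        return self._r                      # no key, so it can only repeat old bytes

def host_session(key, device, mutual):
    c = device.challenge()                  # step 1: device challenges the host
    if not device.check(respond(key, c)):
        return False
    if not mutual:
        return True                         # original one-way design stops here
    nonce = secrets.token_bytes(8)          # step 2: host challenges the device
    return hmac.compare_digest(device.answer(nonce), respond(key, nonce))

def demo():
    key = secrets.token_bytes(16)           # constructed sample key
    real = Dongle(key)
    c = real.challenge()
    imitation = ReplayDevice(c, respond(key, c))   # one observed exchange
    return {(name, mutual): host_session(key, dev, mutual)
            for name, dev in (("real", real), ("replay", imitation))
            for mutual in (False, True)}

if __name__ == "__main__":
    print(demo())
```

The property that matters is that the host's challenge is fresh for every session; if the host reused its challenge, the second direction would be replayable in the same way as the first.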
We appreciate the review and feedback we received from DDJ readers. It has let us improve our product. Our software development customers didn't have to change their code, and the security is improved. We aren't so naïve as to believe that our approach provides an unbreakable solution, but we do believe that the time and effort required to crack and bypass the security is sufficiently high that intruders will look for easier targets.