The Heartbleed Bug – Need for an MO (Mobile-Originated) Authentication

The Heartbleed bug provides an opportunity for a hacker to break into your SSL connection and steal information that you thought was private.

The following items can be stolen without leaving any trace of the attack:

  1. The UserIDs and Passwords of users logging onto the system.
  2. The secret encryption keys of X.509 certificates. X.509 certificates are the certificates that are issued to enable SSL on web sites. If you have the X.509 key, you can create your own SSL connection into a service.
  3. Whatever business information is available on a server after you crack into it with your stolen UserID and Password.
  4. If you have the X.509 encryption keys, you will be able to decrypt any SSL traffic that you sniff. You will still be able to do this even after the bug has been fixed, and you will be able to keep doing it until the encryption key is changed. So you would be able to continue sniffing UserIDs and Passwords until the certificate is re-issued.

Who is affected?

This is a list of the most commonly affected applications:

  • The Apache and nginx web servers
  • The following operating systems:
    • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    • CentOS 6.5, OpenSSL 1.0.1e-15
    • Fedora 18, OpenSSL 1.0.1e-4
    • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    • FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
    • NetBSD 5.0.2 (OpenSSL 1.0.1e)
    • OpenSUSE 12.2 (OpenSSL 1.0.1c)
  • Many routers, firewalls and switches from both Cisco Systems and Juniper Networks
  • Network appliances from a number of manufacturers. One of the most common types of network appliance is the VPN appliance.

How are multi-factor authentication systems affected?

  1. MT (Mobile-Terminated) style authentication systems: Since the key in MT systems comes to your cell phone and is then entered on the web site, the key is just as easy to steal as the UserID and Password. If the key provider allows any kind of re-use of the key, the attacker can gain access using the stolen key.
  2. TextKey, a patent-pending MO (Mobile-Originated) style authentication system: Since the key is displayed on a browser window and must be texted from a registered cell phone, it is a lot more secure than MT systems.
    • A hacker can steal the key displayed on the browser window, and can even steal an optional personal PIN that needs to precede or follow the key, but cannot steal the cell phone number. They need the cell number to authenticate.
    • Easy access schemes have great advantages in MFA schemes because they are useful in many cases where the company is willing to trade some security for convenience. TextKey can handle these with very little loss of security. MT schemes that employ re-use are completely compromised by something like Heartbleed.
    • All TextKey authentication modes require the Cell Number. The raw cell phone number would never be passed along the same connection as the UserID and password. TextKey provides a Cell Phone Number Proxy in cases where the cell phone number needs to be passed along. A cell phone number proxy is a long 128-bit number that doesn’t look like a cell phone number at all. There is an API call to create a cell phone number proxy, but that API connection must be totally separate from the connection to the user. There is no API call to translate a cell phone number proxy back to a cell phone number.

TextKey is inherently more resistant to things like the Heartbleed bug because its authentication occurs on a totally separate and totally different type of network (the cellular network). The Heartbleed bug does not affect the cellular network.
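
The MO check and the cell phone number proxy described above can be modelled in a few lines. This is an added example, not TextKey's code or API: the class, method names, key format and phone numbers are all hypothetical, and it assumes the sender number is delivered by the SMS gateway rather than by anything sent over the web session.

```python
import hmac
import secrets

class MOVerifier:
    """Toy model of mobile-originated (MO) verification. All names are hypothetical."""

    def __init__(self, key_ttl=120):
        self.key_ttl = key_ttl   # seconds a displayed key stays valid
        self.registered = {}     # user_id -> cell number, never sent over the web session
        self.proxies = {}        # 128-bit proxy -> cell number, resolved server-side only
        self.pending = {}        # displayed key -> (user_id, expiry time)

    def register(self, user_id, cell_number):
        self.registered[user_id] = cell_number

    def create_proxy(self, cell_number):
        # Random rather than derived from the number, so it cannot be inverted.
        proxy = secrets.token_hex(16)   # 16 bytes = 128 bits
        self.proxies[proxy] = cell_number
        return proxy

    def issue_key(self, user_id, now):
        # Shown in the browser: treat it as readable by anyone who can read the TLS session.
        key = secrets.token_hex(4).upper()
        self.pending[key] = (user_id, now + self.key_ttl)
        return key

    def on_inbound_sms(self, sender_number, body, now):
        # Assumption: sender_number is supplied by the SMS gateway, not by the web client.
        key = body.strip().upper()
        user_id, expiry = self.pending.get(key, (None, 0))
        if user_id is None or now > expiry:
            self.pending.pop(key, None)   # drop expired keys
            return None
        expected = self.registered.get(user_id, "")
        if not hmac.compare_digest(sender_number.encode(), expected.encode()):
            return None                   # right key, wrong phone: rejected
        del self.pending[key]             # single use: a replayed key fails
        return user_id

def demo():
    v = MOVerifier()
    v.register("alice", "+15555550100")             # constructed sample number
    key = v.issue_key("alice", now=1000)
    stolen = v.on_inbound_sms("+15555550199", key, now=1010)   # key known, phone not registered
    genuine = v.on_inbound_sms("+15555550100", key, now=1020)
    replay = v.on_inbound_sms("+15555550100", key, now=1030)
    return stolen, genuine, replay

if __name__ == "__main__":
    print(demo())   # (None, 'alice', None)
```

In this model a key read off the web session is useless without the registered phone, and a key that has been used once cannot be replayed.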