Security Highlight: A Journey to Titan

In a 2021 study, NinjaLab broke the secure crypto implementation of Google’s two-factor authentication token Titan, exposing a threat to users. Using multiple advanced attack techniques, NinjaLab successfully reverse-engineered a complex cryptographic system, found a side channel vulnerability, and recovered the private key.

Titan uses ECDSA, a signing algorithm based on elliptic curve cryptography. NinjaLab studied both the private signing operation and the public verification operation in order to identify which implementation variants and security measures the chip uses. On the assumption that the private-key operation would be better protected than the public one, they compared the two operations to pinpoint the protection mechanisms. After building a model of the implementation, NinjaLab started leakage measurements and discovered a vulnerability that could leak partial information about the secret nonce.

By clustering the leaked data, they were able to establish the approximate value of some nonce bits. Although a completely known nonce allows recovery of the private key, this is not trivial for partially known nonces, since a fresh nonce is randomly chosen for each signature. The researchers applied a lattice attack to solve the resulting system of incomplete equations, ultimately yielding the complete key.

Two-factor authentication uses strong crypto to provide added security to sensitive applications and services. Breaking a two-factor solution potentially threatens the security of many applications, generally undermining public trust in this kind of technology.

It is noteworthy that the product’s chip had been certified according to the highest security standards (although the certificate had expired). This shows that certification is a snapshot representing the state-of-the-art attack techniques at the time of evaluation and only provides assurance until the next attack comes along. Therefore, this event underlines the importance of assurance maintenance: periodically reviewing the product’s security against the newest threats, renewing its certificate conditionally on the outcome, and integrating only products that are being actively maintained and have an unexpired certificate.

Even though the Titan two-factor token can be broken with physical access to the token, doing so takes considerable effort, requiring knowledge, time, and equipment. Using this weakened solution is still better than the absence of two-factor authentication. Users of the token can protect themselves by always keeping the token in their possession, preventing others from accessing it. If a token is lost, consider it compromised and replace it with another token. As long as an attacker cannot get the combination of username, password, and token, the account is secure.

The product most likely cannot be patched, as the vulnerability resides deep in the chip’s design. NinjaLab suggested additional countermeasures that could be implemented in newer versions of the chip. Such revisions must be evaluated and certified to ensure that the vulnerability is truly fixed and no further issues are introduced.