Ok, sorry, I had to grab your attention. I have seen an increase of misinformation out there so I wanted a place in general to talk about this. There are rumors out there that Blizzard's Authenticator has been hacked. The only method I am aware, of based on the underlying protocols used, in which your account can be compromised is what is known as man-in-the-middle attack (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) or some form of social engineering. I would like sure with you some technical details which you might find interesting.
1. Blizzard's tokens are made by Vasco and are part of their DIGIPASS GO 6 line of authenticators (http://www.vasco.com/products/digipass/digipass_go_range/digipass_go6.aspx)
2. This is not RSA's technology but it is similar. To quote from a knowledgeable source I found on Elististjerks (http://elitistjerks.com/f15/t27560-blizzard_authenticator/p5/) site.
3. The code generated is based on a random seed generator plus the time (the authenticator has a built-in clock). For more on random seed generators, please read - http://en.wikipedia.org/wiki/Hardware_random_number_generator
4. The crypto algorithm used is rumored to be either the 3DES or AES (http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-glossary.html#des). Both of these algorithm's are actively in use by the US Military and various Intel agencies.
5. Blizzard's authenticator is one layer of security, it is no substitute for safe computing. Please read the following from Blizzard's support forums for more details - http://forums.worldofwarcraft.com/thread.html?topicId=24702231244&sid=1
I would like to share the following from an older ZDNet article I had which explains a bit about "breaking" these protocols.
http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204
"The last big factor in encryption myths and bit size inflation is salesmen and marketers because bigger numbers always sound nicer. I’ve had salesmen come in to my office and try to tell me that RSA or AES encryption was worthless and that I should be using their product which uses some kind of 1000 bit wonder-crypto solution. All it takes is one company to try and out do their competitors and pitch their products using 4096-bit RSA and the next company will come along and pitch 16384-bit RSA keys in their product. Many IT consultants will shy away from quoting smaller bit sizes because they’re afraid to be out done by their competitors.
Ah, but what about the dreaded massively distributed cracking brute force method for attacking something like 128 bit RC5 encryption? There are massive zombie farms of infected computers throughout the world and some may have gotten as big as 1 million infected computers. What if that entire army was unleashed upon the commonly used 128 bit RC5 encryption? Surprisingly, the answer is not much. For the sake of argument, let’s say we unleash 4.3 billion computers for the purpose of distributed cracking. This means that it would be 4.3 billion or 2 to the 32 times faster than a single computer. This means we could simply take 2 to the 128 combinations for 128-bit encryption and divide it by 2 to the 32 which means that 2 to the 96 bits are left. With 96 bits left, it’s still 4.3 billion times stronger than 64 bit encryption. 64 bit encryption happens to be the world record for the biggest RC5 bit key cracked in 2002 which took nearly 5 years to achieve for a massive distributed attack.
Now that we know that the distributed attacks will only shave off a few bits, what about Moore’s law which historically meant that computers roughly doubled in speed every 18 months? That means in 48 years we can shave another 32 bits off the encryption armor which means 5 trillion future computers might get lucky in 5 years to find the key for RC5 128-bit encryption. But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack. To give you an idea how big 256 bits is, it’s roughly equal to the number of atoms in the universe!"
Please share any sources you may have come across. I am truly interested in this topic and have several crypto books in my library (don't ask cause I actually don't like math).
1. Blizzard's tokens are made by Vasco and are part of their DIGIPASS GO 6 line of authenticators (http://www.vasco.com/products/digipass/digipass_go_range/digipass_go6.aspx)
2. This is not RSA's technology but it is similar. To quote from a knowledgeable source I found on Elististjerks (http://elitistjerks.com/f15/t27560-blizzard_authenticator/p5/) site.
3. The code generated is based on a random seed generator plus the time (the authenticator has a built-in clock). For more on random seed generators, please read - http://en.wikipedia.org/wiki/Hardware_random_number_generator
4. The crypto algorithm used is rumored to be either the 3DES or AES (http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-glossary.html#des). Both of these algorithm's are actively in use by the US Military and various Intel agencies.
5. Blizzard's authenticator is one layer of security, it is no substitute for safe computing. Please read the following from Blizzard's support forums for more details - http://forums.worldofwarcraft.com/thread.html?topicId=24702231244&sid=1
I would like to share the following from an older ZDNet article I had which explains a bit about "breaking" these protocols.
http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204
"The last big factor in encryption myths and bit size inflation is salesmen and marketers because bigger numbers always sound nicer. I’ve had salesmen come in to my office and try to tell me that RSA or AES encryption was worthless and that I should be using their product which uses some kind of 1000 bit wonder-crypto solution. All it takes is one company to try and out do their competitors and pitch their products using 4096-bit RSA and the next company will come along and pitch 16384-bit RSA keys in their product. Many IT consultants will shy away from quoting smaller bit sizes because they’re afraid to be out done by their competitors.
Ah, but what about the dreaded massively distributed cracking brute force method for attacking something like 128 bit RC5 encryption? There are massive zombie farms of infected computers throughout the world and some may have gotten as big as 1 million infected computers. What if that entire army was unleashed upon the commonly used 128 bit RC5 encryption? Surprisingly, the answer is not much. For the sake of argument, let’s say we unleash 4.3 billion computers for the purpose of distributed cracking. This means that it would be 4.3 billion or 2 to the 32 times faster than a single computer. This means we could simply take 2 to the 128 combinations for 128-bit encryption and divide it by 2 to the 32 which means that 2 to the 96 bits are left. With 96 bits left, it’s still 4.3 billion times stronger than 64 bit encryption. 64 bit encryption happens to be the world record for the biggest RC5 bit key cracked in 2002 which took nearly 5 years to achieve for a massive distributed attack.
Now that we know that the distributed attacks will only shave off a few bits, what about Moore’s law which historically meant that computers roughly doubled in speed every 18 months? That means in 48 years we can shave another 32 bits off the encryption armor which means 5 trillion future computers might get lucky in 5 years to find the key for RC5 128-bit encryption. But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack. To give you an idea how big 256 bits is, it’s roughly equal to the number of atoms in the universe!"
Please share any sources you may have come across. I am truly interested in this topic and have several crypto books in my library (don't ask cause I actually don't like math).
Last edited:
I feel secure again in my authenticator. Thanks!
![[7F]LarryBoy](/forums/data/avatars/m/1/1106.jpg?1442680067){kind=avatar}
