Predictable serial number attack
A predictable serial number attack is a form of security exploit in which the algorithm for generating serial numbers for a particular purpose is guessed, discovered, or reverse engineered, a new serial number is predicted using the algorithm, and the newly generated serial number is then used for a fraudulent purpose, either to obtain an undeserved benefit or to deny service to the legitimate holder of the serial number.
Example
Suppose there is a phone card available for sale that offers telephone service by entering the serial number printed on the card. Alice legitimately purchases a phone card in order to call Bob, and her card has the serial number 0003. The attacker, Mallory, also purchases two phone cards, and notices that the serial numbers printed on her phone cards are 0001 and 0002. After consuming the value on cards 0001 and 0002, Mallory guesses the algorithm used for generating these serial numbers is a simple sequence and predicts that 0003 is a valid serial number, enters 0003 when prompted, and gets additional phone service. When Alice tries to use her card she discovers the value has been stolen from it and it is now worthless.
Countermeasures
A common approach to prevent predictable serial number attacks is to use a cryptographic hash function such as SHA-2 to generate the actual serial numbers. Internally, the issuing organization creates a (pseudo-)random nonce as a salt for generating the serial numbers, and keeps it secret. The issuer increments their internal serial number and appends it to the salt, and the computed message digest is used to create the actual serial number. The issuer does have to take care to prevent collisions between existing values so as not to wrongly issue two identical serial numbers.
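The scheme described above, written out as an added example (not code from the article). The class name `SerialIssuer`, the 12-digit printed width, and reducing the digest to decimal digits with a modulo are assumptions made for illustration.

```python
import hashlib
import secrets


class SerialIssuer:
    """Issues serials as truncated SHA-256(salt || counter)."""

    def __init__(self, salt=None, digits=12):
        # Secret salt: anyone who learns it can regenerate every serial.
        self.salt = salt if salt is not None else secrets.token_bytes(32)
        self.digits = digits  # assumed printed width
        self.counter = 0      # internal sequence number, never printed
        self.issued = set()   # serials already handed out

    def _derive(self, counter):
        data = self.salt + counter.to_bytes(8, "big")
        value = int.from_bytes(hashlib.sha256(data).digest(), "big")
        # Reduce the digest to a fixed-width decimal string for printing.
        return str(value % 10**self.digits).zfill(self.digits)

    def issue(self):
        if len(self.issued) >= 10**self.digits:
            raise RuntimeError("serial space exhausted")
        while True:
            # Truncation allows collisions: skip any counter whose
            # serial was already issued instead of issuing it twice.
            self.counter += 1
            serial = self._derive(self.counter)
            if serial not in self.issued:
                self.issued.add(serial)
                return serial

    def is_valid(self, serial):
        return serial in self.issued


def next_in_sequence(serial):
    """The guess from the phone card example: the number after a held one."""
    return str(int(serial) + 1).zfill(len(serial))


if __name__ == "__main__":
    issuer = SerialIssuer()
    mallory = [issuer.issue(), issuer.issue()]
    alice = issuer.issue()
    print("Mallory holds:", mallory, "Alice holds:", alice)
    print("sequence guess valid:", issuer.is_valid(next_in_sequence(mallory[1])))
```

The shorter the printed serial, the more often the collision branch runs and the larger the fraction of the number space that is valid, so the printed width should be chosen with both in mind.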
Known attacks
- Predictable serial numbers were used as a part of the counterfeit MD5 certificate attack.[1]
- An iPod repairman guessed valid serial numbers and used them to perpetrate a fraud against Apple.[2]
See also
- Denial of service
- Hash collision
- Basic access control § Security: Dutch and German passport numbers, which function as part of biometric passport decryption keys, were made no longer sequential to increase the difficulty of wirelessly reading the passport holder's information without permission.
- German tank problem § Historical problem
References
- [1] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. "MD5 considered harmful today", December 30, 2008, accessed March 24, 2009.
- [2] White, Ed. "Michigan iPod repairman charged with fraud", March 19, 2009, Boston Globe, accessed March 24, 2009. Archived March 24, 2009, at the Wayback Machine.