Security token

From Wikipedia, the free encyclopedia

Jump to: navigation, search
Several types of security tokens.
SecurID tokens from RSA Security designed as key fobs.
Token from VeriSign

A security token (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token[1], or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Hardware tokens are typically small enough to be carried in a pocket or purse and often are designed to attach to the user's keychain. Some may store cryptographic keys, such as a digital signature, or biometric data, such as a fingerprint minutiae. Some designs feature tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Special designs include a USB connector, RFID functions or Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.


[edit] Token types and usage

There are four types of tokens:

  1. Static Password
  2. Synchronous Dynamic Password
  3. Asynchronous Password
  4. Challenge Response

This article currently focuses on Synchronous Dynamic password tokens.

The simplest security tokens do not need any connection to a computer. The client enters the number to a local keyboard as displayed on the token (second security factor), usually along with a PIN (first security factor), when asked to do so.

Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Still other tokens plug into the computer. For these one must:

  1. Connect the token to the computer using an appropriate input device
  2. Enter the PIN if necessary

Depending on type of the token the computer OS will now either

  • read the key from token and perform cryptographic operation on it or
  • ask the token's firmware to perform this operation

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.

[edit] Minimum requirement

The minimum requirement of any token is at least an inherent unique identity in a protected memory that cannot be tampered and preferable is not openly accessible by other application but that original method offered by the token vendor or any trusted organization.

[edit] Digital signature

Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof for the user’s identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws.[citation needed] Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

[edit] Embodiments and vendors

Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods. Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified as FIPS compliant. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by 3rd party agencies.

[edit] Disconnected tokens

Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.[2]

[edit] Connected tokens

Connected tokens are tokens that must be physically connected to the client computer. Tokens in this category will automatically transmit the authentication info to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication info. However, in order to use a connected token the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port respectively.

[edit] BestBuy Deluxe Ltd's BesToken

BesToken is a USB-based strong two-factor authentication device that can be used for identity management and access control. The device includes a built-in smart card with 128 KB (64 KB user space) data capacity and is powered by a 100 MHz RISC SOC CPU along with a multiplication coprocessor. Its features include hardware RSA, DES, 3DES, SHA-1, and MD5 calculation, hardware RNG, and support for PKCS #11, Microsoft CryptoAPI, X.509 v3 certificate storage, SSL v3, IPSec, and is ISO/IEC 7816 compliant. BesToken also ships with software that supports single sign-on, digital signature, multi-level accessing privilege, network log-on and PKI applications.[3]

[edit] SmartCards

Many connected tokens use SmartCard technlogy. SmartCards can be very cheap (around tens of cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, computational performance of SmartCards is often rather limited because of extreme low power consumption and ultra thin form-factor requirements.

[edit] Contactless tokens

Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token. However, there have been various security concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.[4] Another downside is that contactless tokens have relatively short battery lives; usually only 3-5 years, which is low compared to USB tokens which may last up to 10 years.[citation needed] Though some tokens do allow the batteries to be changed, thus reducing costs.

[edit] Bluetooth tokens

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If the Bluetooth is not available, the token must be inserted into a USB input device to function.

[edit] GSM cellular phones

A new category of T-FA tools allows users to utilize their mobile phone as a security token. A Java application installed on the mobile phone performs the functions normally provided by a dedicated token. Other methods of using the cell phone include using SMS messaging, instigating an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS.

Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices.[citation needed] In the case of SMS options, there are trade-offs: users may incur fees for text messages or for WAP/HTTP services.

[edit] Single sign-on software tokens

Some types of Single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.

[edit] Related authentication technologies

[edit] Enterprise single sign-on

Some Enterprise single sign-on (E-SSO) solutions uses security tokens.

[edit] Two-factor authentication (T-FA)

Security tokens provide the "what you have" component in two-factor authentication and multi-factor authentication solutions. Some tokens provide up to three factors of authentication [5]

[edit] One-time passwords

A one-time password is a password that changes after each login, or changes after a set time interval.

[edit] Mathematical-algorithm-based one-time passwords

Another type of one-time password uses a complex mathematical algorithm, such a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized, other algorithms are covered by U.S. patents.

[edit] VeriSign

VeriSign Unified Authentication uses the OATH standard. VeriSign Unified Authentication OEM is Aladdin Knowledge Systems.

[edit] Deepnet Security

Deepnet Security's Deepnet Unified Authentication Platform product.

[edit] Aladdin Knowledge Systems’ eToken NG-OTP

The Aladdin Knowledge Systems' eToken NG-OTP is a hybrid USB and one-time password token. It combines the functionality of smart card based authentication tokens with one-time password user authentication technology in detached mode.

[edit] ePass OTP Authentication System

ePass OTP Authentication System from Feitian Technologies Co., Ltd. involves three components: the ePass OTP token, ePass OTP Authentication Agent and ePass OTP Authentication Server. The ePass OTP Authentication System is able to create event-based two-factor authentication security by using a dynamically generated one-time password, also able to combine the dynamically generated one-time password with an existing static password.

[edit] Yubico YubiKey

The YubiKey, manufactured by Yubico, is a device that acts as a USB keyboard and provides secure authentification by a one-time password algorithm.

[edit] PhishCops Virtual Tokens

Virtual Tokens are a new concept in multi-factor authentication first introduced in 2005 by security company Sestus Data. Virtual tokens work by sharing the token generation process between the internet website and the user's computer and have the advantage of not requiring the distribution of additional hardware or software. Virtual tokens are also immune to trojans and man-in-the-middle type fraud. Virtual tokens are patented and are marketed under the name PhishCops.

[edit] Time-synchronized one-time passwords

A time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time-synchronization is done before the token is distributed to the client, other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized.[citation needed] However, some such systems, such as RSA's SecurID, allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 3 years before having to be replaced - so there is additional cost.

[edit] Event-based Token

An event based token, by its nature, has a longer life span.[citation needed] They work on the one-time password principle and so once used, the next password is generated. Often the user has a button to press to receive this new code via either a token or via an SMS message. All CRYPTOCard's tokens are event-based rather than time-based.

[edit] Booleansoft

Booleansoft tokens synchronize with the authentication server when inserted into an input device like a USB input device or a CD-ROM drive. US patent pending technology.

[edit] Aradiom SolidPass

SolidPass, developed by Aradiom, is a mobile java phone based security token that provides a time-based one-time password algorithm for secure authentication, and also offers challenge response based signing including transaction signing and additional security question.

[edit] BRToken SafeSIGNATURE

SafeSIGNATURE token, developed by the Brazilian company BRToken, was one of the first to provide support for the TOTP algorithm, defined by the OATH (Initiative For Open Authentication), an extension of the HOTP algorithm, but time-based. It also has the capacity of reading transaction data from any type of screen or projection, displaying in the token screen, and generating an Electronic signature, based on the public OCRA algorithm.

[edit] CAT (Cellular Authentication Token)

The CAT token, developed by the New Zealand company Mega AS Consulting Ltd, was the first to market a Cellular J2ME based soft token. The CAT uses an OATH compliant time-based one-time password (TOTP) algorithm for strong authentication, and also offers encrypted messaging and encrypted documents delivery system. The CAT is a multi tokens management system. Using a unique process, the CAT is secured on the Cellular device (or PDA, Blackberry, Windows OS).

[edit] Entrust IdentityGuard Mini Token

Entrust offers two variants of their OTP token — Entrust IdentityGuard Mini Token OE and Entrust IdentityGuard Mini Token AT. The Entrust IdentityGuard Mini Token OE provides event-based, one-time passwords using the standards-based HOTP algorithm endorsed by the Initiative for Open Authentication (OATH), providing compatibility with third-party software. The Entrust IdentityGuard Mini Token AT offers time- and event-synchronous, one-time passwords based on the stronger DES/3DES algorithm.

[edit] RSA Security's SecurID

RSA Security's SecurID displays a number which changes at a set interval. The client enters the one-time password along with a PIN when authenticating. US patented technology.

[edit] Vasco's DigiPass

VASCO's Digipass series have either a small keyboard where the user can enter a PIN or either a single button, in addition it generates a new one-time password after a pre-set time. US patent: 4599489 and 4609777.

[edit] KerPass UST

KerPass provide time synchronous OATH one time passwords on mobile phone. A new password is generated every 30 seconds. KerPass uses an exclusive server side password validation technology that makes possible using a KerPass password in the context of zero knowledge password proof algorithm like SPEKE or SRP. This combination renders password authentication insensitive to man in the middle attacks.

[edit] Secure Computing's Safeword

Secure Computing's Safeword is a hardware device that will display a passcode when pressing a button on the device. A barcode and serial number on the back of the device are used by administrators to synchronize the devices with the authentication system. The Safeword system can be event-based or time-based. Each press of the button will display a new passcode and once a passcode is used for authentication, combined with the user's PIN, it and all the passcodes generated before it can not be reused again. Time-based tokens display different tokens every 20 seconds or less depending on how the user wants it.

[edit] Smart DisplayCard

The Smart DisplayCard by ActivIdentity is a combination security token and smart card. A single button on the card displays a one time password on a small liquid crystal display when pressed. This device uses an OATH compliant event-based algorithm to generate OTPs. The embedded smart chip provides standard smart card PKI capabilities; typically email encryption and digital signatures.

[edit] PC cards

The PC card tokens are made to only work with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

[edit] Mykotronx Corp.

Mykotronx Corp. (a division of SafeNet) makes the Fortezza card token for laptops with a PC card.

[edit] Smart cards

Smart cards are relatively inexpensive compared to other tokens.[citation needed] There are also significant wear-and-tear on the smart cards themselves because of the friction on the electronic contacts the card is inserted. This has the potential to reduce the lifespan of a smart card token.

[edit] Universal Serial Bus (USB)

The Universal Serial Bus has become a standard in computers today, USB tokens are therefore often a cheaper alternative than other tokens needing a special input device.[citation needed]

[edit] Booleansoft

Booleansoft has several types of USB tokens, some including fingerprint biometrics. Each client that requires secure authentication is supplied with a personal security token. When the USB token is inserted into an PC's USB port, a software program stored on the token (called the 'token software') is then automatically started. The token software lets the user generate new one-time passwords and digital signatures to access a remote resource for authentication purposes.

[edit] VeriSign

VeriSign offers several different token types, from security cards to voice passcodes, as part of their their Unified Authentication services.[6][7] A custom-branded version of their One-Time Password (OTP) Token is used by PayPal and eBay as an extra layer of authentication for consumers when logging in to their websites.[8]

[edit] Smart Card Based USB tokens

Smart-card-based USB tokens which contain a smart card chip inside provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.[9]

[edit] Other token types

Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming. Booleansoft provides CD tokens, some the size of a standard credit cards.

[edit] See also

[edit] References

  1. ^ PKCS -- The RSA standards PKCS#11 and PKCS #15 define software interfaces.
  2. ^ de Borde, Duncan (2007-06-28). [ "Two-factor authentication"]. Siemens Insight Consulting. Retrieved on 2009-01-14. 
  3. ^ BesToken (2007-10-03). "BesToken: A White Paper". Retrieved on 2009-01-14. 
  4. ^ Biba, Erin (2005-02-14). "Does Your Car Key Pose a Security Risk?". PC World. Retrieved on 2009-01-14. 
  5. ^ "GoldKey Security Token". GoldKey Security Corporation. Retrieved on 2008-10-29. 
  6. ^ Photos of Verisign Tokens, (retrieved 15 Aug 2008)
  7. ^ Two Factor Authentication Credentials, (retrieved 15 Aug 2008)
  8. ^ PayPal Security Key, (retrieved 15 Aug 2008)
  9. ^ Specification for Integrated Circuit(s) Cards Interface Devices,
General references

[edit] External links

Personal tools