12.2. Overview of Security Devices

Security devices provide the "something I have" factor for authentication systems.[3] Passwords, an example of the "something I know" factor, lend themselves to a plethora of security attacks. Security devices can offer an alternative or, even better, a complement to the knowledge factor to increase security.

[3] See Chapter 6, this volume.

Take, for example, the process of withdrawing cash from an ATM. You need to insert your card (the "something you have") and enter its corresponding PIN ("something you know"). Similarly, a security device lets you securely withdraw precious electronic resources, like logging into your laptop or accessing your company's private networks, from anywhere.

There are a number of ways to categorize security devices. As you do with your ATM card, you need to carry your security device with you to access electronic resources. But, depending on the type of device, you may or may not need to physically insert it into your computer or a separate reader device. One way to distinguish among different security devices is according to whether they need to be physically plugged in, as follows:


Smart cards

Smart cards[4] are among the smallest computers we currently handle in our daily life. Smart cards are essentially plastic credit cards that include an integrated circuit (IC) whose current computational power is similar to the desktop PCs of the 1980s.[5] However, smart cards must be plugged into a reader. Other kinds of security devices do not require a special reader. Universal Serial Bus (USB) tokens, for example, use the USB port built into most computers.

[4] K. M. Shelfer and J. D. Procaccino, "Smart Card Evolution," Communications of the ACM 45:7 (2002), 83–88.

[5] U. Flohr, The Smartcard Invasion (Byte, 1998).


One-time password (OTP) tokens

OTP tokens[6] fall into the category of security devices that do not have to be plugged in. Similar in shape to a small pocket calculator, OTP tokens display authentication data that users type in manually. The authentication data changes each time a user authenticates (or, in some cases, after a designated small time interval regardless of whether an authentication has taken place); hence the name "one-time password" token. The fact that OTP tokens do not require a hardware reader means that they can be used with more kinds of computers than USB tokens can; for example, an airport Internet kiosk may not expose its USB ports to travellers. On the other hand, the fact that the user must physically type the value displayed on the OTP token can be an annoyance, make OTP tokens slower to use, and introduce the opportunity for transcription errors.

[6] R. E. Smith, Authentication: From Passwords to Public Keys (Reading, MA: Addison Wesley, 2002).

Devices that must be plugged in can be further subcategorized: can they be plugged into an existing port on a typical laptop or desktop computer, or do they require a special reader?

Passive storage versus active storage is an additional way to categorize security devices. Let's go back to our ATM card example: our "secret" authentication information is stored passively on the magnetic strip. On the other hand, OTP tokens and cryptographic smart cards embed a small computer that actively performs the computations needed for authentication.

We can further subcategorize "active" security devices by considering their external cryptographic functionalities. OTP tokens, for example, provide no cryptographic functionality externally. Cryptographic smart cards, on the other hand, provide wider cryptographic services like random number generation and public key cryptography. Cryptographic smart cards can enable users to securely access systems based on public key cryptography. Desktop machine logon, Virtual Private Network (VPN) access, wireless client authentication, and email protection are just a few examples where smart cards enhance security. Indeed, examples like these are a current driving force for deployment of cryptographic devices such as smart cards.[7]

[7] E. Messmer, "Microsoft Sold on Smart Cards," Network World [cited 03/22/2004]; http://www.nwfusion.com/news/2004/0322mssecurity.html.

Table 12-1 summarizes the classifications introduced so far and plots them against particular security devices.

Table 12-1. A schematic classification of security devices

Type of security device    OTP tokens    Smart cards    USB tokens
Plug-in                    No            Yes            Yes
Reader required            No            Yes            No
Active device              Yes           Yes            Yes

With these general classifications in mind, we'll now describe four form factors of security devices (including biometrics devices, which do not appear in the table). Note, however, that we do not intend this to be a comprehensive list.

12.2.1. OTP Tokens

  • Description: similar in shape to small pocket calculators, OTP tokens show on a small display the authentication code that the user must enter to authenticate. The code needs to change each time it is used; hence the name "one-time password" token.

  • Classify as: no plug-in; no reader required; active device.

  • Pros: no special hardware required.

  • Cons: user must type the authentication code each time; can be used only for authentication; server and token may get out-of-sync.

  • Product examples: RSA Security SecurID, Secure Computing SafeWord.

  • Additional comments: different form factors are available; for example, cellular phones can be used to compute and display the authentication data. "Sound" smart cards represent another example: they compute the authentication data, encode it as a sound sequence, and play it. This eliminates the need for the user to type the code, but introduces additional complexity in the client software.
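As an added example (not code from the chapter or from any product it names), here is a small simulation of an event-based OTP token and its verifying server, covering both points the text makes: the code changes with every use (or every time step, in the time-based variant), and token and server can drift out of sync, which the server tolerates only within a look-ahead window. The HMAC-SHA1 code derivation in the style of HOTP (RFC 4226) is an assumption of this example; the chapter specifies no algorithm.

```python
import hashlib
import hmac
import struct


def otp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    # Keyed one-way derivation of a short code from a counter. Assumption of
    # this example: HMAC-SHA1 with dynamic truncation, as HOTP (RFC 4226) does.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_code(secret: bytes, now: int, step: int = 30) -> str:
    # Time-based variant: the counter is the current time-step number, so the
    # displayed code changes every `step` seconds whether used or not.
    return otp_code(secret, now // step)


class EventToken:
    # Token side: each button press shows the next code and advances the
    # counter, even when the user never types that code in.
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = otp_code(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    # Server side: accepts the expected code or one up to `window` presses
    # ahead, then moves its counter past the match so no code is accepted twice.
    # Presses beyond the window leave token and server out of sync.
    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(otp_code(self.secret, candidate), code):
                self.counter = candidate + 1  # resynchronize and block replay
                return True
        return False


SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed sample secret
```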

12.2.2. Smart Cards

  • Description: smart cards add an integrated circuit (IC) to the familiar plastic credit cards. The IC has a computational power similar to the desktop PCs of the 1980s.

  • Classify as: plug-in; reader required; either passive storage or active device (depending on the integrated IC).

  • Pros: form factor familiar to millions of people; low cost (excluding the cost of the reader).

  • Cons: require a reader; users can fail to insert the smart card properly in the reader.

  • Product examples: Axalto CryptoFlex, Oberthur ID-One, Gemplus GemXpresso.

  • Additional comments: different form factors are available (see the description of USB tokens next).

12.2.3. USB Tokens

  • Description: USB tokens include both a smart card IC and a smart card reader in a single object.

  • Classify as: plug-in; either passive storage or active device (depending on the integrated IC).

  • Pros: no reader required; easy to plug in.

  • Cons: existing tokens have a limited area for printing (hardly suitable as an ID document).

  • Product examples: Aladdin eToken, Eutron CryptoIdentity.

  • Additional comments: variants of these devices may include additional functionality, such as general-purpose mass storage, RFID for physical access, or fingerprint sensors; see also "Biometrics Devices," next.

12.2.4. Biometrics Devices

  • Description: security devices or their associated readers can also embed biometrics sensors, in most cases fingerprint sensors. Examples include biometrics smart card readers and USB tokens.

  • Classify as: not applicable (depends on the actual security device).

  • Pros: replace PIN with fingerprint verification.

  • Cons: fingerprint security is still debated; potential privacy concerns.

  • Product examples: G&D StarSign® BioToken 3.0, Omnikey Cardman fingerprint 7120 smart card reader, Sony Puppy.

One last comment regarding this list: plug-in devices, unlike OTP tokens, are connected to the potentially hostile host machine. Malicious programs, for example, can compromise the PIN or trick the device into performing an operation different from the one intended by the user, for example, signing a modified transaction.[8] Placing both a PIN pad and a small display on a security device or reader can prevent these types of attacks; on the other hand, it makes such devices considerably more expensive. For financial applications where costs may not be a concern, FINREAD-compliant smart card readers[9] offer this maximum level of security. However, their small display can raise nontrivial usability issues. For example, how would you use it to review a page-long email that you need to sign?

[8] N. Ferguson and B. Schneier, Practical Cryptography (New York: John Wiley & Sons, Inc., 2003).

[9] http://www.finread.com.

Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295