Subscribe by Email


Wednesday, November 27, 2013

How are Smart cards, USB tokens, and software tokens used for security?

In this article we discuss about how smart cards, USB tokens and other software tokens are used for implementing security.

Smart card: This is a type of ICC (integrated circuit card) incorporated in to a pocket-sized card along with other embedded circuits. They are made up of plastic (usually polyvinyl chloride). These are used for the purpose of authentication, identification, and application processing and data storage.  These cards serve as a strong means for authentication within large organizations for SSO i.e., single sign-on. These are also used as ATM cards, SIM in mobile phones, fuel cards, pre-payment cards, access control cards and high-security identification cards, phone payment cards, public transport payment cards and so on. Sometimes they are also used as electronic wallets i.e., funds can be loaded in to it for paying when needed to merchants, retailers, vending machines, parking meters and so on. It does not require establishing a connection to the bank. The card can also be used by someone who is not its owner. This exchange of money is protected by the cryptographic protocols. Some cards such as the German Geldkarte are used for age verification. Some commonly known cards are:
- Visa
- MasterCard
- American express
- Discover

Security token or USB token: This is a physical device used for the user authorization by the security system so that there is no difficulty in authentication process. These devices verify the identity of the user electronically. These normally replace the passwords (or can be used along with the password) and use a key for gaining access. These tokens might be used for storing for cryptographic keys which include biometric data, digital signature etc. some come with tamper resistant packaging, while others have a small keypad for entering the PIN. Some tokens have a USB connector and so called a USB token. Some come with a wireless Bluetooth interface. With such interfaces the generated key number sequence can be transferred to the system. A token can stored 4 types of passwords:
- Static password token
- Synchronous dynamic password token
- Asynchronous password token
- Challenge response token

Tokens consist of chips whose functions can be very simple or at the same time to very complex. They use multiple authentication methods in the latter case. Simple tokens do not need to be connected to the system.

Software tokens: This is a two-factor authentication security device used for the authorization of the computer services. These tokens are stored in the electronic devices such as mobile phone, PDAs, PC, laptop etc. this is totally opposite of the hardware tokens that are stored on some hardware device dedicated to it. Both these types of tokens are quite vulnerable to man-in-the-middle attacks or other phishing attacks. However these tokens do have some benefits over the smart cards and USB tokens. Firstly you don’t require carrying them nor do they run on batteries that might run out. They are less expensive when compared to the hardware tokens. These tokens have two primary architectures namely the public-key cryptography and the shared secret. In the second architecture type the configuration file is given to each end-user by the administrator containing the user ID, PIN and the secret key. This type is open to many kinds of vulnerabilities. Attackers can compromise the stolen file. On top of this, these configuration files are subject to offline attacks and these are also difficult to be distributed. The latest software tokens use the public-key cryptography architecture to overcome most of the drawbacks of the shared secret architecture. 


No comments:

Facebook activity