

Showing posts with label Authorization.

Wednesday, November 27, 2013

How are Smart cards, USB tokens, and software tokens used for security?

This article discusses how smart cards, USB tokens and software tokens are used to implement authentication.

Smart card: a smart card is an integrated circuit card (ICC), i.e., a pocket-sized plastic card (usually polyvinyl chloride) with an embedded chip and supporting circuitry. Smart cards are used for authentication, identification, application processing and data storage. Within large organizations they serve as a strong authentication factor for single sign-on (SSO). They are also used as ATM and payment cards, SIM cards in mobile phones, fuel cards, pre-payment cards, access control badges, high-security identification cards, phone payment cards, public transport payment cards and so on. Some are used as electronic purses: funds are loaded onto the card and later spent with merchants, retailers, vending machines, parking meters and so on without connecting to the bank at the time of payment. Such a stored-value card is a bearer instrument, so it can be used by someone who is not its owner; the exchange of value itself is protected by cryptographic protocols between card and terminal. Some cards, such as the German Geldkarte, are also used for age verification. Well-known payment brands whose cards are issued as chip (EMV) smart cards are:
- Visa
- MasterCard
- American Express
- Discover

Security token or USB token: a security token is a physical device used to authenticate a user to a security system; it verifies the user's identity electronically. Tokens normally replace passwords, or are used alongside a password as a second factor, and hold a key that is used to gain access. They may also store cryptographic keys, biometric templates, digital certificates and so on. Some come in tamper-resistant packaging, while others have a small keypad for entering a PIN. Tokens with a USB connector are called USB tokens; others have a wireless Bluetooth interface. Through such an interface the generated one-time code can be transferred to the system directly instead of being typed in. Tokens are grouped into four types by the kind of password they provide:
- Static password token (the same secret every time)
- Synchronous dynamic password token (the code changes on a timer that the token and the server keep in step)
- Asynchronous password token (a one-time code generated without a clock, e.g., from an event counter)
- Challenge-response token (the server sends a challenge and the token computes the response)

Tokens contain chips whose functions range from very simple to very complex; the complex ones support multiple authentication methods. Simple tokens do not need to be connected to the system at all: the user reads the code from the display and types it in.

Software tokens: a software token is a two-factor authentication credential used to authorize access to computer services. Rather than living in a dedicated piece of hardware, it is stored on a general-purpose device such as a mobile phone, PDA, PC or laptop. Both hardware and software one-time-password tokens remain vulnerable to man-in-the-middle and phishing attacks, because the code the user types can be relayed to the real service by the attacker before it expires. Software tokens do, however, have some advantages over smart cards and USB tokens: there is nothing extra to carry, no battery to run out, and they are cheaper than hardware tokens. They come in two primary architectures, shared secret and public-key cryptography. In the shared-secret architecture the administrator gives each end user a configuration file containing the user ID, PIN and the secret key. This design is open to several attacks: a stolen file can simply be copied and used by an attacker, the file is subject to offline attacks, and distributing it securely is difficult. Newer software tokens use the public-key architecture to overcome most of these drawbacks.
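As an added example (not code from the original post or from any token vendor), here is how the three dynamic token types above compute and verify their codes, in Python using only the standard library. HOTP and TOTP follow RFC 4226 and RFC 6238; the secret used in the demonstration is the reference secret from the RFC 4226 test vectors. The verification windows, the replay rule and the HMAC-based challenge-response are assumptions chosen for illustration, not a specific product's protocol.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits. This is the asynchronous (event-based) token:
    no clock is involved, only a counter that advances on every press."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. This is the synchronous
    dynamic token: token and server must keep their clocks in step."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 5):
    """Server-side check for an event-based token. The token may be a few presses ahead of
    the server, so counters last_counter+1 .. last_counter+window are tried. Returns the new
    counter to store on success (so a code can never be accepted twice), or None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check for a time-based token, tolerating `skew` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step, len(code)), code)
        for k in range(-skew, skew + 1)
    )


def challenge() -> bytes:
    """Verifier side of a challenge-response token: a fresh random nonce for every login."""
    return secrets.token_bytes(16)


def respond(secret: bytes, nonce: bytes) -> str:
    """Token side: the response is a keyed MAC of the challenge, so a captured response is
    useless once the nonce changes and the secret itself is never transmitted."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, nonce: bytes, response: str) -> bool:
    return hmac.compare_digest(respond(secret, nonce), response)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 reference secret
    print("HOTP counter 0:", hotp(seed, 0))
    print("TOTP at t=59 (8 digits):", totp(seed, 59, digits=8))
    nonce = challenge()
    print("challenge ok:", verify_response(seed, nonce, respond(seed, nonce)))
```

Note that all three dynamic types are phishable in the way the post describes: a relay attacker who obtains the current HOTP/TOTP code, or the response to the nonce the real server just sent, can use it within its validity window. What the server-side checks above do prevent is replay of a code after it has been consumed and acceptance of stale codes outside the window.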


Monday, October 14, 2013

What are secret-key and public-key signatures?

- Asymmetric cryptography is often referred to as public-key cryptography. 
It uses two distinct keys, a private (secret) key and a public key. 
- The private key is kept secret and the public key is published openly. 
- Although the two keys are different, they are mathematically linked. 
- The public key is used to encrypt plaintext and to verify a digital signature. 
- The private key is used to decrypt ciphertext back into plaintext and to create a digital signature. 
- The two keys are complementary, unlike in symmetric cryptography where one key serves both purposes. 
- Public-key systems are built on mathematical problems for which no efficient solution is currently known, such as:
Ø  Elliptic curve relationships (the elliptic curve discrete logarithm problem)
Ø  Discrete logarithms
Ø  Integer factorization
- Generating a public/private key pair is computationally easy for the user. 
- The strength of the scheme lies in the fact that deriving the private key from the public key is computationally infeasible. 
Thus the public key can be published without compromising security, while the private key is kept hidden from anyone who is not authorized to create signatures or read messages. 
- Unlike symmetric-key algorithms, public-key algorithms do not require a secure initial exchange of secret keys. 
- For message authentication, the signer processes the message with the private key to produce a digital signature. 
- Anyone can then verify the signature by processing it with the signer's public key. 
- The result is compared with the message. 
- A match confirms that the message has not been modified. 
- This relies on the assumption that the signer's private key has been kept secret. 
- In practice the message's digest (hash) is what is signed, rather than the whole message. 
- Public-key algorithms are fundamental security components of cryptosystems, protocols and applications.
They underpin, for example:
Ø  PGP
Ø  GPG (an implementation of the OpenPGP standard)
Ø  TLS (Transport Layer Security)


- Some public-key algorithms, such as the Diffie-Hellman key exchange, provide key distribution (and hence secrecy); some, like the Digital Signature Algorithm (DSA), provide only digital signatures; and some provide both.
- RSA is an example of an algorithm that provides both encryption and signatures. 
- All of these algorithms are widely accepted. 
- Each user holds a pair of keys: a public key for encryption and a private key for decryption. 
- Similarly, for digital signatures the pair consists of a private key for signing and a public key for verification. 
- Keeping the private key secret is what provides confidentiality for encryption and unforgeability for signatures. 
- A digital signature can be verified by anyone possessing the corresponding public key. 
- Successful verification confirms that the sender possesses the private key. 
- It also confirms that the message has not been tampered with. 
- If the message had been altered, the digest computed by the verifier would no longer match the signed digest. 
- A mailbox with a mail slot and a personal wax seal are good analogies for public-key encryption and digital signatures respectively: anyone can drop a letter through the slot but only the owner can open the box, and anyone can inspect the seal but only the owner can make it. 


Sunday, July 22, 2012

What is the difference between authentication and authorization?


In this article we take up two very important topics of the cyber world, authentication and authorization, and discuss the difference between these two terms, which bear directly on our security on the World Wide Web and other networks. 

Concept of Authentication


"Authentication involves the act of the confirmation of the truth regarding all the attributes of some entity or datum under question". 

The authentication process is also concerned with confirming identity in the following senses:
  1. Confirming the identity of a person, a program or a software system.
  2. Tracing the origin of an artifact.
  3. Ensuring that a product is what its labelling and packaging claim it to be. 
There are three types of authentication, discussed below:
  1. The first type accepts proof of identity given by a credible person who has evidence that the identity is genuine or that the object in question was created by the stated originator.
  2. The second type compares the attributes of the object itself with what is known about objects of the same origin. Authentication of this type is vulnerable to forgery and calls for expert knowledge.
  3. The third type relies on external affirmations, such as documentation. 
The three factors that can be verified in authentication are:
  1. Ownership factors (something the user has, e.g., a token or smart card)
  2. Knowledge factors (something the user knows, e.g., a password or PIN)
  3. Inherence factors (something the user is, e.g., a fingerprint)

Concept of Authorization

- Authorization is the process of specifying access rights to resources.
- In computer security and information security generally, this is the domain of access control.
- Put simply, authorization is the process of defining the access policy. 
- While the system is in operation, it uses the access control rules to decide whether to approve or reject access requests from authenticated users or consumers. 
- Resources can be anything, for example:
  1. Individual files
  2. Items of data
  3. Computer devices
  4. Computer programs
  5. Functionality of computer applications, and so on.
- Consumers may be computer users, computer programs or other devices on the system. 
- The access control process performed during authorization has two main phases:
  1. Phase 1: the policy definition phase, in which access is granted (who may do what to which resource).
  2. Phase 2: the policy enforcement phase, in which individual access requests are accepted or rejected against that policy.

Differences between Authentication and Authorization

  1. Verification of identity: verifying who you are is authentication, whereas verifying what you are allowed to do is authorization. This is the simplest distinction between the two similar-sounding processes. Both are carried out whenever a connection attempt is made, and whether the attempt is allowed or rejected depends on both.
  2. The goal of authentication is to verify that you are who you claim to be. The goal of authorization is to set the access scope of the user who has already been authenticated. 
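The two processes in the order a server performs them, as an added example (not code from the original post). The user store, the password hashing parameters, the role names and the policy table are all constructed for the example; the point is that authentication turns a username and password into a principal, and authorization answers a separate question about that principal against a policy defined in advance (phase 1) and enforced per request (phase 2).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune for the deployment)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _enroll(password: str, roles) -> dict:
    """Constructed enrollment: in a real system only the salted hash is kept, never the
    plaintext password; it appears here only so the example is self-contained."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": frozenset(roles)}


USERS = {
    "alice": _enroll("correct horse battery staple", {"editor"}),
    "bob": _enroll("hunter2", {"viewer"}),
}

# Phase 1 of authorization: policy definition. Who (by role) may do what to which resource.
POLICY = {
    "viewer": {("read", "report")},
    "editor": {("read", "report"), ("write", "report")},
}

_DUMMY_SALT = os.urandom(16)


@dataclass(frozen=True)
class Principal:
    """An authenticated identity. Authorization only ever receives one of these."""
    name: str
    roles: FrozenSet[str]


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Who are you? Verifies a knowledge factor against the stored hash."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # same cost for unknown users: no enumeration by timing
        return None
    if hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return Principal(username, record["roles"])
    return None


def authorize(principal: Optional[Principal], action: str, resource: str) -> bool:
    """Phase 2: policy enforcement. What may you do? Deny by default; an unauthenticated
    caller (None) is never authorized, whatever it asks for."""
    if principal is None:
        return False
    return any((action, resource) in POLICY.get(role, set()) for role in principal.roles)


def handle_request(username: str, password: str, action: str, resource: str) -> str:
    """The two checks in the order a server performs them on a connection attempt."""
    principal = authenticate(username, password)
    if principal is None:
        return "401 unauthenticated"
    if not authorize(principal, action, resource):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    print(handle_request("bob", "hunter2", "read", "report"))
    print(handle_request("bob", "hunter2", "write", "report"))
    print(handle_request("bob", "wrong", "read", "report"))
```

The two failure codes make the distinction concrete: a wrong password fails authentication (the system does not know who is asking), while Bob's correct password followed by a write request fails authorization (the system knows exactly who is asking and the policy says no).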


Monday, May 14, 2012

What is the concept of penetration testing tools?


Most of us are familiar with what a penetration test (pen test) is. Every software testing technique makes use of certain tools, and penetration testing is no exception. 
This article focuses on the tools used to carry out penetration testing. Before discussing the tools, let us brush up on some concepts of penetration testing. 

About Penetration Testing


- Penetration testing measures the security of a software system, application or computer network. 
- This is done by simulating attacks as a malicious outside attacker would carry them out. 
- The attacker can also be an insider. 
- Attackers are classified as outsiders or insiders based on how they gain access to the system. 
- Attackers with no authorized access to the system are outsiders; those with some degree of authorized access are insiders. 
- The first step in a penetration test is to identify potential vulnerabilities of the system by active analysis.
- These vulnerabilities may stem from improper configuration of the system or from flaws in its hardware and software components. 
- Existing technical countermeasures may already mitigate some of these vulnerabilities.
- The penetration is performed in the way a real attacker would approach the system. 
- After the vulnerabilities are identified, they are reported to the owner of the system. 
- Each vulnerability is then coupled with an assessment of its potential impact on the system and the organization, using further targeted tests. 
- Technical countermeasures are then designed to reduce their impact on the system. 

There are several reasons that make penetration testing valuable. Since there are many ways in which a penetration test can be carried out, there are several types of tools that can be employed for it.

Approach used in Penetration testing


- Depending on how much knowledge the tester has of the system, either the black box or the white box approach is followed. 
- If the tester has little knowledge of the system, the black box approach is used.
- If the tester has ample knowledge, the white box approach is used. 
- Tools are chosen accordingly: black box testing tools for the black box approach and white box testing tools for the white box approach. 
- The location and extent of the system to be tested must be determined properly before testing starts. 
- For the white box approach the tester needs critical details such as the IP addresses of the system and its source code. 
- If the tester's knowledge lies between what the black box and white box approaches assume, the grey box approach is used. 
- This mixes white box and black box testing techniques. 
- Both white box and black box testing tools can be employed here. 
- All three approaches have their own merits and demerits, which are often debated.
- The tools are deployed to create a hostile environment in which the target is tested.

Types of Penetration Testing Tools


1. Port Scanners
2. Vulnerability Scanners
3. Application Scanners
4. Web Application Assessment Proxy
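A minimal version of the first tool type, a TCP port scanner, as an added example (not code from the original post or from any scanning tool). It uses full connect() probes, which need no privileges but complete the handshake and are therefore visible in the target's logs. The target it scans is a listener the script starts itself on the loopback interface, so it runs offline; the timeout, worker count and the "filtered" label for unanswered probes are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect() probe. A completed three-way handshake means a listener is present.
    A RST (ConnectionRefusedError) means the port is closed; no answer before the timeout
    is reported as 'filtered', since a firewall dropping packets looks like a dead host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host: str, ports: Iterable[int], workers: int = 50) -> Dict[int, str]:
    """Scan the given ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    return dict(zip(ports, states))


def open_ports(results: Dict[int, str]) -> List[int]:
    return sorted(p for p, state in results.items() if state == "open")


def start_target() -> socket.socket:
    """Constructed target for a stand-alone run: a listener on an ephemeral loopback port.
    The kernel completes the handshake for queued connections even before accept() is called."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv


def unused_port() -> int:
    """A loopback port that is (almost certainly) closed: bind, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = start_target()
    listening = target.getsockname()[1]
    results = scan("127.0.0.1", [listening, unused_port()])
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
    print("open:", open_ports(results))
    target.close()
```

Against a real target the port list would be a range (for example `range(1, 1025)`), and the "filtered" results are as informative as the open ones: they show where a firewall sits. Only scan systems you are authorized to test.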



Monday, April 30, 2012

How does penetration testing tool emphasize on network security?


The term "penetration testing" is not unheard of these days, and perhaps many of us are familiar with this type of testing. In this piece we discuss how penetration testing tools bear on network security. 

About Penetration Testing
- Penetration testing is a testing methodology adopted to test the security of a computer network or system against malicious attacks. 
- It evaluates the security level of the network by subjecting it to simulated attacks of the kind outside and inside attackers would mount. 
- Outside attackers hold no authorized access to the computer system or network; inside attackers do have access, but only to a certain level.
- The whole process of penetration testing depends on active analysis. 
- This active analysis assesses all potential vulnerabilities of the network or system that result from poor security or poor configuration. 
- Known and unknown flaws in both hardware and software contribute to these vulnerabilities as much as operational weaknesses do. 
- Each of these sources has to be examined.
- The active analysis succeeds only if it is carried out from the viewpoint of a malicious attacker and includes active exploitation of the recognized vulnerabilities.

About Network Security
- Network security depends on the effectiveness of the testing. 
- The testing in turn depends on the effectiveness of the tools employed.
- The tools therefore affect network security directly: if they are reliable and efficient at finding vulnerabilities, the security mechanisms improve accordingly.

Reasons why Penetration Testing holds good for Network Security
There are several other reasons why penetration testing tools are valuable for network security:

- They are effective for determining the feasibility of a particular set of attack vectors.
- They help identify high-risk vulnerabilities that arise from exploiting a combination of lower-risk issues in a particular sequence.
- They find vulnerabilities that cannot be detected with automated application vulnerability scanners or automated testing.
- They assist in assessing the operational and business impact of attacks on the network or system.
- They test the effectiveness of network defenders in detecting and responding to attacks.
- They provide evidence to support security investment in the system or network.



Sunday, April 29, 2012

What is meant by penetration testing?


The term "penetration testing" is not rare, and perhaps many of us are familiar with this type of testing. In this piece we discuss penetration testing in more detail. 

About Penetration Testing


- Penetration testing is a testing methodology adopted to test the security of a computer network or system against malicious attacks. 
- It evaluates the security level of the network by subjecting it to simulated attacks of the kind outside and inside attackers would mount.
- Outside attackers hold no authorized access to the computer system or network; inside attackers do have access, but only to a certain level. 
- The whole process is based on active analysis.
- This active analysis assesses all potential vulnerabilities of the network or system that result from poor security or poor configuration.
- Known and unknown flaws in both hardware and software also contribute to these vulnerabilities, not only operational weaknesses. 
- The analysis is carried out from the viewpoint of a malicious attacker and focuses on active exploitation of the recognized vulnerabilities. 

Steps in Penetration Testing


- The first step in penetration testing is always the identification of vulnerabilities. 
- The identified issues are then reported to the whole development team.
- Further penetration tests are carried out on the system, with the findings coupled to an active assessment of the risks to the computer system or network. 
- Effective procedures are then designed to reduce the effect of these vulnerabilities. 

Advantages of Penetration Testing


There are several reasons why penetration testing holds good:
  1. It is effective for determining the feasibility of a particular set of attack vectors.
  2. It helps identify high-risk vulnerabilities that arise from exploiting a combination of lower-risk issues in a particular sequence.
  3. It finds vulnerabilities that cannot be detected with automated application vulnerability scanners or automated testing.
  4. It assists in assessing the operational and business impact of attacks on the network or system.
  5. It tests the effectiveness of network defenders in detecting and responding to attacks.
  6. It provides evidence to support security investment in the system or network.
Penetration testing is recognized as an important component of security audits. It can be carried out either through the black box route or through the white box route. 

The route is chosen by how much knowledge the tester has about the system or network under test. If the tester has only brief knowledge, the black box route is followed; otherwise white box techniques are preferred. 

Another thing to determine before starting is the location of the system to be tested and its extent (the scope). 

Penetration testing if carried through white box testing


To follow the white box approach, the tester needs:
- full knowledge of the system infrastructure,
- full knowledge of the source code, 
- full knowledge of the IP addresses, and
- full knowledge of the network diagrams, etc. 

In some cases a grey box approach can be followed, depending on how much information is available. The black box approach is useful for simulating an outsider attack, whereas the white box approach can simulate an insider attack.  


Friday, December 23, 2011

What are different characteristics of security testing?

Security testing, as its name suggests, is the process of determining whether a software product, information system or application can protect data and keep it secure.
It also determines whether the system keeps its functionality intact and behaves as intended while doing so.

Security testing needs to cover six important concepts. They are discussed below:
1. Confidentiality
- Confidentiality is the security property that protects information from disclosure to third parties or to any party other than the authorized individuals.
- Encryption is the usual mechanism, but confidentiality alone is not sufficient to secure information.

2. Integrity
- Integrity is the property that lets the receiver of information check that the data is authentic and has not been altered, accidentally or maliciously, in transit or in storage.
- Most often the same underlying cryptographic techniques are used for both confidentiality and integrity.
- The basic difference is that for integrity, additional information is sent along with the data.
- This additional information is an algorithmic check value (a message authentication code or digital signature) computed over the data, which the receiver recomputes and compares.
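An added example (not code from the original post) of why confidentiality and integrity are distinct and why the "additional information" matters. A stream cipher hides the plaintext, yet an attacker who knows the format of a message can flip bits in the ciphertext and change the decrypted value without the key; attaching an HMAC tag computed with a separate key (encrypt-then-MAC) makes the same tampering detectable. The keystream construction, key lengths, message format and keys are constructed for illustration; in production use an AEAD mode such as AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256: a stand-in for a real stream
    cipher so that the example needs only the standard library."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, known_byte: int, wanted_byte: int) -> bytes:
    """Bit-flipping attack: XORing a ciphertext byte with (known ^ wanted) turns the decrypted
    byte from `known` into `wanted`. The attacker needs the plaintext layout, not the key."""
    out = bytearray(ciphertext)
    out[offset] ^= known_byte ^ wanted_byte
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity (encrypt-then-MAC): the 'additional information' is
    an HMAC tag over nonce and ciphertext, computed with a separate key."""
    nonce = os.urandom(NONCE_LEN)
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def check_tag(mac_key: bytes, blob: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if not check_tag(mac_key, blob):
        raise ValueError("integrity check failed")
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return decrypt(enc_key, nonce, ct)


def tamper_sealed(blob: bytes, offset: int, known_byte: int, wanted_byte: int) -> bytes:
    """The same bit-flip applied inside a sealed blob (offset counted within the ciphertext)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    return nonce + tamper(ct, offset, known_byte, wanted_byte) + tag


if __name__ == "__main__":
    enc_key, mac_key = b"E" * 32, b"M" * 32  # constructed keys
    ct = encrypt(enc_key, bytes(NONCE_LEN), b"amount=0100")
    print("unauthenticated, after bit flip:", decrypt(enc_key, bytes(NONCE_LEN), tamper(ct, 7, ord("0"), ord("9"))))
    blob = seal(enc_key, mac_key, b"amount=0100")
    print("sealed, after bit flip, tag valid:", check_tag(mac_key, tamper_sealed(blob, 7, ord("0"), ord("9"))))
```

The order matters: the tag is checked before decryption so that no attacker-controlled plaintext is ever processed, and the comparison uses `hmac.compare_digest` so a wrong tag cannot be discovered byte by byte through timing.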

3. Authentication
- Authentication is the security measure that confirms the identity of a particular person, program or system.
- In the physical world it also ensures that a packaged product contains exactly what its packaging and labeling claim.
- Authentication is also used to trace the origin of a software system, application or artifact.
- It plays a big role in determining whether a computer software system or application can be trusted.

4. Authorization
- Authorization is an important security measure that follows authentication.
- It determines whether a person or program that has already been authenticated and has requested a service is allowed to receive that service or to carry out some operation.
- Authorization does not itself establish identity; that is the job of authentication.
- Access control is the best example of an authorization security measure.

5. Availability
- Availability assures that communication services and information are ready for use whenever they are needed.
- It ensures that the required information is always accessible to authorized people when they need it.

6. Non-repudiation
- Non-repudiation is a digital security measure.
- It confirms that data, information or messages were sent and received by the parties claiming to have sent or received them.
- It guarantees that the party who sent a message cannot later deny having sent it, and that the recipient cannot deny having received it, if a dispute arises; digital signatures are the usual mechanism.

Security testing as a term has a number of different meanings and cannot be explained in just one way. A security testing taxonomy provides a better way to understand these concepts; from least to most intrusive:

- Discovery
- Vulnerability scan
- Vulnerability assessment
- Security assessment
- Penetration test
- Security audit
- Security review

