WebApp Sec mailing list archives
RE: Smart card proposal
From: maburns () safenet-inc com
Date: Tue, 25 Jan 2005 12:58:11 -0800
Richard The iKey USB token uses a windows driver (only) that is downloaded to the client machine. The user would type the banks start up url, system would prompt them to insert their iKey in the USB port and enter pin #, if it's the first time the iKey driver would automatically be downloaded. This is the preferred method so if there are updates to the driver it can be downloaded the next time a user logs in. The session can terminate when the iKey is removed from the USB port or it can terminate after a set amount of time has lapsed. The termination of a session is controlled by the application. Rainbow has a SDK Kit that ships with iKeys for app development. As said here before it is a nice package that offers a compact hardware solution for authentication and digital identity management. While offering similar functionality to a smartcard, iKey packs two-factor authentication, encryption key management, and digital signing functionality into a tiny, secure package that includes an integrated USB port to eliminate the need for a separate reader device. The iKey FIPS 140-1, Level 2 validated hardware, onboard key generation, key storage, encryption, and digital signing capabilities add high-assurance security to user login, email encryption, disk encryption, VPN authentication, and other secure client applications Mary Ann -----Original Message----- From: Richard M. Smith [mailto:rms () computerbytesman com] Sent: Monday, January 24, 2005 4:58 PM To: webappsec () securityfocus com Subject: RE: Smart card proposal Hi Mary Ann, What kind of Windows driver does a USB key token need? At least with USB flash disks, most Windows systems built in the last 5 years have a driver for USB flash disks. Also would a Web site talk to the device? Perhaps with an ActiveX control? The big problem with USB devices is the dang USB sockets on many computers is on their backsides and access is difficult. I just tested USB flash disk usability during a recent vacation in Argentina. I tried out about 20 different computers in Internet cafes, it was a pain to get to all the USB sockets. There is some hope. Newer systems are coming with front-side USB sockets which should become more common since USB flash disk are replacing floppy disks. USB devices are pretty easy to forget also. Can a USB key token only be left in a machine for only the 5 to 10 seconds that it takes to do an authorization and not for the entire banking session? If there are no driver issues with a USB key token, maybe it's the best way to go. Richard -----Original Message----- From: maburns () safenet-inc com [mailto:maburns () safenet-inc com] Sent: Monday, January 24, 2005 7:27 PM To: hugo.fortier () gmail com; rms () computerbytesman com Cc: webappsec () securityfocus com Subject: RE: Smart card proposal Hugo The USB Key token would eliminate the need for the smartcard reader and the pin can be typed on the keyboard since It does not really matter if the keystrokes are copied since with two-factor authentication you need the combination of the physical device and the pin# ( two factor is - something you have (USB key) with something you know (pin#). The RSA random password generator won't work for the reason below. The RSA secure ID are more expense than an USB token like Rainbow iKey and need a battery replacement (USB token does not). Plus RSA is a random password generator and is not really two factor authentication and the deployment on a RSA Radius server is such that all remote users need to be on the system since the sever cannot allow some to have the RSA token and others in the directory to have user name and passwords. USB tokens can be issued to some users (who want high security) and the others can remain on user names and password. Thus providing the bank with the answer they need. Use the USB key for top security and be protected or continue to use user name and password but at your own risk. If the user loses their key they call the help desk and get a temp user name and password and the bank sends out another key same as if they lost their ATM card, they get a replacement. Or they can elect to switch over the username and password if they don't like the key. Mary Ann -----Original Message----- From: Hugo Fortier [mailto:hugo.fortier () gmail com] Sent: Monday, January 24, 2005 10:20 AM To: Richard M. Smith Cc: Webappsec List Subject: Re: Smart card proposal USB Flash drive and Credit Card sized CD are't to be compaired with SmardCard. They have none of the propriety that a smartcard have... While it's is somewhat better than storing the key directly on the computer, it should't be considered a lot more secure. And it be a lot cheaper tu just use a crypto key stored on the PC. SmartCard readers are getting cheaper and cheaper, only issue is that inexpensive one does not have PIN Pad included in the reader. It's a bad idea to enter your pin on your computer keyboard. I agree with you that PIN number generator are interesting, but for a online bank they does't provide the advantage a smart card would give them (Aka Digital Signature). Also those RSA Token have short lifetime, due to the fact that they have built-in battery and are easy to break. I doubt RSA Token are cost effective on big deployment like Online banking... We have to remember that the cost of the solution have to be lower than the lost caused by fraud. Hugo On Mon, 24 Jan 2005 07:27:54 -0500, Richard M. Smith <rms () computerbytesman com> wrote:
Since almost no PCs that I am aware of have SmardCard readers, I don't see how this scheme works. Could a USB flash drive or a credit card-sized CD ROM be used instead? (See http://www.mediaheaven.co.uk/cd-business-cards.htm) These devices typically don't require new software. I still like a PIN-number generator device for a key ring as the best method to improve security beyond passwords and PINS. One of these devices generates random PIN numbers that are only known by the bank and the person who is holding the device. They are popular her in the States in remote access systems to corporate networks. (See http://www.rsasecurity.com/node.asp?id=1173). Richard -----Original Message----- From: Rogan Dawes [mailto:discard () dawes za net] Sent: Wednesday, January 19, 2005 5:47 AM To: Webappsec List Subject: Smart card proposal Hi folks, As part of the discussion recently about phishing, I was thinking about how a hardware token (and a smart card in particular) could be used to secure web transactions. It also struck me that more and more banks are issuing credit or debit cards with smart-card capabilities. This led to the thought that banks could use the smart-card capabilities (via a smart-card reader) to store a private key and SSL client certificate, which would be used to authenticate their clients when they wish to perform internet banking. Positive consequences: The bank is performing the same effective authentication as they do at their ATM's. Something you have (the card) and something you know (the PIN). This may or may not be the same PIN as would be used in an ATM. This would be a policy decision, made by the issuing bank. Policy decisions can be enforced on the smart card, because the smart card can run applications. So policies such as PIN complexity, lockout, etc can all be specified by the bank, and enforced. This is platform independent, browser independent, CPU independent, etc. Users already have an idea of how to protect their credit cards. They know what the implications are if they get lost or stolen. They tend to keep them in a safe place. Even if they do get compromised, the card is still protected by a PIN, and is effectively unusable. ATM's mostly already have infrastructure to read and communicate with smart cards. Users can use ATM's as self-service terminals to set up their internet banking. e.g. the user enters their PIN at the ATM, selects Internet Banking, Register. The ATM instructs the smart card to generate a private key, takes a copy of the public key, generates a CSR, requests the Bank's CA to sign the cert, and installs the cert into the smart card. It then asks the user to choose a PIN for the certificate, so that it cannot be accessed without it. At the same time, it links the certificate to the same accounts that the user can access via the ATM, so that Internet banking is effectively seamless. If the user forgets the certificate PIN, and tries to guess it more than ${policy} times, the smart card locks it out. Then, the user can go to an ATM, enter his ATM PIN, request a certificate PIN reset, the ATM then supplies a (card specific) PIN Unlock Key, which allows the user to enter a new PIN for the cert. The certificate lifetime would be the same as the validity period of the credit card. When the bank issues a new credit card, the user should go back to an ATM, and reregister for Internet banking. Alternatively, if the user is already registered, the bank can pregenerate a key and certificate in the card, register it with Internet Banking, and provide the user with the certificate PIN in the same way as they do with the ATM PIN. Depending on the bank's policy, the user may be able to change the PIN at their own computer. This would however mean that the bank would not be in a position to know what the current certificate PIN actually is. An alternative is to require the PUK before allowing PIN changes. The PUK could only be provided by the ATM . . . allowing the bank to obtain a copy of the certificate PIN . . . Negative Implications: If the credit card is stolen, there is a risk of access via the Internet as well. This may or may not already be an issue, if users can self-register using their credit card PIN. (possible in some countries) Using the smart card at a merchant might allow the merchant to issue additional internet banking transactions while the card is inserted in the slot, and the PIN has been entered into their card processing device. I think the close coincidence of the fraudulent transactions with a legitimate transaction would be suspicious. Note that it would (should) not be possible to delay the transaction until after the card is taken out. (Question: If I connect using a client cert, establish a SSL shared session key, then remove the smart card, can I continue to use that session key?) Also, most merchants do not have access to reprogram their card terminals, this is generally done by the supplier. Session Riding: One thing that I have ignored up until now is the issue of session riding, where an attacker makes use of the fact that the SSL connection is transparently created. One thing mitigating against that is the requirement for the user to have entered their PIN to access the certificate on the card. It may be possible to set a timeout on the card, so that the PIN must be
reentered
to continue transacting. Thoughts? Comments? Rogan -- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Current thread:
- Re: Smart card proposal, (continued)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- RE: Smart card proposal Richard M. Smith (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- RE: Smart card proposal McAllister, Andrew (Jan 27)
- RE: Smart card proposal Ofer Shezaf (Jan 27)
- RE: Smart card proposal Ofer Shezaf (Jan 27)
- RE: Smart card proposal Richard M. Smith (Jan 27)
- Re: Smart card proposal DE Gustafson (Jan 27)
- Re: Smart card proposal Koh Gim Leng (Jan 28)
- RE: Smart card proposal Lyal Collins (Jan 28)
- RE: Smart card proposal Richard M. Smith (Jan 27)
- RE: Smart card proposal maburns (Jan 27)
- RE: Smart card proposal maburns (Jan 27)
- Re: Smart card proposal Miguel Ruiz Velasco Sobrino (Feb 02)
- Security Webcast Series JoeStagner (Feb 02)
- RE: Smart card proposal Glenn_Everhart (Feb 02)
- RE: Smart card proposal Lyal Collins (Feb 03)
- Re: Smart card proposal Rogan Dawes (Feb 03)
- Re: Smart card proposal Kevin Kadow (Feb 16)