Advances of USB Strong Authentication Tokens

Giesecke & Devrient

Michael Poitner, Director New Business

CTST 2009, New Orleans, May 5th, 2009

Advances of USB Strong Authentication Token, Michael Poitner, NB US, May 5th 2009, Slide 2 of 10, Advances of USB Strong Authentication Token CTST 2009.ppt

Table of Contents

Secure USB Token – A new smart card form factor

Threats, Attacks and Security Measures

Functions and Applications for secure USB Token

New use cases for strong authentication token

Smart card features of secure USB Token

Features of Starsign Mobility Token Classic


Secure USB Token - A new ‘smart card’ form factor

[Figure: Smart Cards compared with a Secure USB-Token]


Threats, Attacks and Security Measures


Threats while using the Internet

Man-in-the-middle attacks
DNS Spoofing
Password sniffers
Phishing
Pharming
Hijacking / Rerouting

ID Theft costs the user $500 and 30 hours per incident (US FTC)
$5,000,000,000 in remote payment fraud
Liability can be shifted to issuing banks… how will they pass on the losses?
Phishing successful 5-10% of the time
Crack once, use everywhere (the same password reused across sites): Yahoo = Lotus? Bank = AOL?
"Demonize-T" Trojan horse forwards password keystrokes to hacker websites
70% of users would "trade their password for chocolate"
Increased number of active phishing sites: 27,000 in June 07


Typical Types of Attacks against Smart Cards and USB Token

Physical manipulation: ultra-high/low temperature; radiation (light, radio, X-ray, α-/β-/γ-ray)
Logical attacks: PIN retry
Side channel: SPA/DPA/timing
Electrical stimulation and analysis: voltage, spikes, frequency
Inspection and reverse-engineering: probing, grinding


The highest level of security can only be achieved with the combination of Hardware and Software Security

Hardware Security
Proprietary CPU (features), layout scrambling
Ultra-small semiconductor structures (below 0.18 μm)
Fuses, countermeasures against power and timing attacks
Active metal shields, hidden structures, non-metal connections
Encrypted memory, ROM, hidden structures, encapsulated EEPROM cells, MPU, MMU
Scrambled, hidden and encrypted busses, random wait states
Sensors (voltage, spikes, frequency, light, temperature, ...)
True Random Number Generators
Crypto-coprocessors (DES, AES, RSA, Elliptic Curves)

Software Security
Secure software layers
Identification (PIN, biometrics)
System authentication
Secure (encrypted) messaging
Log files
State machine (security state, card life cycle)
Use of true random numbers (key generation, authentication, ...)
Symmetric/asymmetric cryptography (DES, AES, RSA, hash, ...)
Firewalls, sandboxes (Java Card)
Security evaluation, certified development/quality process
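The "PIN retry" and "SPA/DPA/timing" attacks on the previous slide, and the "state machine (security state)" countermeasure on this one, are easiest to see in code. The following is an added example, not Giesecke & Devrient code and not a Java Card applet from the Starsign token: a Python model of a card's VERIFY command that decrements and commits the retry counter before comparing (so cutting power or glitching during the check still costs an attempt), compares the PIN in constant time, and keeps the "verified" security state volatile. The class and function names, the 8-byte 0xFF-padded PIN block, the three-attempt limit and the PowerCut simulation are assumptions for illustration; naive_verify is the early-exit pattern the hardened version replaces.

```python
"""Model of a smart-card VERIFY command with the countermeasures named on the slides.

Added example (not Giesecke & Devrient code). Class/function names, the 8-byte
0xFF-padded PIN block and the 3-attempt limit are assumptions for illustration.
"""
import hmac
from typing import Tuple

PIN_BLOCK = 8        # stored PIN is padded to a fixed block so the compare length is constant
MAX_RETRIES = 3      # typical retry counter; reaching 0 blocks the PIN


class PowerCut(Exception):
    """Simulates the card losing power (or being glitched) in the middle of a command."""


def _pad(pin: bytes) -> bytes:
    # PIN length is not a secret here; out-of-range input is rejected before any counter change.
    if not 4 <= len(pin) <= PIN_BLOCK:
        raise ValueError("PIN length out of range")
    return pin.ljust(PIN_BLOCK, b"\xff")


def naive_verify(stored: bytes, candidate: bytes) -> bool:
    """INSECURE reference: byte-by-byte compare with early exit.

    The number of loop iterations (and so the response time and the power trace)
    depends on how many leading digits were right: a timing/SPA oracle that cuts
    a 4-digit PIN from 10^4 guesses to roughly 4 * 10.
    """
    if len(stored) != len(candidate):
        return False
    for a, b in zip(stored, candidate):
        if a != b:
            return False
    return True


class PinGuard:
    """Card-side PIN object: persistent retry counter plus volatile security state."""

    def __init__(self, pin: bytes, max_retries: int = MAX_RETRIES) -> None:
        self._pin_block = _pad(pin)
        self._max_retries = max_retries
        self.retries_left = max_retries   # persisted (EEPROM) on a real card
        self.verified = False             # volatile: lost at power-off / reset
        self.blocked = False

    def verify(self, candidate: bytes, simulate_power_cut: bool = False) -> Tuple[bool, int]:
        """Return (success, retries_left), modelling ISO 7816-4 VERIFY."""
        self.verified = False                       # any new attempt drops the old state
        if self.blocked or self.retries_left == 0:
            self.blocked = True
            return False, 0
        block = _pad(candidate)

        # 1. Decrement and commit BEFORE the comparison. Tearing the token out,
        #    cutting power or glitching during the compare still costs an attempt.
        self.retries_left -= 1
        if simulate_power_cut:
            raise PowerCut("power lost after counter commit, before compare")

        # 2. Constant-time compare over the fixed-size block: the runtime does not
        #    depend on which byte differs first.
        ok = hmac.compare_digest(block, self._pin_block)

        # 3. Only a successful compare resets the counter and grants the state.
        if ok:
            self.retries_left = self._max_retries
            self.verified = True
        elif self.retries_left == 0:
            self.blocked = True
        return ok, self.retries_left

    def reset(self) -> None:
        """Card reset / power cycle: security state is cleared, the counter persists."""
        self.verified = False
```

On real silicon the counter write in step 1 is an EEPROM transaction that must itself be atomic (a half-written counter is its own attack surface), and the "random wait states" and sensors listed under Hardware Security back up the constant-time compare when an attacker controls the clock or supply voltage.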


Functions and Applications for secure USB Token


Functions and Applications for secure USB Token go beyond classic smart card applications.

Application | Smart Card | Secure USB Token

User authentication and network access
Secure log-on
Secure VPN access
Email signing/encryption
Memory encryption
Single sign-on
Contents & rights management
Biometric credential match
Optical personalisation (Picture, Name)
Physical Access
One time password calculation and display
No driver installation ( )
No administrator installation
Secure Data Storage (Encryption on host)
Secure Data Storage (Encryption on device)
Secure Application Execution Platform (Servlets, Browser, OS, …)
Auto Start
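The "One time password calculation and display" row is the function that blunts the keystroke-forwarding Trojan and the password-reuse problem from the threats slide: the seed never leaves the token, and a code that has been typed once (and keylogged) is useless afterwards. The following is an added example, not G&D code, and the slides do not say which OTP scheme the token implements: it shows HOTP as specified in RFC 4226, the time-based variant from RFC 6238, and the server-side validation for the event-counter variant (look-ahead window for button presses that never reached the server, and a counter that never moves backwards, so replay fails). The HotpValidator class, the window size and the use of the RFC 4226 test secret are illustrative assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an added example of on-token OTP calculation.

Not G&D code; the slides do not state which OTP scheme the token implements.
Validator class, window size and the sample secret are illustrative assumptions.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)                  # keep leading zeros


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


class HotpValidator:
    """Server side for an event-based token.

    Stores the last accepted counter, tolerates a look-ahead window for button
    presses that never reached the server, and never moves the counter backwards,
    so a code captured by a keylogger cannot be replayed.
    """

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def validate(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # compare_digest: no timing difference between a first-digit and a last-digit mismatch
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1          # resynchronise; c and everything below is burnt
                return True
        return False


# Constructed walkthrough using the RFC 4226 test secret "12345678901234567890".
SEED = b"12345678901234567890"

if __name__ == "__main__":
    srv = HotpValidator(SEED)
    first = hotp(SEED, 0)                 # what the token displays on its first button press
    print(first, srv.validate(first))     # 755224 True
    print(first, srv.validate(first))     # 755224 False: a keylogged code is worthless
    print(totp(SEED, at=59, digits=8))    # 94287082 (RFC 6238 test vector)
```

Two points a deployment has to get right beyond the arithmetic: the seed must be provisioned into the token and the server without ever sitting on the user's PC (the slides' "encryption on device" and secure post-issuance update are the mechanisms for that), and the look-ahead window bounds how far a token may drift before a manual resync is needed; a window of 10 is an assumption here, not a value from the slides.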


New use cases for strong authentication token


Use Cases of Strong Authentication Token

Classic smart card use cases (Logon, …)

Secure portable identity
Use your credentials on any computer
No installation and admin rights needed
App: Remote desktop access

Secure Data Storage
Store data in read-only, encrypted and public partitions
App: Company USB-Drive to prevent data leakage

Secure Application Execution Platform
Hardened browser runs from the token with a fixed URL
App: Secure eBanking


Smart card features of secure USB Token


Typical ‘smart card’ features of a secure USB Token

Java Card 2.2.1, Global Platform 2.1.1

EEPROM: 72 - 144kByte

Asymmetric cryptography: RSA up to 2048 bits, Elliptic Curve (e.g. Suite B), DSA, …

Symmetric cryptography: DES, 3DES, AES up to 256 bits

Hash algorithms (SHA1, SHA2, MD5, RIPEMD-160, …)

Supported Interfaces: PKCS#5, PKCS#11, PKCS#12, PKCS#15, CSP for Microsoft® CryptoAPI, PC/SC 1.0, G&D GSI host library APDU interface, G&D GSI PC/SC driver, X.509 V3

Hardware certification: Common Criteria EAL 5+

Software certification: FIPS 140-2 level 3, Common Criteria EAL4+


Features of Starsign Mobility Token Classic


StarSign® Mobility Token Classic

Zero Host Footprint: No Installation, No Admin Rights, Auto Start
Secure Post Issuance Firmware Update
Platform for On-Token-Execution of 3rd Party Applications
Transparent On-Token Encryption
Flash storage
Smart Card via Mini UICC plug-in for volume personalization
3 partitions for read-only (CD-ROM like), private (encrypted) as well as public

No-Install/No-Admin USB-Token architecture
Configurable Flash Partitions (Read-only, encrypted, unencrypted)
Flash encryption on the token


Q&A – Contact Details

Michael [email protected]
Phone: +1-650-312-1241
Mobile: +1-571-236-6942


Thank you very much for your attention