AUTHENTICATION TOKENS

Authentication tokens are used to prove one's identity electronically .

sometimes a hardware token, security token, USB token, cryptographic token, software token, virtual token etc.

• The token use a password to prove that the customer is who they claim to be.

• The token acts like an electronic key to access something.

• Some may store cryptographic keys,1. digital signature2. biometric data3. fingerprint minutiaer.

Time-synchronized one-time passwords

Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server.

Mathematical-algorithm-based one-time passwords

Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known.

Connected tokens

•Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. •Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information

• To use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port

• The number must be copied into the PASSCODE field by hand.

• Disconnected tokens have neither a physical nor logical connection to the client computer.

• They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad.

DISCONNECTED TOKENS

SMART CARDSFUTURE LIFE………

MAGNETIC STRIPE CARDSStandard technology for bank cards, driver’s licenses, library cards, and so on……

OPTICAL CARDSUses a laser to read and write the card Photo IDFingerprint

MEMORY CARDS• Can store:

Financial InfoPersonal InfoSpecialized Info

• Cannot process Info

ITECH 7215 Information Security

MICROPROCESSOR CARDS/SMART CARD

• Store information• Carry out local processing• Perform Complex Calculations

WHAT IS A SMART CARD?

A Smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data.

The standard definition of a a smart card, or integrated circuit card (ICC), is any pocket sized card with embedded integrated circuits.

CONTACT SMART CARDS

Requires insertion into a smart card reader with a direct connection

This physical contact allows for transmission of commands, data, and card status to take place

CARD ELEMENTSMagnetic Stripe

Chip

Embossing (Card Number / Name / Validity,etc.)

Logo

Hologram

ELECTRICAL SIGNALS DESCRIPTION

: Clocking or timing signal (optional use by the

card).

GND : Ground (reference voltage).

VPP : Programming voltage input (deprecated /

optional use by the card).

I/O : Input or Output for serial data to the integrated

circuit inside the card.

VCC : Power supply input

: reset signal supplied from the interface deviceRST

CLK

WORKING STRUCTURE

• Central Processing Unit: Heart of the Chip• All the processing of data preforms in here.

CPU

WORKING STRUCTURE• security logic: detecting abnormal

conditionse.g. low voltage

CPU

security

logic

WORKING STRUCTURE• serial i/o interface: contact to the

outside world

CPU

security

logicserial

i/ointerfac

e

WORKING STRUCTURE• test logic: self-test procedures

CPU

security logic

serial i/ointerface

test logic

WORKING STRUCTUREROM:•self-test procedures•typically 16 bytes•future 32/64 bytes

CPU

security logic

serial i/ointerface

test logicROM

WORKING STRUCTURE

RAM:•‘Buffer memory’ of the processor•typically 512 bytes•future 1 byte

CPU

security

logicserial i/ointerface

test logic

ROM

RAM

WORKING STRUCTUREEEPROM:•cryptographic keys•PIN code•biometric template•typically 8 bytes•future 32 bytes

CPU

security logic

serial i/ointerface

test logicROMRAM

EEPROM

WORKING STRUCTURE

Databus:•connection between elements of the chip•8 or 16 bits wide

CPU

security logic

serial i/ointerface

test logic

ROM

RAMEEPRO

M

Databus

SMART CARD READERS

Computer based readersConnect through USB or COM (Serial) ports

Dedicated terminalsUsually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.

WHY SMART CARDS?

Security: Data and codes on the card are encrypted by the chip maker.

Trust: Minimal human interaction.

Portability.

Less Paper work: Eco-Friendly

WHY USE SMART CARDS?

Can store currently up to 7000 times more data than a magnetic stripe card.

Information that is stored on the card can be updated. Magnetic stripe cards are vulnerable to many types of

frauds A single card can be used for multiple applications (cash,

identification, building access, etc.) Smart cards provide a 3-fold approach to authentic

identification:• Pin (password)• Cryptographic verification• Biometrics

PASSWORD VERIFICATION

Terminal asks the user to provide a password. Password is sent to Card for verification. permit user authentication.

CRYPTOGRAPHIC VERIFICATION

Terminal verify card (INTERNAL AUTH) Terminal sends a random number to card to be

hashed or encrypted using a key. Card provides the hash or cyphertext.

Terminal can know that the card is authentic. Card needs to verify (EXTERNAL AUTH) Primarily for the “Entity Authentication”

BIOMETRIC TECHNIQUES

Finger print identification. Features of finger prints can be kept on the card (even verified

on the card) Photograph/IRIS pattern etc.

Such information is to be verified by a person. The information can be stored in the card securely

SMART CARD APPLICATIONS

Government programs Banking & Finance Mobile Communication Pay Phone Cards Transportation Electronic Tolls Passports Electronic Cash Retailer Loyalty Programs Information security

STUDENT ID CARD

A student ID card, containing a variety of applications such as electronic purse (for vending machines, laundry machines, library card, and meal card).

ADVANTAGES

Proven to be more reliable than the OTHER cards. Can store up to thousands of times of the information than the magnetic

stripe card. Reduces tampering through high security mechanisms. Can be disposable or reusable. Performs multiple functions. Has wide range of applications (e.g., banking, transportation, healthcare...) Compatible with portable electronics (e.g., PCs, telephones...)

DISADVANTAGES.

In the example of internet banking, if the PC is infected with any kind of malware, the security model is broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the internet banking application (eg. browser). This would result in modifying transactions by the malware and unnoticed by the user. There is malware in the wild with this capability (eg. Trojan. Silentbanker).

THANK YOU