2. Authentication Factors
Three types:
Something you Know
Passwords, PIN, security questions
Something you Have
Hardware token, mobile phone, key file
Something you Are
Fingerprints, iris, retina, voice, facial structure, typing analysis
Hon1nbo - Smart Cards & MFA 2
3. Which is best?
Depends on the application
A web forum login account is not as valuable as a bank account
Resources available on the server and client side
Can we combine multiple factors?
4. Multi-factor Authentication (MFA)
Two or more authentication factors used together
Very secure
Allows loss of one factor without loss of security
Can be any combination of the three factors
What uses MFA?
ATM cards (PIN + physical card), Chip and PIN (outside USA)
Twitter, Google, Facebook, and others allow MFA (mobile phones and hardware tokens)
5. Implementations
Most common two-factor auth (2FA) is a password/PIN plus a token given to the user
User enters both a password and a One Time Password (OTP) generated by the token into the system
User enters a PIN into the token, which generates an OTP or performs a key signing operation
User enters a password, and the server "pushes" the auth request to the token for approval by the user (mobile phone push)
Token is attached to the system, and the user enters a password or PIN (ATMs, hardware keys for software licensing)
6. Other Implementations
Password/token and biometric
Not common due to the expense and complexity of biometrics
A biometric cannot be replaced like a token if it is stolen
Increasing use of 3FA (PIN + token + biometric)
7. Hardware Security Modules
Implement cryptographic processors in a secure assembly
Used by CAs, banks, SSL/TLS endpoints
Larger, bulky, expensive to design and implement
Very powerful
8. Smart Cards
Powerful hardware tokens
Onboard cryptographic processor
Secure key storage
Extremely difficult to attack without advanced tools, knowledge, and ample time
Easy to reprogram if compromised
Cost decreasing in recent years
Partly due to common use in government and the payment industry
9. Smart Cards
Simpler cryptographic token implementation than HSMs
Some "HSM" devices are really just smart cards with a permanently attached reader
Key storage often contains multiple keys
A master key has subkeys and their “stubs”
Encryption key
Signing Key
Authentication Key
Each used for different application
Allows for enhanced security through key isolation
10. Smart Cards
Authentication flow
User inserts card
Card presents the user's public key, which is matched against the public key stored on the server
Server sends a challenge message to the card; once the user enters a valid PIN on the card, the card signs the message together with the current time using the authentication private key
Server verifies the signed message with the stored public key
Session is authenticated
Similar process for Non-repudiation and encryption
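The authentication flow above, as an added example in Go (not code from the slides, and not a real card or PKCS#11 API): simCard is a hypothetical in-process stand-in for the card's authentication key slot that signs only after the correct PIN and locks after repeated wrong PINs; authServer matches the presented public key against its enrolled copy, issues a random challenge, verifies the signature over challenge plus timestamp with the stored key, and consumes the challenge so a captured response cannot be replayed. Ed25519 stands in for whatever signature algorithm a real card's authentication key uses; the three-try PIN counter, 32-byte nonce and 30-second timestamp window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// simCard is a hypothetical stand-in for the card's authentication key slot, not a real
// card API: the private key never leaves the struct, and it signs only after a correct PIN.
type simCard struct {
	authKey ed25519.PrivateKey
	pin     string
	retries int // PIN attempts left before the slot locks, as a real card would
}

func newSimCard(pin string) (*simCard, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &simCard{authKey: priv, pin: pin, retries: 3}, nil
}

func (c *simCard) PublicKey() ed25519.PublicKey { return c.authKey.Public().(ed25519.PublicKey) }

// authMessage is what the card signs: the server's challenge bound to the signing time.
func authMessage(challenge []byte, ts int64) []byte {
	var tsb [8]byte
	binary.BigEndian.PutUint64(tsb[:], uint64(ts))
	return append(append([]byte{}, challenge...), tsb[:]...)
}

// sign is the PIN-gated signing operation; a wrong PIN burns one retry.
func (c *simCard) sign(pin string, challenge []byte, ts int64) ([]byte, error) {
	if c.retries == 0 {
		return nil, errors.New("card locked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.retries--
		return nil, errors.New("wrong PIN")
	}
	c.retries = 3
	return ed25519.Sign(c.authKey, authMessage(challenge, ts)), nil
}

// authServer keeps enrolled public keys (keyed by raw key bytes), at most one outstanding
// challenge per key, and the allowed timestamp drift in seconds.
type authServer struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
	maxSkew int64
}

func newAuthServer(maxSkew int64) *authServer {
	return &authServer{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}, maxSkew: maxSkew}
}

// enroll records the card's public key at registration time.
func (s *authServer) enroll(pub ed25519.PublicKey) { s.keys[string(pub)] = pub }

// challenge matches the presented key against an enrolled one and issues a fresh nonce.
func (s *authServer) challenge(pub ed25519.PublicKey) ([]byte, error) {
	if _, ok := s.keys[string(pub)]; !ok {
		return nil, errors.New("unknown public key")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(pub)] = nonce
	return nonce, nil
}

// verify checks the signature with the stored key (never the one just presented), rejects
// stale timestamps, and consumes the nonce so a captured response cannot be replayed.
func (s *authServer) verify(pub ed25519.PublicKey, ts int64, sig []byte, now int64) bool {
	stored, ok := s.keys[string(pub)]
	nonce, pendingOK := s.pending[string(pub)]
	if !ok || !pendingOK {
		return false
	}
	delete(s.pending, string(pub))
	if ts < now-s.maxSkew || ts > now+s.maxSkew {
		return false
	}
	return ed25519.Verify(stored, authMessage(nonce, ts), sig)
}

func main() {
	card, _ := newSimCard("1234")
	srv := newAuthServer(30)
	srv.enroll(card.PublicKey())
	nonce, _ := srv.challenge(card.PublicKey())
	now := time.Now().Unix()
	sig, _ := card.sign("1234", nonce, now)
	fmt.Println("session authenticated:", srv.verify(card.PublicKey(), now, sig, now))
}
```

Two details carry the security of the flow: the server verifies against the key it stored at enrolment, not the key the card just presented (otherwise anyone could present a key they hold and sign with it), and each challenge is random and single-use, which is what makes the signed response useless to anyone who records it.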
11. File System Encryption
Smart Cards can be used for local encryption
Can store large AES, RSA, and other key types
Programs such as TrueCrypt, BitLocker, and others support this
Advantages
Key not stored on the target device
Key difficult to extract from a static system
Disadvantages
Key usually in memory while the system is operational, for speed
12. Types of Smart Cards
Most are the size of a standard plastic credit card
Electrical contacts on the surface
Others are the size of a fingernail (cellular SIM cards)
May contain a USB or similar interface
Various support for encryption and key types
Limiting factor: ensuring cards and systems are compatible
New systems may not work with previous cards; cards can't be reformatted like passwords
13. PKCS
Public Key Cryptography Standards
Smart cards and HSMs do not have a standard implementation, but we need a standard application interface
PKCS allows for a common API for application development
Communication with the smart card is done through a middleware driver
PKCS#11 is the most common
14. OpenPGP Smart Card
Smart Card designed for PGP support
Cross platform support with various applications
15. PIV
Personal Identity Verification
Federal Information Processing Standard (FIPS) 201
Government employee ID, universal ID in some countries
Card can contain:
Public/Private keys
Symmetric keys
Biometric data
CA data
Advanced cryptographic processors
Implemented with PKCS#15
16. EMV
Europay, Mastercard, Visa
Replacement for Magnetic Stripe
Implements Smart Cards as payment token
Standard outside of USA
17. Smart Card Attacks
Simple (practical)
PIN scraping
RAM Scrapers
Keyloggers
Fixed with a hardware secure PIN entry device
Static key export
FDE needs volume key in memory for efficiency
Hardware HSM may fix this, but it is much slower
Advanced (nation state, extended physical access)
Simple/Differential Power Analysis
18. Contactless
Smart cards using wireless communication to host
Usually NFC (Not RFID)
Challenge Response
Systems using this:
Contactless credit cards outside of the US (part of EMV)
Enterprise access cards (including the SMU Student and Faculty ID)
May or may not require a PIN to use the secret
Target service performing authentication provides the response to the card's challenge
20. Multi-factor Authentication
@hon1nbo
Security Consultant @ Cigital, Inc.
hon1nbo@hackingand.coffee
If you're in SSIG and interested in experimenting with Smart Cards or other tokens, contact me so we can get a group order.