Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Smartcards and Authentication Tokens

authentication tokens and smartcards

  • Login to see the comments

  • Be the first to like this

Smartcards and Authentication Tokens

  2. 2.  Authentication tokens are used to prove one's identity electronically . sometimes a hardware token, security token, USB token, cryptographic token, software token, virtual token etc.
  3. 3. • The token use a password to prove that the customer is who they claim to be. • The token acts like an electronic key to access something. • Some may store cryptographic keys, 1. digital signature 2. biometric data 3. fingerprint minutiaer.
  4. 4. Time-synchronized one-time passwords Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server. Mathematical-algorithm-based one-time passwords Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known.
  5. 5. Connected tokens •Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. •Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information • To use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port
  6. 6. • The number must be copied into the PASSCODE field by hand. • Disconnected tokens have neither a physical nor logical connection to the client computer. • They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. DISCONNECTED TOKENS
  8. 8. MAGNETIC STRIPE CARDS Standard technology for bank cards, driver’s licenses, library cards, and so on……
  9. 9. OPTICAL CARDS Uses a laser to read and write the card Photo ID Fingerprint
  10. 10. MEMORY CARDS • Can store: Financial Info Personal Info Specialized Info • Cannot process Info ITECH 7215 Information Security
  11. 11. MICROPROCESSOR CARDS/SMART CARD • Store information • Carry out local processing • Perform Complex Calculations
  12. 12. WHAT IS A SMART CARD? A Smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data.
  13. 13.  The standard definition of a a smart card, or integrated circuit card (ICC), is any pocket sized card with embedded integrated circuits.
  14. 14. CONTACT SMART CARDS  Requires insertion into a smart card reader with a direct connection  This physical contact allows for transmission of commands, data, and card status to take place
  15. 15. CARD ELEMENTS Magnetic Stripe Chip Embossing (Card Number / Name / Validity, etc.) Logo Hologram
  16. 16. ELECTRICAL SIGNALS DESCRIPTION : Clocking or timing signal (optional use by the card). GND : Ground (reference voltage). VPP : Programming voltage input (deprecated / optional use by the card). I/O : Input or Output for serial data to the integrated circuit inside the card. VCC : Power supply input : reset signal supplied from the interface deviceRST CLK
  17. 17. WORKING STRUCTURE • Central Processing Unit: Heart of the Chip • All the processing of data preforms in here. CPUCPU
  18. 18. WORKING STRUCTURE • security logic: detecting abnormal conditions e.g. low voltage CPUCPU security logic security logic
  19. 19. WORKING STRUCTURE • serial i/o interface: contact to the outside world CPUCPU security logic security logic serial i/o interface serial i/o interface
  20. 20. WORKING STRUCTURE • test logic: self-test procedures CPUCPU security logic security logic serial i/o interface serial i/o interface test logic
  21. 21. WORKING STRUCTURE ROM: •self-test procedures •typically 16 bytes •future 32/64 bytes CPUCPU security logic security logic serial i/o interface serial i/o interface test logic ROM
  22. 22. WORKING STRUCTURE RAM: •‘Buffer memory’ of the processor •typically 512 bytes •future 1 byte CPUCPU security logic security logic serial i/o interface serial i/o interface test logic ROM RAM
  23. 23. WORKING STRUCTURE EEPROM: •cryptographic keys •PIN code •biometric template •typically 8 bytes •future 32 bytes CPUCPU security logic security logic serial i/o interface serial i/o interface test logic ROM RAM EEPROM
  24. 24. WORKING STRUCTURE Databus: •connection between elements of the chip •8 or 16 bits wide CPUCPU security logic security logic serial i/o interface serial i/o interface test logic ROM RAM EEPROM Databus
  25. 25. SMART CARD READERS Computer based readers Connect through USB or COM (Serial) ports Dedicated terminals Usually with a small screen, keypad, printer, often also have biometric devices such as thumb print scanner.
  26. 26. WHY SMART CARDS? Security: Data and codes on the card are encrypted by the chip maker. Trust: Minimal human interaction. Portability. Less Paper work: Eco-Friendly
  27. 27. WHY USE SMART CARDS?  Can store currently up to 7000 times more data than a magnetic stripe card.  Information that is stored on the card can be updated.  Magnetic stripe cards are vulnerable to many types of frauds  A single card can be used for multiple applications (cash, identification, building access, etc.)  Smart cards provide a 3-fold approach to authentic identification: • Pin (password) • Cryptographic verification • Biometrics
  28. 28. PASSWORD VERIFICATION  Terminal asks the user to provide a password.  Password is sent to Card for verification.  permit user authentication.
  29. 29. CRYPTOGRAPHIC VERIFICATION  Terminal verify card (INTERNAL AUTH)  Terminal sends a random number to card to be hashed or encrypted using a key.  Card provides the hash or cyphertext.  Terminal can know that the card is authentic.  Card needs to verify (EXTERNAL AUTH)  Primarily for the “Entity Authentication”
  30. 30. BIOMETRIC TECHNIQUES  Finger print identification.  Features of finger prints can be kept on the card (even verified on the card)  Photograph/IRIS pattern etc.  Such information is to be verified by a person. The information can be stored in the card securely
  31. 31. SMART CARD APPLICATIONS Government programs  Banking & Finance  Mobile Communication  Pay Phone Cards  Transportation  Electronic Tolls  Passports  Electronic Cash  Retailer Loyalty Programs  Information security
  32. 32. STUDENT ID CARD  A student ID card, containing a variety of applications such as electronic purse (for vending machines, laundry machines, library card, and meal card).
  33. 33. ADVANTAGES  Proven to be more reliable than the OTHER cards.  Can store up to thousands of times of the information than the magnetic stripe card.  Reduces tampering through high security mechanisms.  Can be disposable or reusable.  Performs multiple functions.  Has wide range of applications (e.g., banking, transportation, healthcare...)  Compatible with portable electronics (e.g., PCs, telephones...)
  34. 34. DISADVANTAGES . In the example of internet banking, if the PC is infected with any kind of malware, the security model is broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the internet banking application (eg. browser). This would result in modifying transactions by the malware and unnoticed by the user. There is malware in the wild with this capability (eg. Trojan. Silentbanker).
  35. 35. THANK YOU