Authentication tokens are used to prove one's
identity electronically.
Sometimes called a hardware token, security token, USB token,
cryptographic token, software token, virtual token, etc.
• The token uses a password to prove that the customer is
who they claim to be.
• The token acts like an electronic key to access
• Some may store cryptographic keys,
1. digital signature
2. biometric data
3. fingerprint minutiae.
Time-synchronized one-time passwords
Time-synchronized one-time passwords change constantly at a set time interval,
e.g. once per minute. To do this some sort of synchronization must exist between
the client's token and the authentication server.
Mathematical-algorithm-based one-time passwords
Another type of one-time password uses a complex mathematical algorithm,
such as a hash chain, to generate a series of one-time passwords from a secret
shared key. Each password is unguessable, even when previous passwords are
• Connected tokens are tokens that must be physically
connected to the computer with which the user is
• Tokens in this category automatically transmit the
authentication information to the client computer once a
physical connection is made, eliminating the need for the
user to manually enter the authentication information
• To use a connected token, the appropriate input device
must be installed. The most common types of physical
tokens are smart cards and USB tokens, which require a
smart card reader and a USB port
• The number must be copied into the PASSCODE
field by hand.
• Disconnected tokens have neither a physical nor
logical connection to the client computer.
• They typically do not require a special input device,
and instead use a built-in screen to display the
generated authentication data, which the user enters
manually themselves via a keyboard or keypad.
MAGNETIC STRIPE CARDS
Standard technology for bank cards,
driver’s licenses, library cards, and so
Uses a laser to read and write the card
• Can store:
• Cannot process information
ITECH 7215 Information Security
• Store information
• Carry out local processing
• Perform Complex Calculations
WHAT IS A SMART CARD?
A Smart card is a plastic card about
the size of a credit card, with an
embedded microchip that can be
loaded with data.
The standard definition of a
smart card, or integrated circuit
card (ICC), is any pocket sized
card with embedded integrated
CONTACT SMART CARDS
Requires insertion into a smart card
reader with a direct connection
This physical contact allows for
transmission of commands, data,
and card status to take place
(Card Number / Name / Validity, etc.)
ELECTRICAL SIGNALS DESCRIPTION
CLK : Clocking or timing signal (optional use by the
card).
GND : Ground (reference voltage).
VPP : Programming voltage input (deprecated /
optional use by the card).
I/O : Input or Output for serial data to the integrated
circuit inside the card.
VCC : Power supply input.
RST : Reset signal supplied from the interface device.
• Central Processing Unit: Heart of the Chip
• All the processing of data is performed here.
• security logic: detecting abnormal
e.g. low voltage
• serial i/o interface: contact to the
• test logic: self-test procedures
• typically 16 bytes
• future 32/64 bytes
• ‘Buffer memory’ of the processor
• typically 512 bytes
• future 1 byte
• typically 8 bytes
• future 32 bytes
• connection between elements of the chip
• 8 or 16 bits wide
SMART CARD READERS
Computer based readers
Connect through USB or COM (Serial) ports
Usually with a small screen, keypad, printer,
often also have biometric devices such as thumb
WHY SMART CARDS?
Security: Data and codes on the card are
encrypted by the chip maker.
Trust: Minimal human interaction.
Less paperwork: eco-friendly
WHY USE SMART CARDS?
Can store currently up to 7000 times more data than a
magnetic stripe card.
Information that is stored on the card can be updated.
Magnetic stripe cards are vulnerable to many types of fraud.
A single card can be used for multiple applications (cash,
identification, building access, etc.)
Smart cards provide a 3-fold approach to authentication
• PIN (password)
• Cryptographic verification
Terminal asks the user to provide a password.
Password is sent to Card for verification.
permit user authentication.
Terminal verifies card (INTERNAL AUTH)
Terminal sends a random number to the card to be
hashed or encrypted using a key.
Card returns the hash or ciphertext.
Terminal can then know that the card is authentic.
Card needs to verify (EXTERNAL AUTH)
Primarily for the “Entity Authentication”
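The three steps above (PIN verification, INTERNAL AUTH, EXTERNAL AUTH) as one runnable model, added here and not taken from the slides: the card keeps its key and PIN on-chip and only answers challenges, the terminal checks the card's response to a fresh random number, and the card in turn checks the terminal's response to its own challenge. HMAC-SHA256 stands in for whatever cipher a real card would use, the PIN retry counter is a simplification, and key and PIN values are constructed.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, challenge: bytes) -> bytes:
    # Keyed response to a challenge; a real card would use its own cipher (e.g. 3DES/AES).
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Card:
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin, self._max = key, pin, max_tries   # never leave the chip
        self.tries_left = max_tries
        self._pending = None          # challenge handed out for EXTERNAL AUTH

    def verify_pin(self, pin: str) -> bool:
        """Step 1: terminal forwards the user's PIN, the card compares it on-chip."""
        if self.tries_left == 0:
            return False              # retry counter exhausted: card blocked
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left = self._max
            return True
        self.tries_left -= 1
        return False

    def internal_authenticate(self, challenge: bytes) -> bytes:
        """INTERNAL AUTH: answer the terminal's random number with a keyed MAC."""
        return mac(self._key, challenge)

    def get_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(8)
        return self._pending

    def external_authenticate(self, response: bytes) -> bool:
        """EXTERNAL AUTH: terminal answers the card's challenge; each challenge is single-use."""
        if self._pending is None:
            return False
        ok = hmac.compare_digest(mac(self._key, self._pending), response)
        self._pending = None
        return ok

class Terminal:
    def __init__(self, key: bytes):
        self._key = key

    def authenticate_card(self, card: Card) -> bool:
        nonce = secrets.token_bytes(8)        # fresh random number per session
        return hmac.compare_digest(mac(self._key, nonce), card.internal_authenticate(nonce))

    def prove_to_card(self, card: Card) -> bool:
        return card.external_authenticate(mac(self._key, card.get_challenge()))
```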
Fingerprint identification.
Features of fingerprints can be kept on the card (even verified
on the card).
Photograph/iris pattern, etc.
Such information is to be verified by a person. The information
can be stored in the card securely.
SMART CARD APPLICATIONS
Banking & Finance
Pay Phone Cards
Retailer Loyalty Programs
STUDENT ID CARD
A student ID card, containing a variety of applications
such as an electronic purse (for vending machines, laundry
machines), library card, and meal card.
Proven to be more reliable than the OTHER cards.
Can store thousands of times more information than the magnetic
Reduces tampering through high security mechanisms.
Can be disposable or reusable.
Performs multiple functions.
Has wide range of applications (e.g., banking, transportation, healthcare...)
Compatible with portable electronics (e.g., PCs, telephones...)
In the example of internet banking,
if the PC is infected with any kind of malware, the security model is broken.
Malware can override the communication (both input via the keyboard and output via the
application screen) between the user and the internet banking application (e.g. the
browser). The malware could then modify transactions without the user noticing.
There is malware in the wild with this capability (e.g. Trojan.