Hardware Token

Identification and Authentication

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Hardware tokens

A standard hardware token is a small device, typically in the general form factor of a credit card or keychain fob. The simplest hardware tokens look identical to a USB flash drive and contain a small amount of storage holding a certificate or unique identifier, and are often called dongles. More complex hardware tokens incorporate LCD displays, as shown in Figure 2.4, keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.

Figure 2.4. Hardware token.

Many hardware tokens incorporate an internal clock that, in combination with the device's unique identifier, an input PIN or password, and potentially other factors, is used to generate a code, usually output to a display on the token. This code changes on a regular basis, often every 30 s. The infrastructure used to keep track of such tokens can predict, for a given device, what the proper output will be at any given time and can use this to authenticate the user.

URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000026

Identification and Authentication

Jason Andress, in The Basics of Information Security, 2011

Hardware Tokens

A standard hardware token is a small device, typically in the general form factor of a credit card or keychain fob. The simplest hardware tokens look identical to a USB flash drive and contain a small amount of storage holding a certificate or unique identifier, and are often called dongles. More complex hardware tokens incorporate LCD displays, as shown in Figure 2.4, keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.

Figure 2.4. Hardware Token

Many hardware tokens contain an internal clock that, in combination with the device's unique identifier, an input PIN or password, and potentially other factors, is used to generate a code, usually output to a display on the token. This code changes on a regular basis, often every thirty seconds. The infrastructure used to keep track of such tokens can predict, for a given device, what the proper output will be at any given time, and can use this to authenticate the user.

Alert!

The simplest variety of hardware tokens represents only the something you have factor and is thus susceptible to theft and potential use by a knowledgeable criminal. Although these devices do represent an increased level of security for the user's accounts, and are generally not useful without the account credentials with which they are associated, we do need to remember to safeguard them.

Hardware tokens represent the something you have authentication factor, sometimes implementing something you know or something you are as well. In the case of simple hardware tokens that only provide the something you have factor, the security provided by the device is only as strong as our ability to prevent it from being stolen, as it could easily be used by an attacker. In the case of more complex tokens that include the capability to enter a PIN or read a fingerprint, the security of the device is enhanced considerably. In order for an attacker to use a stolen multifactor device, the attacker not only would need the hardware token itself, but also would need to either subvert the infrastructure that was synchronized with the information output from the device, or extract the something you know and/or something you are factor(s) from the legitimate owner of the device.

Identification and Authentication in the Real World

Identification and authentication can be seen at work all over the world on a daily basis. One of the most common examples that we can point out is identity cards, usually a driver's license in the United States. Such cards are routinely used to prove our identity when making purchases, dealing with government officials and offices, registering for school, and performing a variety of other tasks. In many cases, identification cards are used as a method of verifying our identity while doing these things. Although this is a weak method of verification, it is a commonly used one.

We can see authentication at work when we are carrying out a variety of activities as well. When we use a username and password to log on to a computer at work, or a Web site, we are using the something you know factor. When we enter a PIN and withdraw money from an ATM, we are using the something you know and something you have factors, and we are using multifactor authentication. Many people will not go beyond the use of these two factors in their daily lives.

For those of us who have access to more secure facilities, such as data centers, financial institutions, or military installations, we may come across more involved methods of authentication. In some such environments, we will see the use of biometrics, the something you are factor. Many such facilities have moved to the use of iris scanners, now an unobtrusive piece of equipment hanging on the wall near the area to be accessed and only requiring a glance at the lens of the device to proceed. This type of device not only is easy to use but also tends to be more acceptable to users, as we do not need to actually touch it in order for it to work.

We can also see the use of hardware tokens increasing, even for the general public. We can now purchase an inexpensive token from VeriSign that will provide an extra layer when we log in to Web sites run by companies such as eBay, PayPal, GEICO, T-Mobile, RadioShack, and hundreds of others. Owing to the large amount of online fraud and identity theft that we see now, any measures that we can use on both personal and organizational levels, such as good password hygiene, strong passwords, and the use of hardware tokens, will help to put us on a stronger security footing all the way around.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496537000025

Context-Aware Multifactor Authentication Survey

Emin Huseynov, Jean-Marc Seigneur, in Computer and Information Security Handbook (3rd Edition), 2017

Hardware Tokens

One-time passwords (OTP), as generated by a standalone hardware token, can be considered a classic method of multifactor authentication. In this case, the hardware device is serving as a proximity context proving the user has access to a physical device. For our survey, the type of the algorithms used to generate an OTP is not critical; yet, we can review a number of modern hardware types to compare with each other. Most token producers are moving or have already moved to the hash message authentication code (HMAC)-based [HMAC-based OTP (HOTP)] standard [30], and in most cases its time-based variant, time-based OTP (TOTP); the principle of TOTP hardware or software tokens is exactly the same, therefore we review some of the tokens that do not use TOTP as their algorithm. Hardware tokens can be of two types: (1) disconnected tokens, separate devices that have no direct connection to the client system (users have to type the OTPs manually using keyboards); and (2) connected tokens, which transmit the generated OTPs to the client via a physical connection, usually universal serial bus (USB).

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000508

Preventing Arrangement Intrusions

Michael W, in Network and System Security (2nd Edition), 2014

Tokens

A token is a device that employs an encrypted key for which the encryption algorithm—the method of generating an encrypted password—is known to a network's authentication server. There are both software and hardware tokens. The software tokens can be installed on a user's desktop system, in the cellular phone, or on the smart phone. The hardware tokens come in a variety of form factors, some with a single button that both turns the token on and displays its internally generated passcode; others have a more elaborate numerical keypad for PIN input. If lost or stolen, tokens can easily be removed from the system, quickly rendering them completely ineffective. And the passcodes they generate are of the "one-time-passcode," or OTP, variety, meaning that a generated passcode expires once it's been used and cannot be used again for a subsequent logon attempt.

Tokens are either programmed onsite with token programming software or offsite at the time they are ordered from their vendor. During programming, functions such as a token's cryptographic key, password length, whether a PIN is required, and whether it generates passwords based on internal clock timing or user PIN input are written into the token's memory. When programming is complete, a file containing this information and the token's serial number are imported into the authentication server so that the token's characteristics are known.

A token is assigned to a user by linking its serial number to the user's record, stored in the system database. When a user logs onto the network and needs access to, say, her email, she is presented with some challenge that she must answer using her assigned token.

Tokens operate in one of three ways: time synchronous, event synchronous, or challenge-response (also known as asynchronous).
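The three operating modes just listed, together with the clock-driven code generation described in the Andress and Huseynov excerpts above, can be seen in working form in the following Python. It is example code added for this page, not code from any of the cited chapters. It uses the HOTP and TOTP constructions of RFC 4226 and RFC 6238 (the page names these standards but does not say which algorithm any particular token uses); the shared seed (the RFC 4226 test-vector secret), the 30-second step, the drift and look-ahead windows, and the `TokenVerifier` class are all constructed for the example. The verifier shows the server-side state that makes each code single-use: accepted time steps are remembered, the event counter only moves forward, and a challenge can be answered once.

```python
"""Added example: HOTP/TOTP/challenge-response token codes and a single-use verifier."""
import hashlib
import hmac
import os
import struct
import time

# Hypothetical shared seed, programmed into the token and imported into the
# authentication server. This is the RFC 4226 test-vector secret, used here for illustration.
SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset given by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronous code: HMAC-SHA1 over an 8-byte big-endian counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous code: HOTP whose counter is the clock divided into 30 s steps (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Asynchronous code: the token MACs a server-supplied nonce instead of a counter."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha1).digest(), digits)


class TokenVerifier:
    """Server-side record for one token: the seed plus the state that keeps each code single-use."""

    def __init__(self, secret: bytes, mode: str, drift_steps: int = 1, look_ahead: int = 5):
        self.secret = secret
        self.mode = mode                # "time", "event" or "challenge"
        self.drift_steps = drift_steps  # clock skew tolerated, in 30 s steps either side
        self.look_ahead = look_ahead    # how far the token's counter may run ahead of the server's
        self.last_counter = -1          # highest event counter accepted so far
        self.used_steps = set()         # time steps whose code has already been accepted
        self.pending = None             # outstanding challenge, if any

    def issue_challenge(self) -> bytes:
        self.pending = os.urandom(8)
        return self.pending

    def verify(self, code: str, now=None) -> bool:
        if self.mode == "time":
            step = int(time.time() if now is None else now) // 30
            for s in range(step - self.drift_steps, step + self.drift_steps + 1):
                if s not in self.used_steps and hmac.compare_digest(hotp(self.secret, s), code):
                    self.used_steps.add(s)  # a replay of this code is rejected from now on
                    return True
            return False
        if self.mode == "event":
            for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
                if hmac.compare_digest(hotp(self.secret, c), code):
                    self.last_counter = c   # resynchronise; every earlier counter is now dead
                    return True
            return False
        if self.mode == "challenge":
            if self.pending is None:
                return False
            expected = challenge_response(self.secret, self.pending)
            self.pending = None             # each challenge can be answered at most once
            return hmac.compare_digest(expected, code)
        raise ValueError(f"unknown token mode {self.mode!r}")


if __name__ == "__main__":
    clock = TokenVerifier(SEED, "time")
    print("first use:", clock.verify(totp(SEED, 59), now=59))
    print("replay:   ", clock.verify(totp(SEED, 59), now=59))
```

The drift window is what lets a token whose clock has slipped a little keep working, and the look-ahead is what absorbs button presses that never reached the server; both windows should stay small, because every extra step or counter the verifier is willing to accept is one more code an eavesdropper could present.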

URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000022

Understanding Cybercrime Prevention

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Assessing Security Solutions

Once the company has identified and documented its security needs and established a working budget for addressing those needs, it is possible to assess solutions and determine which one(s) meet those needs within that budget. Network security solutions can generally be divided into three broad categories: hardware, software, and policy-only solutions.

Hardware Solutions

Hardware-based security solutions involve adding some physical device such as a dedicated firewall to protect the network or a smart card reader for logon authentication. Removal of diskette and CD/DVD drives from desktop computers to prevent unauthorized copying of files to removable media or introduction of viruses is also a hardware-based solution. Other security hardware devices include:

Keystroke capture devices for monitoring computer use

Hardware tokens for storing security keys

Cryptographic hardware devices for offloading the processing of crypto operations

Biometric authentication devices such as fingerprint or retina scanners

Hardware solutions can be more costly than software-only solutions, but they offer several advantages. Hardware security is usually more secure because there is less exposure of security information such as private keys, and it is more difficult to tamper with hardware than software. Hardware solutions also often offer faster performance.

Software Solutions

Software solutions include IDSes, packet/circuit/application filtering software, and security auditing software, as well as software firewall packages such as Microsoft's Internet Security and Acceleration (ISA) Server, which combine these functions. Other software security solutions are antivirus (AV) programs such as those made by Symantec, "spyware" used to monitor how computers are being used (including packet sniffer software that can capture and analyze network traffic), and network management packages that incorporate security features. Operating system and application "fixes" that patch security holes can also be placed in this category.

Policy Solutions

Most hardware and software security measures have accompanying policies that prescribe when and how they are to be deployed and used, but many security measures consist of policies only. For example:

Policies that prohibit users from disclosing their passwords to anyone else

Policies that require users to lock their workstations when they leave their desks

Policies that require users to get permission before installing any software on their machines

Policies that prohibit users from allowing anyone else to use the computer after they've logged on

Of course, in many cases policies will be enforced via software or hardware. For example, a policy that prohibits users from copying network files to their local disks can be enforced by permissions that allow read-only access. A policy that requires users to change their passwords every 30 days can be enforced by setting passwords to expire after that time period.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000121

Policy-Driven System Management

Henrik Plate, ... Stefano Paraboschi, in Computer and Information Security Handbook (Third Edition), 2013

Policy Specification and Harmonization

This application offers the administrator access to the set of requirements specified in the previous phase and supports him or her in constructing a collection of instances of the IT Security Policy model able to represent the requirements. The IT Security Policy model focuses on representing AC and DP requirements. The AC part supports the high-level formal description of the authentication and authorization profiles of applications.

For the authentication profile, the model considers the description of a variety of authentication techniques. The most common solution is to use usernames and passwords, but richer solutions based on certificates, hardware tokens, and cryptographic credentials are supported. The model distinguishes between "direct" authentication solutions, in which the system managing the authentication phase and verifying the correctness of the claimed identity of the user is the same that will offer the services, and "indirect" authentication solutions, in which some support is received from external systems responsible for the secure retrieval of the protected credential for the complete execution of the authentication phase.

For the authorization profile, the IT Security Policy model permits the representation of modern AC models. The central concepts of this part are system authorization and role authorization. These two constructs are integrated, and the possibility is offered of expressing declarative restrictions on the subject and the resource of an authorization. Authorizations have a sign, positive or negative; in general, DAC, MAC, RBAC, and ABAC models can be represented. The expressivity of the authorization model is loosely comparable to what can be achieved with XACML, even if the different assumptions about the structure of subjects and resources do not permit a formal containment relationship to be established between models.

Once the IT policy has been defined, reasoning services are offered to verify whether the policy satisfies a number of consistency constraints. The checks that are supported focus on identifying modality conflicts, redundant authorizations, and violations of SoD constraints. Modality conflicts arise when rules with conflicting signs apply to the same access request and a specified conflict resolution policy is not able to establish which rules have to be applied. The detection requires the subject and resource hierarchies used in designing the IT Policy to be expanded. Redundant authorizations are detected by looking for authorization rules that are dominated by other rules. These redundant rules can be omitted from the IT policy without changing system behavior. SoD constraints are specified using negative role authorizations, and violations are detected by identifying subjects that are able to acquire two roles denoted as incompatible. All checks are implemented thanks to the use of Semantic Web tools, translating the IT policy into an OWL representation and then invoking adequate reasoning services. The result of this phase is a harmonized IT policy that is passed to the next phase.
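The three consistency checks described above, run over a small constructed policy, as an added Python example that is not the chapter's tool (which performs the same checks by translating the policy to OWL and invoking a reasoner). Modality conflicts are found by expanding the subject and resource hierarchies and enumerating access requests, redundant rules by looking for a broader rule of the same sign and action, and SoD violations by checking which users can reach two incompatible roles. Every role, resource and user name is hypothetical, and SoD constraints are modelled here as pairs of incompatible roles rather than as the negative role authorizations the chapter uses.

```python
"""Added example: modality-conflict, redundancy and SoD checks over a toy IT policy."""
from itertools import product

# Constructed toy policy; every name is hypothetical. Hierarchies map a node to its parents,
# so a rule written on a parent also applies to every descendant.
ROLE_PARENTS = {"clerk": {"employee"}, "auditor": {"employee"}, "manager": {"employee"}}
RESOURCE_PARENTS = {"ledger": {"finance"}, "payroll": {"finance"}}

# A rule is (subject, resource, action, sign) with sign "+" (permit) or "-" (deny).
RULES = [
    ("employee", "finance", "read", "+"),
    ("clerk", "ledger", "read", "+"),       # dominated by the employee/finance rule above
    ("auditor", "payroll", "write", "-"),
    ("employee", "payroll", "write", "+"),  # both rules apply to an auditor writing payroll
]
INCOMPATIBLE_ROLES = [("clerk", "auditor")]               # SoD constraint
USER_ROLES = {"alice": {"clerk", "auditor"}, "bob": {"manager"}}


def ancestors(name: str, parents: dict) -> set:
    """`name` plus everything above it in the hierarchy (the expansion step)."""
    seen, todo = set(), [name]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(parents.get(node, ()))
    return seen


def applicable(request: tuple, rules: list) -> list:
    """Rules whose subject and resource are the request's own or one of their ancestors."""
    subject, resource, action = request
    subs = ancestors(subject, ROLE_PARENTS)
    ress = ancestors(resource, RESOURCE_PARENTS)
    return [r for r in rules if r[0] in subs and r[1] in ress and r[2] == action]


def modality_conflicts(rules: list, resolution: str = None) -> list:
    """Requests that match both a permit and a deny with no resolution policy to decide."""
    subjects = set(ROLE_PARENTS) | {r[0] for r in rules}
    resources = set(RESOURCE_PARENTS) | {r[1] for r in rules}
    actions = {r[2] for r in rules}
    conflicts = []
    for request in product(subjects, resources, actions):
        signs = {r[3] for r in applicable(request, rules)}
        if signs == {"+", "-"} and resolution is None:
            conflicts.append(request)
    return sorted(conflicts)


def redundant_rules(rules: list) -> list:
    """Rules dominated by another rule of the same sign and action on an ancestor subject/resource."""
    dominated = []
    for r in rules:
        for d in rules:
            if (d is not r and d[3] == r[3] and d[2] == r[2]
                    and d[0] in ancestors(r[0], ROLE_PARENTS)
                    and d[1] in ancestors(r[1], RESOURCE_PARENTS)):
                dominated.append(r)
                break
    return dominated


def sod_violations(user_roles: dict, incompatible: list) -> list:
    """Users who can acquire two roles declared incompatible, directly or via the hierarchy."""
    violations = []
    for user, roles in sorted(user_roles.items()):
        reachable = set().union(*(ancestors(r, ROLE_PARENTS) for r in roles))
        for a, b in incompatible:
            if a in reachable and b in reachable:
                violations.append((user, a, b))
    return violations


if __name__ == "__main__":
    print("modality conflicts:", modality_conflicts(RULES))
    print("redundant rules:   ", redundant_rules(RULES))
    print("SoD violations:    ", sod_violations(USER_ROLES, INCOMPATIBLE_ROLES))
```

Passing a resolution strategy name (for instance `resolution="deny-overrides"`) silences the modality report, which mirrors the chapter's point that a conflict is only a problem when no resolution policy has been specified; the redundancy check is deliberately conservative and marks a rule only when a single other rule covers it completely.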

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000260

Security Issues and Measures

Elizabeth Rhodenizer, in Encyclopedia of Information Systems, 2003

II.A Authentication

The authentication service ensures that the user's identification is valid. The three forms of authentication are (1) authentication through something that the user knows, (2) authentication through something that the user has, and (3) authentication through something the user is. The typical standard of identity verification through the use of a password covers something the user knows, but it is insufficient in most environments to allow a system to use a password as the only form of authentication. A combination of two or three forms of authentication would provide more strength depending on the mechanisms used and the system being protected.

The IT mechanisms that can be incorporated into securing authentication services include passwords, software and hardware tokens, and biometrics. This list is not limited to these specific mechanisms since the field of IT is continuously growing and expanding.

II.A.1 Passwords

A password associated with a user name is not secure enough for all applications. Some factors that strengthen the protection of a password authentication method include the length, the variability, and the randomness of the password. The length and variability of the password directly affect the number of permutations. The variability includes the number of different selections that can be chosen for each segment of the password. Table 2 shows that, as the length of the password and number of permutations increase, the number of different password possibilities increases.

Table 2. Number of Password Permutations

Password length X   Alpha (26^X)   Alpha/numeric (36^X)   Uppercase/alpha/numeric (62^X)
6                   3.09E8         2.18E9                 5.68E10
8                   2.09E11        2.82E12                2.18E14
10                  1.41E14        3.66E15                8.39E17

Having a large number of possible permutations is no longer enough with the current computing power that is available. It is now essential to a system's security to have the password run through a number of hashes in order to make the task of cracking the password more difficult. The difficulty in cracking this hashed password will lead to longer computational times. Table 3 shows how many days it would take to run through all possible permutations assuming a computing power of 75 passwords per second for a password that has been hashed 5000 times.

Table 3. Time to Attempt All Possible Password Permutations (a)

Number of password combinations   Time (days) for 1 hash   Time (days) for 5000 hashes
3.09E8                            0.01                     47.69
2.18E9                            0.07                     1051.31
5.68E10                           1.75                     8765.43
2.09E11                           6.45                     32253.09
2.82E12                           87.04                    435185.19
2.18E14                           6728.39                  33641975.31
1.41E14                           4351.85                  21759259.26
3.66E15                           112962.96                564814814.81
8.39E17                           25895061.73              129475308641.98

(a) Assuming computing power of 75 passwords per second for a password that has been hashed 5000 times and a computing power of 375,000 passwords per second for a password that has been hashed one time.
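The arithmetic behind Tables 2 and 3, and the iterated hashing that the paragraph above relies on, in Python added here as an example (it is not part of the encyclopedia entry). The password space is `alphabet^length`, the exhaustion time is the space divided by the guessing rate, and the two rates in the footnote are related by the iteration count (375,000 / 5000 = 75 guesses per second). The `stretched_hash` function (salted SHA-256 repeated `rounds` times) and the sample password are constructed for illustration; real deployments use a purpose-built password hash such as PBKDF2, bcrypt, scrypt or Argon2 rather than a hand-rolled loop, but the cost multiplier works the same way.

```python
"""Added example: password-space arithmetic from Tables 2 and 3 plus iterated hashing."""
import hashlib
import hmac
import os

SECONDS_PER_DAY = 86_400
SINGLE_HASH_RATE = 375_000                    # guesses/s for a once-hashed password (footnote)
ROUNDS = 5_000                                # iterations in the "hashed 5000 times" column
STRETCHED_RATE = SINGLE_HASH_RATE / ROUNDS    # 75 guesses/s, the footnote's other figure


def password_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size` (Table 2)."""
    return alphabet_size ** length


def days_to_exhaust(space: float, guesses_per_second: float) -> float:
    """Days needed to try every password at a fixed guessing rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


def table3_row(space: float) -> tuple:
    """(space, days for 1 hash, days for 5000 hashes), rounded like the printed table."""
    return (space,
            round(days_to_exhaust(space, SINGLE_HASH_RATE), 2),
            round(days_to_exhaust(space, STRETCHED_RATE), 2))


def stretched_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted SHA-256 iterated `rounds` times: each guess now costs `rounds` hash evaluations.
    Constructed illustration only; use PBKDF2, bcrypt, scrypt or Argon2 in practice."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def verify_password(candidate: str, salt: bytes, stored: bytes, rounds: int = ROUNDS) -> bool:
    """Constant-time comparison of a candidate against the stored stretched hash."""
    return hmac.compare_digest(stretched_hash(candidate, salt, rounds), stored)


if __name__ == "__main__":
    for length in (6, 8, 10):                                   # Table 2
        print(length, [password_space(n, length) for n in (26, 36, 62)])
    for space in (3.09e8, 2.18e9, 5.68e10, 2.09e11):             # Table 3 rows
        print(table3_row(space))
    salt = os.urandom(16)                                        # constructed sample salt
    stored = stretched_hash("correct horse", salt)
    print(verify_password("correct horse", salt, stored), verify_password("wrong", salt, stored))
```

Running the table loop reproduces the printed rows from the footnote's rates (0.01 and 47.69 days for 3.09E8, 6.45 and 32253.09 days for 2.09E11, and so on); the one printed value the formula does not reproduce is the 5000-hash entry for 2.18E9, which the same arithmetic puts at about 336 days rather than 1051.31.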

II.A.2 Software and Hardware Tokens

Software and hardware tokens strengthen an authentication method when used in conjunction with a password. Tokens incorporate something the user has with the password, something the user knows. This provides not only strength in the access method but increases the difficulty of having an attacker masquerade as the user. The attacker would need to take possession of the token as well as crack the associated password. This attack should be mitigated by policies and procedures, which dictate due diligence with respect to the storage of the token and selection of a password.

II.A.3 Biometrics

Biometrics is the analysis and quantification of human biological characteristics to digital format. The physical characteristics typically used, as stated in the InfoSysSec Security Portal, include finger, face, iris, retina, hand, and voice. Each characteristic focuses on the associated unique traits in order to perform a biometric scan as listed in Table 4. There are four steps to a biometric scan, which differ slightly for registering and authenticating a user to a system.

Table 4. Physical Characteristics and Corresponding Unique Traits

Physical characteristic   Details
Finger                    Finger print
Face                      Upper outline of the eye socket; cheekbone; sides of the mouth
Iris                      Rings; furrows; freckles; cornea
Retina                    Blood vessels in the back of the eye
Hand                      Length; width; thickness; surface area of the hand and fingers
Voice                     Voice print

On registration of a user in a biometric system, the person's identification and authorization must be verified in a secure and undisputable manner. This method will be dictated by an organization's policies. Once the identity is validated, the biometric image must first be captured; this process is called enrollment. This image should not be held in the device beyond the time that is required to extract the unique characteristics of the physical attribute. The extraction would use predetermined points of the feature as input data. The unique characteristics extracted will depend on the attribute used for authentication. The digital format must be stored securely for future comparisons. On authorization of a user to the biometric system the user submits the required characteristic to the scanning device. The unique characteristic is scanned, processed, and represented in a digital format. A comparison between the secure repository and the digital format of the physical trait is performed. Access is granted or denied given a match or a failure, respectively. For more information about biometrics refer to the InfoSysSec Security Portal at http://www.infosyssec.com/infosyssec/biometl.htm

URL: https://www.sciencedirect.com/science/article/pii/B0122272404001568

Intranet Security

Bill Mansoor, in Network and System Security (2nd Edition), 2014

2 Security Considerations

Quite a few risks need to be resolved when approaching intranet security with regard to mobile devices:

1. Risk of size and portability—Mobile devices are prone to loss. An Apple staffer's "loss" of a fourth-generation iPhone to a Gizmodo staffer during a personal outing to a bar is well known. There is no denying that smartphones because of their size are easy theft targets in the wrong place at the wrong time. Loss of a few hundred dollars of hardware, however, is nothing when an invaluable client list is lost and falls into a competitor's hands. These are nightmare scenarios that keep CIOs up at night.

2. Risk of access via multiple paradigms—Mobile devices can access unsafe sites using cellular networks and download malware into storage. The malware in turn can bypass the company firewall to enter the company network to wreak havoc. Old paradigms of security by controlling security using perimeter network access are no longer feasible.

3. Social media risks—By definition, mobile devices are designed in such a way that they can easily access social media sites, which are the new target for malware propagating exploits. Being personal devices, mobile media devices are much more at risk of getting exploits sent to them and being "pwned" (so to speak).

These issues can be approached and dealt with by using a solid set of technical as well as administrative controls:

1. Institute a customized corporate usage policy for mobile devices—This policy/procedure must be signed by new hires at orientation and by all employees who ask for access to the corporate VPN using mobile devices (even personal ones). This should ideally be in the form of a contract and should be signed by the employee before a portion of the employee's device storage is partitioned for access and storage of corporate data. Normally, there should be yearly training highlighting the do's and don'ts of using mobile devices in accessing a corporate VPN. The first thing emphasized in this training should be how to secure company information using passwords and, if cost-effective, two-factor authentication using hardware tokens.

2. Establish a policy for reporting theft or misplacement—This policy should identify at the very least how quickly one should report thefts of mobile devices containing company data and how quickly remote wipe should be implemented. The policy can optionally detail how the mobile device's feature (app) enabling location of the misplaced or stolen device will proceed.

3. Institute a well-tested SSL VPN for remote access—Reputed vendors having experience with mobile device VPN clients should be chosen. The quality, functionality, adaptability of usage (and proven reputation) of the VPN clients should be fundamental in determining the selection of the vendor. The advantage of an SSL VPN compared to IPsec or L2TP for mobile usage is well known. The SSL VPNs should be capable of supporting two-factor authentication using hardware tokens. For example, Cisco's "Cisco AnyConnect Secure Mobility Client" and Juniper's "Junos Pulse App" are free app downloads available within the Apple iTunes App store. Other VPN vendors will also have these apps available, and they can be tested to see how smooth and functional the access process is.

4. Establish inbound and outbound malware scanning—Inbound scanning should occur for obvious reasons, but outbound traffic should also be scanned in case the company's email servers become SPAM relays and get blacklisted on sites such as Lashback or get blocked from reaching external sites.

5. Establish WPA2 encryption for Wi-Fi traffic access—WPA2 for now is the best encryption available compared to WEP encryption, which is dated and not recommended.

6. Establish logging metrics and granular controls—Keeping regular tabs on information asset access by users and configuring alerting on unusual activity (such as large-scale access or exceeded failed-logon thresholds) is a good way to prevent information leakage.

Mobile devices accessing enterprise intranets using VPNs are subject to the same factors as any other device remotely accessing VPNs, namely (see Figure 8.3):

Figure 8.3. Mobile device VPN access to company network using token authentication (Courtesy: Apple Inc.)

1. Protection of data while in transmission

2. Protection of data while at rest

3. Protection of the mobile device itself (in case it fell into the wrong hands)

4. App security

At a minimum, the following standards are recommended for managing tablets and smartphones with Mobile Device Management (MDM) appliances:

1. Protection of data while in transmission: Transmission security for mobile devices is concerned primarily with VPN security as well as Wi-Fi security. With regard to VPNs, the primary preference for most mobile devices should be for Web-based or SSL VPNs. The reason is that IPsec and L2TP VPN implementations are still buggy as of this writing on all but iOS devices (iPhones and iPads). SSL VPNs can also be implemented as clientless. Regarding Wi-Fi, the choice is to simply configure WPA2 Enterprise using 128-bit AES encryption for mobile devices connecting via Wi-Fi. Again, MDM appliances can be used to push out these policies to the mobile devices.

2. Protection of data while at rest: The basis of protecting stored data on a mobile device is the password. The stronger the password, the harder to break the encryption. Some devices (including the iPad) support 256-bit AES encryption. Most recent mobile devices also support remote wipe and progressive wipe. The latter feature will progressively increase the time of the lockout duration until finally initiating an automatic remote wipe of all data on the device. These wipe features are designed to protect company data from falling into the wrong hands. All these features can be queried and are configurable for mobile devices via either Exchange ActiveSync policies or configuration policies from MDM appliances.

3. Protection of the mobile device: Passwords for mobile devices have to conform to the same corporate "strong password" policy as for other wired network devices. This means the password length, content (minimum of eight characters, alphanumeric, special characters, etc.), password rotation and expiry (remember: last three and every two to three months), and password lockout (three to five attempts) have to be enforced. Complete sets of configuration profiles can be pushed to tablets, smartphones, and iPads using MDM appliances specifying app installation privileges, YouTube, and iTunes content ratings permissions, among many others.

4. App security: In recent versions of both Android and iOS, significant changes have been made so that app security has become more bolstered. For example, in both OSs, apps run in their own silos and can't access other app or system information. While iPhone apps are theoretically capable of accessing the users' contact information and also their locations in some cases, Apple's signing process for every app that appears in the iTunes app store takes care of this. It is possible on the iOS devices to encrypt data using either software methods such as AES, RC4, 3DES, or hardware accelerated encryption activated when a lockout occurs. In iOS, designating an app as managed can prevent its content from being uploaded to iCloud or iTunes. In this way, MDM appliances or Exchange ActiveSync can prevent leakage of sensitive company data.

While there are quite a few risks in deploying mobile devices within the Intranet, with careful configuration these risks can be minimized to the point where the myriad benefits outweigh the risks. One thing is certain: These mobile devices and the efficiency they promise are for real, and they are not going away.

Empowering employees is the principal idea in the popularity of these devices. And corporate IT will only serve its own interest by designing enabling security around these devices and letting employees be more productive.

URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000083