Hackers of India

Bring Your Own Token (BYOT) to Replace the Traditional Smartcards for Strong Authentication and Signing

By Karthik Ramasamy, Eric Hampshire on 04 Dec 2019 @ Blackhat

Abstract

Smartcards are a good way to enable strong authentication to enterprise networks and applications, as they provide identification, authentication, and the ability to store cryptographic key material on the card using the embedded microchip and memory. Enterprises can provision the smartcards with a digital identity, in the form of an X.509 certificate uniquely associated with a user, to enable smartcard logon to servers and mutual TLS authentication to services. Traditionally, hybrid cards that provide both proximity card and smartcard functionality are used for this purpose, so that users can carry a single card for both facility access and strong authentication to IT servers and applications.

There are some limitations and challenges with using a single card as both proximity card and smartcard. Proximity cards can generally be pre-provisioned in bulk, because the association between the user identity and the proximity ID can be made after the card is assigned to a user. For the smartcard, however, the X.509 certificates provisioned to the card contain user information that must be known at provisioning time. This slows down the provisioning process. There are also other challenges related to issuing replacement or temporary cards for lost or misplaced cards.

This whitepaper describes the solution implemented at Cisco to replace the traditional hybrid smartcards with a Bring Your Own Token (BYOT) model, overcoming the limitations and challenges of traditional smartcard solutions. The solution enables users to bring their own USB tokens that are compatible with the Personal Identity Verification (PIV) and Chip Card Interface Device (CCID) standards and to self-provision the digital identities needed for strong authentication, signing and other cryptographic functions.

AI Generated Summary (may contain errors)

Here is a summary of the content:

The conversation revolves around the use of Hardware Security Modules (HSMs) and tokens for secure authentication. The speaker mentions that their HSMs are FIPS certified and have not been specifically tested for side-channel attacks, but that they rely on the YubiKey's strong security features.

The discussion also touches on the company's policy of requiring employees to purchase their own tokens, which can be obtained through various channels, including an internal purchasing portal. This approach has been more cost-effective than the previous smart card program, which had higher costs and annual fees.

Finally, the conversation turns to the practice of using physical tokens for both physical and logical access. The speaker acknowledges that this can add complexity, but notes that it’s essential to have a PIN policy in place to protect against unauthorized access, even if the token is left plugged into the computer.