In our previous articles, we have explained security tokens such as the YubiKey. A security token is a piece of hardware used to identify and authenticate users; the term is occasionally also applied to software tokens. Security tokens are usually part of an access control system with two-factor authentication. To guard against misuse of the hardware itself, additional security features must be combined with it during authentication.
Authentication Process of Security Tokens
- The user initiates the data exchange between the token and the verification system, e.g. by holding the token in front of a reader.
- The reader identifies the token by its unique identification number(s), such as its type number, a media serial number, a carrier registration number, and/or a user class number.
- The data set read from the token is compared by the verification system with corresponding local reference data according to a well-defined verification procedure: the token is authenticated by means of challenge-response authentication, and possibly further check data serving as additional security features, such as a PIN, is requested from the bearer of the token.
- For additional assurance, the local reference data is compared with reference data held in a database on a remote server (e.g. via a leased line or a protected dial-up line).
- If the token or the further reference data is invalid, the verification system refuses further access.
- To allow authentication to be traced, event data from the check process is transmitted back to the server.
- The verification system grants the bearer of the token the permitted use, such as specific functions and/or data.

Security, Counterfeiting and Manipulation
For security-critical applications, a security token must be a unique item that is specially secured against manipulation and duplication or counterfeiting.
The security token must generate one-time session keys from a fixed secret stored in the token, the so-called primary key. A cryptoprocessor is used for this purpose: a microcontroller equipped with additional security functions. These security functions primarily protect against unwanted readout and reverse engineering, for example by omitting conventional development interfaces such as JTAG from the circuit entirely. Cryptographic methods are used to derive the keys, and the cryptographic operations take place entirely within the chip.
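As an added illustration (not code from the original article), the following Python simulation walks through the verification steps listed above with a token that derives a one-time session key from its primary key via HMAC, and shows the verifier rejecting a recorded exchange that is played back and a wrong PIN. The token ID, primary key, PIN and HMAC construction are constructed assumptions, not any real token's protocol.

```python
import hashlib
import hmac
import secrets

def derive_response(primary_key: bytes, challenge: bytes) -> bytes:
    # Hypothetical construction: a one-time session key is derived from the fixed
    # primary key and the fresh challenge; the response proves possession of the
    # primary key without ever transmitting it.
    session_key = hmac.new(primary_key, b"session|" + challenge, hashlib.sha256).digest()
    return hmac.new(session_key, challenge, hashlib.sha256).digest()

class Token:
    """Simulated hardware token: the primary key never leaves this object."""
    def __init__(self, token_id: str, primary_key: bytes):
        self.token_id, self._primary_key = token_id, primary_key
    def respond(self, challenge: bytes) -> bytes:
        return derive_response(self._primary_key, challenge)

class Verifier:
    """Verification system holding local reference data and an event log."""
    def __init__(self, reference: dict):
        self.reference = reference   # token_id -> (primary_key, sha256(pin))
        self.outstanding = {}        # token_id -> challenge not yet answered
        self.events = []             # event data kept for tracing authentications
    def challenge(self, token_id: str) -> bytes:
        c = secrets.token_bytes(16)  # fresh random challenge for every attempt
        self.outstanding[token_id] = c
        return c
    def verify(self, token_id: str, challenge: bytes, response: bytes, pin: str) -> bool:
        ref = self.reference.get(token_id)
        issued = self.outstanding.pop(token_id, None)   # a challenge is valid once only
        ok = (ref is not None
              and issued == challenge                    # replayed exchanges fail here
              and hmac.compare_digest(derive_response(ref[0], challenge), response)
              and hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), ref[1]))
        self.events.append((token_id, "granted" if ok else "rejected"))
        return ok

# Constructed sample data for the demonstration
PRIMARY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
REFERENCE = {"TOKEN-0001": (PRIMARY_KEY, hashlib.sha256(b"1234").digest())}

def run_demo():
    token, verifier = Token("TOKEN-0001", PRIMARY_KEY), Verifier(REFERENCE)
    c = verifier.challenge(token.token_id)
    r = token.respond(c)
    first = verifier.verify(token.token_id, c, r, "1234")    # legitimate use
    replay = verifier.verify(token.token_id, c, r, "1234")   # same exchange played back
    c2 = verifier.challenge(token.token_id)
    bad_pin = verifier.verify(token.token_id, c2, token.respond(c2), "0000")
    return first, replay, bad_pin, verifier.events
```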
---
Methods that only allow identification, but not authentication, are nevertheless used in practice as if they provided authentication. The code of such a token is not forgery-proof, because the identification feature can be freely read out and reproduced. These methods include solutions based on passive RFID chips, which carry a unique serial number and were developed in accordance with various ISO standards for use in electronic labels (tags).
Pure storage solutions are insecure in the sense of being copyable: memory-only chip cards, magnetic stripe cards, barcodes, key files on data carriers such as USB sticks, and the classic mechanical key. The communication between an (otherwise secure) token and the reader can also be attacked, in the simplest case by a replay attack. Freely accessible (USB) connection cables make it easy to attach data loggers. In particular, if the reader or operating personnel exercise no mechanical and/or visual control over the token, devices that need not resemble the original token in type or size can also be used to defeat the system. Radio transmissions can often be recorded from a great distance and thus offer a large attack surface for manipulation.
There will never be an absolutely secure solution with a single authentication factor; every security procedure can be overcome. The design of the token and the type of data transmission (mechanical, electrical, magnetic, optical, …) have a major impact on protection against manipulation. For example, a smart card can be drawn completely into a reader and shielded there. Likewise, designing a reader or customer terminal as a compact unit protected against theft, replacement and other manipulation contributes significantly to security.
Discussion of Solutions
Distinguishing between use cases is a prerequisite for a meaningful assessment of security, for example:
- Access control from public spaces
- Access control in public spaces
- Access control in a well-secured room
- Access control with good separation from the environment
All applications in public spaces are inevitably exposed to unauthorized third parties. Claims to the contrary rely on restrictions that are usually not stated explicitly, such as the maximum usable reading distance. Ease of use always goes hand in hand with risks. Generalizations are not helpful.