Jesper Writes About Security

“Smart card” is actually a bad term. The proper term for what we mean here is “hardware-backed certificate authentication” but for the obvious reasons, we’ll probably just stick to “smart card”. Smart cards are simply a hardware device with an integrated circuit (IC) on them. In fact, you probably have at least one in your wallet. Virtually all credit cards now include an IC along with a set of metallic contacts on one side. However, you may also find contactless (RFID) based smart cards, smart cards in a form factor indistinguishable from a USB flash drive, and multi-purpose devices that include smart card functionality, such as most   Yubico YubiKeys . Today, something like   10 billion chips suitable for smart cards are manufactured each year .  When used in an authentication context smart cards typically would be ones that implement the Personal Identity Verification (PIV) standard defined in  Federal Information Processing Standard (FIPS) 201 , which was origina...

  In addition to sending codes via SMS some service providers may send codes via other contact mechanisms, such as email, phone, or various chat applications. These mechanisms are very similar to SMS: they are mechanisms to deliver a code to a user. Usually the code is 6 digits.  The security of these mechanisms varies and depends on a large variety of factors that are largely outside the scope of the mechanism itself. Email, and some of these other ones, are very often used as a possession proof for password reset as well. The assumption is that if you have access to the email account you must be the customer who registered an account with that email address. However, this creates a security dependency. The security of the account you are resetting the password for depends completely on the security of the email account. Sadly, most people do not protect their email account to the extent that would be prudent if you are going to make the security of your retirement account de...

  The factors we have discussed so far, SMS and OTP have some interesting disadvantages. SMS is not delivered securely and can be intercepted. OTP requires a certain amount of cognitive load that could hamper adoption. Study after study has shown that ease of use is a crucial factor in adoption. A study by Weir et al in 2009 showed that users deliberately chose a less secure solution that was considered more usable). (“User Perceptions of Security, Convenience and Usability for Ebanking Authentication Tokens”,   Computers & Security , February 2009,   https://www.researchgate.net/publication/222818183_User_perceptions_of_security_convenience_and_usability_for_ebanking_authentication_tokens ) In a push (pun intended) to make MFA consumable and easier to use, a relatively novel concept was invented: push notifications or approval mode. In this system, after the user enters a username and password, or in some implementations, just a username, they receive a prompt to app...

  Like a whole lot of other people, to help prevent the spread of COVID-19, you may be either working from home or helping ensure others can, or both. Like a lot of people you may also be searching for information and resources to help cope.  Unfortunately criminals realize that we are doing this. Whether they are doing it to advance the interests of a nation state or to make money, they are taking advantage of the situation, the fear, and confusion caused by the pandemic. I thought it might make sense to put together some pointers for how to protect the digital lives of you, your loved ones, and those whom you are protecting. Phishing As with every other crisis, criminals are using the pandemic to try to entice people into clicking on phishing emails. They use all the same tricks they always use. They try sending email from anyone who may be trusted, like the Department of Health and Human Services, or Johns Hopkins University, which is tracking the outbreak.  Legitimate...

  TOTP was designed to address some of the disadvantages of HOTP. Like HOTP it was standardized using an RFC (6238) and was adopted as an open standard by the Initiative for Open Authentication (OATH). You will sometimes hear TOTP referred to as OATH-TOTP, meaning it is using the standard OATH implementation (not to be confused with OAuth, which is not the same thing).  Where HOTP derives the uniqueness of the code from the seed and the counter, TOTP derives uniqueness from the seed and the current time. This means TOTP relies on time synchronization and clocks. In a stand-alone hardware token without a network connection to receive time the clock sync is provided when the token is initialized. Hardware tokens have their own internal clocks, powered by a battery. Some hardware tokens, like those using a USB, Bluetooth or NFC form factor can receive clock sync from a computer when they need it, meaning they do not need batteries and internal clocks. NFC clock sync only works wh...

  One-time passwords are very similar to SMS codes, with one major exception: they are generated by or with the user and verified by the server, not sent to you in an SMS message. Most people think of these as generated by an application, and speak of them colloquially as “Google Authenticator Codes” because that’s one of the primary apps that generate them. However, there are many many more implementations and there are two primary algorithms. In this post I will describe HMAC-Based One-Time Passwords (HOTP). Next time I will describe Time-based One-Time Passwords (TOTP).  HOTP Hashed Message Authentication Code (HMAC) Based One-Time Passwords, or HOTP, is an open IETF standard (RFC 4226) for generating one-time passwords based on a cryptographically computed hash. Hashes are extraordinarily useful, and this standard simply uses them for generating the same value in two places. HOTP generation is based on several parameters: A hashing algorithm - often SHA-1 but it could be a...