Security Token

Warning: mkdir() [function.mkdir]: Permission denied in /home/webs/affiliatelib2/CacheManager.php on line 12

Warning: mkdir() [function.mkdir]: No such file or directory in /home/webs/affiliatelib2/CacheManager.php on line 12

Warning: fopen(/home/templatecore2cache//*cluesnet.com/8c/8ce441f27df21f51091adf70a5a6ce6836f95be5.tc2cache) [function.fopen]: failed to open stream: No such file or directory in /home/webs/affiliatelib2/CacheManager.php on line 130

Warning: fwrite(): supplied argument is not a valid stream resource in /home/webs/affiliatelib2/CacheManager.php on line 131

Warning: fclose(): supplied argument is not a valid stream resource in /home/webs/affiliatelib2/CacheManager.php on line 132

. tokens from Aladdin Knowledge Systems from Entrust

A security token (or sometimes a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens.

Hardware tokens are typically small enough to be carried in a pocket or purse and often are designed to attach to the user's keychain. Some may store cryptographic keys, such as a digital signature, or biometric data, such as a fingerprint. Some designs feature tamper resistance packaging, other may include small keypads to allow entry of a Personal identification number.

Embodiments Some tokens are very simple, others are complex and include multiple authentication methods. There are many vendors, each using its own approach, and many of these are patented.

Digital signatures For a digital signature to be trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof for the user’s identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or another user interface cannot be used in some Digital signature scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

Single sign-on software Some types of Single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and Form filler. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.

BestBuy Deluxe Ltd's BesToken BesToken is USB based strong two-factor authentication device integrated with smart card and can be used for identity management and access control. It supports for Single sign-on, digital signature, network logon and PKI applications.

One-time passwords A one-time password is a password that changes after each Logon, or changes after a set time interval.

Mathematical-algorithm-based one-time passwords Another type of one-time password uses a complex mathematical algorithm, such as a cryptographic hash, to generate a new password based on the previous one, starting from a secret shared key. The open source Initiative For Open Authentication algorithm is standardized, other algorithms are covered by U.S. patents.

ID CONTROL ID Control offers easy, affordable and strong One-time password (OTP) authentication by turning your mobile phone or device (e.g. PDA, Blackberry) into an OTP based authentication token with HandyID.

VeriSign VeriSign Unified Authentication uses the OATH standard. VeriSign Unified Authentication Original equipment manufacturer is Aladdin Knowledge Systems.

Deepnet Security Deepnet Security's Deepnet Unified Authentication Platform product.

Aladdin Knowledge Systems’ eToken NG-OTP The Aladdin Knowledge Systems' eToken NG-OTP is a hybrid USB and one-time password token. It combines the functionality of smart card based authentication tokens with one-time password user authentication technology in detached mode.

Time-synchronized one-time passwords A time-synchronized one-time password change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the Client (Computing)'s token and the authentication Server (computing). For disconnected tokens this time-synchronization is done before the token is distributed to the Client (Computing), other token types do the synchronization when the token is inserted into an input device.

Booleansoft Booleansoft tokens synchronize with the authentication server when inserted into an input device like a Universal Serial Bus input device or a CD-ROM drive. United States patent law Patent pending technology.

Entrust IdentityGuard Mini Token Entrust offers two variants of their OTP token — Entrust IdentityGuard Mini Token OE and Entrust IdentityGuard Mini Token AT. The Entrust IdentityGuard Mini Token OE provides event-based, one-time passwords using the standards-based HOTP algorithm endorsedby the Initiative for Open Authentication (OATH), providing compatibility with third-party software. The Entrust IdentityGuard Mini Token AT offers time- and event-synchronous, one-time passwords based on the stronger DES/3DES algorithm. Priced at $5 per token, the Entrust IdentityGuard Mini Token provides a dramatic contrast to the traditional high-cost offerings of the past.

RSA Security's SecurID RSA Security's SecurID displays a number which changes at a set interval. The Client (Computing) enters the one-time password along with a personal identification number when authentication. US patented technology.

Vasco's DigiPass VASCO's DigiPass series has a small keyboard where the user can enter a personal identification number, in addition it generates a new one-time password every 36 seconds. US patent: 4599489 and 4609777

KerPass UST KerPass provide time synchronous OATH one time passwords on mobile phone. A new password is generated every 30 seconds. KerPass uses an exclusive server side password validation technology that makes possible using a KerPass password in the context of zero knowledge password proof algorithm like SPEKE or SRP. This combination renders password authentication insensitive to man in the middle attacks.

Secure Computing's Safeword Secure Computing's Safeword is a hardware device that will display a passcode when pressing a button on the device. A barcode and serial number on the back of the device are used by administrators to synchronize the devices with the authentication system. They Safeword system is event-based rather than time-based. Each press of the button will display a new passcode and once a passcode is used for authentication, combined with the user's pin number, it and all the passcodes generated before it can not be reused again.

Token model types Some tokens types are disconnected; thus they don't need an input device, on the other hand, some token types need input devices. For the purchaser of a security token solution there may be hidden costs in expensive input devices.

Bluetooth Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If the Bluetooth is not available, the token must be inserted into a Universal Serial Bus input device to function.

Cellular phones A new category of T-FA tools allows users to utilize their mobile phone as a security token. A Java application installed on the mobile phone performs the functions normally provided by a dedicated token. Other methods of using the cell phone include using SMS messaging, instigating an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS.

Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices. In the case of SMS options, there are trade-offs: users may incur fees for text messages or for WAP/HTTP services.

Disconnected tokens Disconnected tokens are by far the most common today, VASCO's Digipass and RSA Security's SecurID are some examples. The advantage with disconnected tokens is that you don't need any input devices. On the downside, they have a relatively short estimated battery lifetime, usually only 3-5 years, which is low compared to Universal Serial Bus tokens which may last 10 years. Some tokens, e.g. ActivIdentity's, allow the batteries to be changed after they expire, thus reducing the cost of purchasing new tokens.

PC cards The PC card tokens are made to only work with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

Mykotronx Corp. Mykotronx Corp. makes the Fortezza card token for laptops with a PC card.

Smart cards Smart cards are relatively inexpensive compared to other tokens. There are also significant wear-and-tear on the smart cards themselves because of the friction when inserting the card, potentially shortening the lifespan of the smart card token.

Universal Serial Bus (USB) The Universal Serial Bus has become a standard in computers today, USB tokens are therefore often a cheaper alternative than other tokens needing a special input device.

Booleansoft Booleansoft has several types of Universal Serial Bus tokens, some including fingerprint biometrics. Each Client (Computing) that requires secure authentication is supplied with a personal security token. When the USB token is inserted into an IBM PC compatible's USB port, a software program stored on the token (called the 'token software') is then automatically started. The token software lets the user generate new one-time passwords and digital signatures to access a remote resource for authentication purposes.

VeriSign VeriSign's Unified Authentication provides a single, integrated platform for provisioning and managing all types of two-factor authentication credentials.

Smart Card Based USB tokens Smart-card-based USB tokens which contain a smart card chip inside provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.

Other types Some use a special purpose interface (e.g. the KSD-64 deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and Personal digital assistant can also serve as security tokens with proper programming. Booleansoft provides CD tokens, some the size of a standard credit cards.

Related technologies Enterprise single sign-on Some Enterprise single sign-on (E-SSO) solutions uses security tokens.

Two-factor authentication (T-FA) Security tokens provide the "what you have" component in two-factor authentication and multi-factor authentication solutions.

GrIDsure GrIDsure technology is a means of generating One Time Password without using an additional hardware device. As additional security is required, devices such as mobile phones can be used to generate "super-tokens" which do not give away the pass-codes if stolen. Demonstration available here

Usage The simplest security tokens do not need any connection to a computer. The Client (Computing) enters the number displayed on his or her token, usually along with a Personal identification number, when asked to do so. Others connect to the computer using wireless techniques, such as Bluetooth. Still others plug into the computer. For these one must:

Connect the token to the computer using an appropriate input device

Enter the Personal identification number if necessary

Depending on type of the token the computer Operating system will now either

read the key from token and perform cryptographic operation on it or
ask the token's firmware to perform this operation

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to Authorization the use of the software in question.

See also

Software token
Two-factor authentication
Initiative For Open Authentication

References

PKCS -- The RSA standards PKCS11 and PKCS #15 define software interfaces.

Specification for Integrated Circuit(s) Cards Interface Devices

External links

OATH Initiative for open authentication
Token Authentication Article from AuthenticationWorld

da:Security Token Servicees:Token de seguridadja:セキュリティトークンnl:Token (identificatie)pl:Tokenpt:Token (chave eletrônica)sk:Token