
Tokens vs Passwords

This post was prompted by a recent thread about tokens, whose comments showed a good deal of confusion. I concluded that many people do not fully understand, or do not understand at all, what a token is, what it is for and what it is not. The wish to dot the i's led to the text below. What follows concerns USB tokens: devices that plug into a computer, accept commands and return the results of executing them. Let's get started.



Aspects of storing information on tokens



First, a clarification: a token is not a flash drive. It can, of course, store a certain amount of data, but very little, for example 64 KB. There are tokens that also contain a few GB of flash memory, but data in that flash memory is stored using the same technology as on an ordinary flash drive, so the ability to hold large amounts of data should be regarded as a secondary or incidental function.

The original purpose of a token is non-extractable storage of key material, which obviously has little in common with a flash drive. What does "non-extractable" mean? It means that the key never leaves the token in any direction, for example into the computer's RAM. This strict policy can be relaxed so that the key may be exported from the token to RAM only in encrypted (wrapped) form. There is also an option to export the key in the clear. But even if the token's owner chooses to use only that last option, the level of security is still higher than keeping the key on an ordinary flash drive, because exporting the key requires knowing the PIN, whereas copying a key off a flash drive requires no PIN at all. Many will object: you can store the key on a flash drive, encrypt it with a password using, say, RAR, and no token is needed! But an attacker trying passwords against the archive gets an arbitrarily large number of attempts, whereas the token locks itself after three consecutive wrong PIN entries (the retry limit is configurable on most devices, but three is a common default). Conclusion: even with the most modest security settings, it is safer to keep a key on a token than on a flash drive. That is all on key storage.


Other Token Functions



What else can a token do? On its own, a token can:

1. Encrypt and decrypt with symmetric and asymmetric algorithms

2. Generate encryption keys

3. Generate and verify digital signatures

4. Hash data, and so on

During a cryptographic operation the token acts as a kind of "black box": data goes in, is transformed using the key, and the result comes out. It can be compared to a microcomputer: input and output go over USB, and inside there is a processor, working memory and protected non-volatile memory.



Why do we need passwords?



For most of us, passwords everywhere have become the de facto standard or, if you like, a modern classic. Want to log in to e-mail or a social network? A password. Want to encrypt a file with RAR? Also a password. The main advantage of passwords is ease of use. However, forgetting them, transmitting them over unprotected channels (to your mother-in-law by phone), typing them on a keyboard, their predictability and so on cast doubt on some important security operations.

Comparing a password with a cryptographic key gives very disappointing conclusions. In GOST 28147-89 the key is 256 bits (32 bytes) long, and when produced by a random number generator it has good statistical properties. A password that is, for example, a dictionary word can be reduced to a pseudo-random number about 16 bits long (a dictionary of about 65,000 words gives roughly 2^16 choices), sixteen times shorter than the GOST key. By cryptographic standards this comparison alone is a complete and unconditional fail!

My claim is this: tokens can solve every task for which passwords are used today, without exception, and solve them better and more safely. I think it is time to replace password schemes with full-fledged cryptographic protocols built on keys, and here there is no better assistant than a token. To avoid being unfounded, let us consider two specific examples: authentication and data encryption.



Authentication

There is no point dwelling on the shortcomings of password authentication; we have heard too many reports of hacked accounts and mailboxes. With a token and cryptography it is realistic to implement any one of a thousand existing authentication protocols for which neither interception and modification of traffic nor theft of the database from the server gives the attacker anything. (The second property holds for protocols in which the server stores only the user's public key; with a shared symmetric key, the server's database is as sensitive as the token itself.) A user can forget a password but cannot forget a key, because the key is stored securely on the token. Authenticating with a token is just as convenient as with a password.
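As an added example (constructed for this page, not code from the original post), here is the kind of exchange the section describes, implemented as the Schnorr identification protocol in Python. The `Token` class stands in for a USB token: the private key `x` is created inside it and never returned, and the PIN check locks the device after three wrong entries, as in the key-storage section above. The server stores only the public key `y`, so a stolen database gives an attacker nothing to log in with, and a captured transcript cannot be replayed because the server issues a fresh challenge every time. The group parameters are the 1024-bit MODP group 2 from RFC 2409, used here for demonstration only; the class and function names, the PIN values and the retry limit are assumptions of this example.

```python
import secrets

# 1024-bit MODP group 2 from RFC 2409: p = 2q + 1 is a safe prime and 2
# generates the subgroup of prime order q.  Demonstration size only; a
# real deployment would use a larger group or an elliptic curve.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
MAX_PIN_TRIES = 3          # assumed retry limit, as in the article


class TokenLocked(PermissionError):
    pass


class Token:
    """Models a USB token: the private key x lives only inside this object."""

    def __init__(self, pin: str):
        self._x = secrets.randbelow(Q - 1) + 1   # private key in [1, q-1]
        self.public_key = pow(G, self._x, P)     # y = g^x, safe to publish
        self._pin, self._tries_left, self._r = pin, MAX_PIN_TRIES, None

    def _check_pin(self, pin: str) -> None:
        if self._tries_left == 0:
            raise TokenLocked("token is locked")
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN, %d tries left" % self._tries_left)
        self._tries_left = MAX_PIN_TRIES

    def commit(self, pin: str) -> int:
        """Step 1: after the PIN check, emit the commitment t = g^r."""
        self._check_pin(pin)
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(G, self._r, P)

    def respond(self, challenge: int) -> int:
        """Step 3: s = r + c*x mod q.  Only s leaves the token, never x."""
        if self._r is None:
            raise RuntimeError("commit() must precede respond()")
        s, self._r = (self._r + challenge * self._x) % Q, None  # r is single-use
        return s


class Server:
    """Holds public keys only, so a stolen user database yields no secrets."""

    def __init__(self):
        self.users, self._pending = {}, {}

    def register(self, user: str, public_key: int) -> None:
        self.users[user] = public_key

    def begin(self, user: str, t: int) -> int:
        """Step 2: record t before issuing c; otherwise a forger picks t after c."""
        c = secrets.randbelow(Q)
        self._pending[user] = (t, c)
        return c

    def finish(self, user: str, s: int) -> bool:
        """Step 4: accept iff g^s == t * y^c (mod p)."""
        t, c = self._pending.pop(user)
        return pow(G, s, P) == (t * pow(self.users[user], c, P)) % P


def login(token: Token, server: Server, user: str, pin: str):
    """One authentication run; returns (accepted, transcript seen on the wire)."""
    t = token.commit(pin)
    c = server.begin(user, t)
    s = token.respond(c)
    return server.finish(user, s), (t, c, s)


def replay(server: Server, user: str, transcript) -> bool:
    """Eavesdropper re-sends a captured (t, s); the fresh challenge defeats it."""
    t, _c, s = transcript
    server.begin(user, t)
    return server.finish(user, s)


def lockout(token: Token, wrong_pin: str, correct_pin: str) -> bool:
    """After MAX_PIN_TRIES wrong PINs even the correct PIN is refused."""
    for _ in range(MAX_PIN_TRIES):
        try:
            token.commit(wrong_pin)
        except PermissionError:
            pass
    try:
        token.commit(correct_pin)
    except TokenLocked:
        return True
    return False
```

Note the order enforced by `Server.begin`: the commitment `t` must be recorded before the challenge is issued. A server that accepted `t` and `s` together after sending `c` could be fooled by anyone holding `y`, since they could choose `s` first and solve for a matching `t`. On a real token the same steps are driven through PKCS#11 or a vendor SDK rather than a Python class, but the division of labour is identical: the key material stays on the device and only the response crosses the USB cable.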



Data encryption

Typically, data is encrypted with a cryptographic key, and the key itself is encrypted with a password. The security of the whole scheme then rests entirely on the password, which, again, is not always complex or random, is typed on the keyboard, can be forgotten, and so on. With a token, there are two possible solutions:

1. The key is stored on the token and never leaves it. This is suitable only for small amounts of data, because the token's decryption speed is not high enough for bulk data. The attacker cannot extract the key.

2. The key is stored on the token, but for encryption it is loaded into RAM. This is how, for example, whole-volume encryption is done. Extracting the key is possible, but far from trivial; a password is much easier to steal.
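To make the contrast concrete, the following added example (constructed for this page, not code from the original post) wraps a 32-byte data-encryption key two ways: under a key derived from a password with PBKDF2, and under a key held inside a modelled token as in option 2 above, where the token releases only the data key into RAM after a correct PIN. The password-wrapped blob falls to an offline dictionary run with unlimited attempts, which is the "security rests entirely on the password" problem from the paragraph above and the 16-bit-versus-256-bit comparison from the password section; the token stops an online PIN guess at the third failure. Because Python's standard library has no AES, the wrapping itself is a small HMAC-SHA256 encrypt-then-MAC construction written for this example; a real deployment would use AES key wrap or AES-GCM and a far higher PBKDF2 iteration count than the demonstration value here. The wordlist, PINs and blob layout are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed wrapping format (demo only, stands in for AES-KW / AES-GCM):
#   blob = nonce || (DEK xor HMAC(KEK, "pad"||nonce)) || HMAC(KEK, "tag"||nonce||ct)[:16]
# HMAC-SHA256 yields 32 bytes, exactly one DEK, so the pad is a one-time
# keystream; the tag lets unwrap() tell a wrong KEK from a right one.
KEY_LEN, NONCE_LEN, TAG_LEN, SALT_LEN = 32, 16, 16, 16
PBKDF2_ITERATIONS = 1000     # deliberately low so the demo runs quickly


def wrap(kek: bytes, dek: bytes) -> bytes:
    assert len(kek) == KEY_LEN and len(dek) == KEY_LEN
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes):
    """Return the DEK, or None when the KEK is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


# Variant A: the usual scheme, KEK derived from a password.

def kek_from_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, KEY_LEN)


def wrap_with_password(password: str, dek: bytes) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)
    return salt + wrap(kek_from_password(password, salt), dek)


def dictionary_attack(blob: bytes, wordlist):
    """Offline guessing: nothing limits the attempts.
    Returns (password, dek, guesses) or (None, None, guesses)."""
    salt, wrapped = blob[:SALT_LEN], blob[SALT_LEN:]
    for n, word in enumerate(wordlist, 1):
        dek = unwrap(kek_from_password(word, salt), wrapped)
        if dek is not None:
            return word, dek, n
    return None, None, len(wordlist)


# Variant B: KEK held on a token (option 2: only the DEK reaches RAM).

class TokenLocked(PermissionError):
    pass


class TokenKek:
    """Models a token whose KEK never leaves; the DEK is released after a PIN."""
    MAX_TRIES = 3            # assumed retry limit, as in the article

    def __init__(self, pin: str):
        self._kek = secrets.token_bytes(KEY_LEN)
        self._pin, self._tries = pin, self.MAX_TRIES

    def _check_pin(self, pin: str) -> None:
        if self._tries == 0:
            raise TokenLocked("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1
            if self._tries == 0:
                raise TokenLocked("token locked")
            raise PermissionError("wrong PIN")
        self._tries = self.MAX_TRIES

    def wrap(self, pin: str, dek: bytes) -> bytes:
        self._check_pin(pin)
        return wrap(self._kek, dek)

    def unwrap(self, pin: str, blob: bytes):
        self._check_pin(pin)
        return unwrap(self._kek, blob)


def pin_guessing(token: TokenKek, blob: bytes, pins):
    """Online guessing against the token: stops dead at the retry limit.
    Returns (dek_or_None, attempts_made)."""
    attempts = 0
    for pin in pins:
        attempts += 1
        try:
            return token.unwrap(pin, blob), attempts
        except TokenLocked:
            break
        except PermissionError:
            continue
    return None, attempts
```

Run with a realistic wordlist and iteration count, variant A is a matter of hardware budget: every guess is a PBKDF2 computation the attacker performs on their own machines, in parallel, forever. Variant B gives the attacker three guesses against a device that then refuses even the right PIN, and the KEK itself is never in the blob or in RAM to be attacked offline.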



Of course, solutions built on tokens have a price, but fortunately it is paid in rubles rather than in nerves and time. Although tokens contain a full arsenal of cryptographic operations that are hard for most users to understand, using the token itself is easy and intuitive. The token really does not require the user to have special knowledge or a deep understanding of the mechanisms inside it, and it has the potential to replace passwords and everything associated with them.



Conclusion



I am sure that as token-based solutions spread, it will be possible to avoid many unpleasant incidents related to password theft and to raise the overall level of security.

I sincerely hope readers have questions, because I have said very little about tokens here. I will gladly answer them in the comments!

Source: https://habr.com/ru/post/126828/


