Login/Register
How Do Hardware Token Devices work? [closed]
Asked Answered
Solved hashcryptographyhmactwo-factor-authenticationone-time-password
R

1

39

Recently, my bank sent me this tiny device that generates a unique code that must be used when performing online transactions, all the device does is generate this unique code when I press a particular white button and it doesn't look like it connects to a remote server or anything of such.

I did some research and ended up in cryptography with something called the Hash function but I still don't get it.

My Questions

  • How does my bank's servers know the code generated by this device is correct?
  • Since it just generates five random digits every 30 seconds, why won't the server authenticate a random number I have also decided to use?
Reptile answered 11/8, 2014 at 17:26 Comment(6)
If it's time based the obvious choice is TOTP, if it generates on each button press the obvious choice is HOTP. (They're essentially the same thing, the former using the time, the latter a counter)Bookrest
Actually, it generates the digits on a time-based interval, if I press the button for it to generate the digits, it generates the digits and after about 25 seconds, I press it again, the digits change not when I press it again immediately after I'd just pressed it.Reptile
This question appears to be off-topic because it is not about programming.Gales
It may also interest you that some two-factor authentication schemes actually receive a code from the server, usually via a cell phone over SMS. The idea is that if you're in possession of your phone, you're more likely to be you than not. This can make use of any number of encryption schemes to ensure that the transmissions are not intercepted.Brython
I'm voting to close this question as off-topic because it's not a programming question. Try Information Security instead.Ecbolic
I’m voting to close this question because it's not a programming question.Vanhouten
B
54

This has very little to do with hash functions. A cryptographic hash function may be part of the implementation, but it's not required.

Actually, it generates the digits on a time-based interval, if I press the button for it to generate the digits, it generates the digits and after about 25 seconds, and I press it again, the digits change not when I press it again immediately after I'd just pressed it.

There's your hint. It's a time based pseudo-random or cryptographic algorithm. Based on the time, there is a code. The dongle and the server know – or rather, can compute – the code for every window. This is a shared secret - the dongle does not connect to a remote server. The server will probably allow one or two of the most recent secret keys, to prevent the situation where you enter a key that has just expired while the transmission was en route.

(Although my recent experience with Amazon Web Service multi-factor authentication has definitely resulted in login failures within 5 seconds of a code being displayed to me. In other words, some vendors are very strict with their timing windows. As always, it's a trade-off between security and usability.)

The abbreviations CodesInChaos mention are Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP), two algorithms commonly used in two-factor authentication.

Wikipedia has this to say about the RSA SecurID, a particular brand of two-factor-authentication dongle.

The RSA SecurID authentication mechanism consists of a "token" — either hardware (e.g. a USB dongle) or software (a soft token) — which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.

I chose this article because it has a reasonable, physical description; the higher-level articles focus on the theoretical over the physical implementation.

The article also confirms that you need to keep the secrecy of the token, or someone else can impersonate your logins by knowing what the codes are as easily as you do.

The token hardware is designed to be tamper-resistant to deter reverse engineering. When software implementations of the same algorithm ("software tokens") appeared on the market, public code has been developed by the security community allowing a user to emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code, and the original 64-bit RSA SecurID seed file introduced to the server.

However, since the verifying server has to have foreknowledge of the tokens, the two-factor secrets are vulnerable to attacks on the source as well. SecurID was the victim of a high-profile theft that targeted their own servers and eventually led to secondary incursions on their clients' servers as well.

Finally, there is more information available on the security.stackexchange sister-site under the multi-factor tag, and also on this site under the tag.

Brython answered 11/8, 2014 at 18:3 Comment(8)
I have a device from Rabobank, a bank in Netherland which displays all the information about my transaction before I approve. How is this enabled in the hardware device?Chiclayo
And you approve with a button push, not a code you type into their online transaction form? That would necessitate some form of 2-way communication on the device: wifi, bluetooth or cellular. Or maybe a lower-tech 2-way pager system. Do you have to charge this device or replace the batteries on it? @ChiclayoBrython
The comes with 2 AA batteries and I am using it for more than a year. So the procedure works as follows: For login, I insert the card, scan the QR code on the screen and type my password for authentication in the device. When I do a transaction, the system shows a QR code which I scan to get purchase info and authenticate. When I just say authenticate in the device, the system moves to the next screen stating the successful transaction (I don't type any code or scan anything. It is just a click in the device). I have tried this device from many countries and it works very reliably.Chiclayo
2 AA batteries sounds like it definitely has to be a pager. Pagers operate by radio signal: lower power, longer range and less bandwidth than cellular signal. I'm sure they have a very specific frequency modulation and encryption scheme, but your bank would be the one to ask for more details. They might be reluctant to disclose, but disclosure is the only way to know if they're actually securing your verifications.Brython
I googled about pager! I think this should be the only way they can communicate. But if there is a low-bandwidth comunication link all over the world with very less power consumption why it is not very popular??Chiclayo
It was very popular for a long time. But then cellular service got 'good enough', many people replaced their number-only pagers with voice-only cell phones, and then SMS took off in popularity in 2000. Text based 2-way paging doesn't really warrant carrying a 2nd device. It would be interesting to have a cell phone that was also hooked into a 2-way pager service, similar to how many cell phones were capable of both GSM and CDMA network connections when the techs were new and in more competition.Brython
But if I have a virtual MFA device e.g. Authy on my phone, how does Authy know to generate different tokens for the different accounts/websites/etc.? I guess the server and the MFA device or dongle exchange initially some piece of information... E.g. I scanned a barcode with Authy. Otherwise, if the generated tokens are [only function of the current time] they would be identical for all accounts you want to protect with MFA auth. So now my question is: what if I have a physical MFA device, how would it exchange some initial info with the server?Adulterous
You've got it, essentially. Each QR code that you scan is software token. Authy's own docs link out to this handbook article on Common Types of 2FA. A hardware token comes pre-loaded with the information in the QR code. When you set up a hardware token 2FA, you aren't taking new information from the provider; you instead tell the provider 'This is my hardware token', and they look up their copy of the secret and associate it with your account.Brython

© 2022 - 2024 — McMap. All rights reserved.