Internet-based communications have become ubiquitous in the modern world. With this success, however, have come major security issues. Problems of identity theft, man-in-the-middle attacks, spooking (spying), phishing (attempting to acquire sensitive information by fraud), and other types of computer crime are rampant, and much effort has been devoted to devising technological countermeasures to reduce the severity of these issues.
One large problem is eavesdropping, message alteration, or generation of false messages. This is often due to “man-in-the-middle” attacks, in which the attacker intercepts data packets (usually TCP/IP packets) as they are transmitted between a user's computer and a remote internet server. Alternatively, the attacker attempts to impersonate the remote internet server and trick the user into divulging sensitive information (phishing).
To cope with this type of attack, a number of standard secure cryptographic protocols, such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL), have been developed. In these protocols, the user's browser and the remote server first identify themselves (the user usually by means of a password, and the remote server by means of an authenticated certificate that is trusted). The user and server then negotiate a cryptographic protocol, and thereafter exchange data using the negotiated cryptographic protocol. SSL technology is now a common part of standard internet browsers, such as Internet Explorer 7.0, Firefox 2.0, Safari, Opera, and others.
One drawback of standard SSL and TLS methods, however, is that while the remote server is carefully authenticated, the user is not as carefully authenticated. Most commonly, users are authenticated only by various types of “secret” user passwords that are assumed to be known only by the user.
Unfortunately, modern attackers have become very sophisticated at stealing these passwords. Methods such as Trojans, key loggers, etc. can be set up to quickly and efficiently capture passwords and pass them to attackers on an almost real-time basis. Once an attacker acquires such passwords, the attacker can then impersonate the user, gain access to the remote website, and (ironically aided by TLS and SSL) download sensitive data, upload false data, gain access to bank and credit accounts, and in general cause a great deal of damage. Even user fingerprints can be lifted off a surface that the user touches, duplicated, and then used to trick fingerprint sensors.
To prevent this type of stolen password attack, companies such as Authenex Corporation, of Hayward, Calif., have introduced a second level of security, which additionally requires that the user also identify himself or herself by an item that the user possesses (“thing” protection). The concept is not unlike a bank requiring both a bank card (thing) and a user PIN to access an ATM account. By requiring that the user both know a secret and possess a specific item, the task of an attacker is made substantially more difficult.
Authenex produces a number of convenient miniature electronic “token” devices that plug into computers and provide electronic secrets and security keys (tokens) that ensure data security. These devices are about the size of a standard Universal Serial Bus (USB) memory dongle or car key, and in fact Authenex token devices often plug into a computer's USB port. Because these devices are small, they can be put on a keychain for convenient handling.
The Authenex A-Key 3200, for example, is a small device that provides public key (PKI) encryption by providing on-board 1024/2048-bit RSA key pair generation and X.509 digital certificates. The A-Key also performs symmetric key cryptography using AES 128-bit and 256-bit, DES, 3xDES, DES-X, MD5, and RC2 functions, as well as SHA-1 secure hashing algorithms. The A-Key exchanges secret security keys by plugging into a computer via a USB port, and the key allows users, assuming the computer itself is secure, to ensure that any hostile attacker who intercepts the A-Key encrypted data will not be able to decrypt the data.
Authenex also produces other security devices, such as the A-Key 4000 token, which allows users to store up to 1 gigabyte of data in a password-encrypted manner using a second key-sized USB token or dongle. A number of other A-Key USB security devices are also in development. These devices are described in US patent application disclosures 2003/0081774, 2004/0181673, 2004/0064740, 2004/0064706, 2005/0015588, 2005/0033995, 2006/0004974, 2006/0075486, and U.S. Pat. Nos. 7,191,344 and 7,231,526, and the contents of these disclosures are incorporated herein by reference.
Although effective, such physical security devices must be carried by the user. Like all physical objects, such physical security devices can be lost, misplaced, or stolen. Thus further improvements in providing convenient yet highly secure access to data, computers, and networks are desirable.