Difference between revisions of "Universal Serial Bus (USB)"

From MgmtWiki

Latest revision as of 09:19, 12 April 2019

Full Title or Meme

Nearly all computers and other portable devices now support a single Universal Serial Bus (USB) for both data and power.

Context

  • Legacy ports on computers were slow, and each was specific to a particular function: keyboard, mouse, audio in, audio out, RS-232 serial port or printer port.
  • Now, when a device is connected to a computer's USB port, it must identify itself (its device descriptor carries a vendor identifier, idVendor, and a product identifier, idProduct) so that the computer can recognize the device and locate the correct software driver.
  • The smart card had a similar serial interface with similar functionality. Since there were multiple card types, the card replies to a reset with an "Answer to Reset (ATR)", a byte string that identifies the card type and the protocol parameters it supports.[1]
  • New hardware Security Tokens for User Identifiers and Attributes are built to connect directly to the USB port and provide similar locator codes. These codes are reported by the device itself, so they are a hint for driver selection rather than proof of what the device is.

Problems

  • Since the first Smart Card was issued, portable identification devices have needed to present Locator Codes of some sort so that the host they attach to can load a software driver that supports the device.
  • Smart cards have worked well in controlled environments like governments, colleges and corporations. Consumers have never been willing to tolerate the complexity of the card and of the X.509 Certificate it needed.
  • The first attempt was to add a card reader to convert from Smart Card format to USB, but the added hardware was enough to impede consumer adoption.
  • Even if those early USB devices worked as designed, they were not recognized by the User Agent (browser) from companies like Microsoft, Apple and Google.

Solutions

  • Early, unsuccessful USB solutions put the User Identity into a Smart Card chip embedded in a USB fob, using the existing X.509 Certificate and Public Key Infrastructure.
  • The current solution started as a browser add-on from Google that allowed security keys plugged into the computer to be queried by the browser and to perform a function much like "Answer to Reset".
  • A similar solution for Smart Phones uses NFC or Bluetooth, explained elsewhere; neither provides a secure physical connection.
  • An alternate solution for devices with Trusted Execution Environments is to place the User Identifier and Attributes into a well-secured location within the device itself.

USB Security Tokens

This section considers one FIDO U2F Security Token in particular, although many other examples exist since the publication of the Web Authentication spec. For USB implementations the U2F Security Token presents itself as a HID (Human Interface Device) class device. The generic HID class driver ships with every mainstream operating system that has a USB stack, so no vendor-specific low-level USB driver needs to be installed on the computer.

The FIDO Alliance has its own HID Usage Page (0xF1D0), and within it a U2FHID Usage (0x01) is defined for the token's top-level collection. During U2FHID device discovery, all HID devices present in the system are examined, and those whose top-level collection matches this usage page and usage are treated as U2FHID devices. Discovery therefore keys on the usage page rather than on the vendor and product identifiers, so a token from any vendor is found without a driver or an allow-list of known devices.

  • Acquire a Yubico Touch U2F Security Token and attach it to a USB port on Windows.
  • The USB driver receives "USB Device Added" with the Locator Codes idVendor = 0x1050 (Yubico) and idProduct = 0x0120.
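The discovery rule and the first exchange with the token, as an added example in Python (not code from this page, from Yubico, or from the FIDO reference code): it filters a constructed HID enumeration by the FIDO usage page and U2FHID usage, frames a U2FHID_INIT request on the broadcast channel, validates a constructed device reply before adopting the channel id it assigns, and fragments a longer U2FHID_MSG into an initialization packet plus continuation packets. The usage page, usage, command bytes, packet layout and message limit are taken from the FIDO U2F HID protocol spec v1.2; the device list entries other than the Yubico VID/PID quoted above, the channel id 0x00010002, and the simulated device side of the handshake are constructed for the example.

```python
"""Added example: not code from the MgmtWiki page, Yubico or the FIDO reference code.

1. discovery: select HID interfaces by FIDO usage page / U2FHID usage, not VID/PID;
2. U2FHID_INIT on the broadcast channel, validating the reply before using its CID;
3. fragmenting a U2FHID_MSG into init and continuation packets.
The HID enumeration and the device's reply are constructed inline, so this runs
offline with no token attached.
"""
import os
import struct

# Constants from the FIDO U2F HID protocol specification (v1.2).
FIDO_USAGE_PAGE = 0xF1D0        # FIDO Alliance HID usage page
FIDO_USAGE_U2FHID = 0x01        # U2FHID usage for the top-level collection
HID_RPT_SIZE = 64               # report size for a full-speed USB HID device
CID_BROADCAST = 0xFFFFFFFF      # channel used for INIT before a real CID exists
TYPE_INIT = 0x80                # bit 7 set marks an initialization packet
U2FHID_INIT = TYPE_INIT | 0x06
U2FHID_MSG = TYPE_INIT | 0x03
CAPFLAG_WINK = 0x01
INIT_NONCE_SIZE = 8
INIT_DATA_SIZE = HID_RPT_SIZE - 7   # payload after CID(4) CMD(1) BCNT(2)
CONT_DATA_SIZE = HID_RPT_SIZE - 5   # payload after CID(4) SEQ(1)

# Constructed HID enumeration; field names follow hidapi's enumerate() dicts.
# VID 0x1050 / PID 0x0120 are the Yubico values quoted on the page, the rest
# are hypothetical. The second fob shows why VID/PID matching is not enough:
# its keyboard (OTP) interface and its FIDO interface share one VID/PID.
SAMPLE_HID_DEVICES = [
    {"vendor_id": 0x046D, "product_id": 0xC077, "usage_page": 0x0001, "usage": 0x02,
     "path": b"HID\\VID_046D&PID_C077"},                                # a mouse
    {"vendor_id": 0x1050, "product_id": 0x0120, "usage_page": FIDO_USAGE_PAGE,
     "usage": FIDO_USAGE_U2FHID, "path": b"HID\\VID_1050&PID_0120&MI_00"},
    {"vendor_id": 0x1050, "product_id": 0x0407, "usage_page": 0x0001, "usage": 0x06,
     "path": b"HID\\VID_1050&PID_0407&MI_00"},                          # keyboard interface
    {"vendor_id": 0x1050, "product_id": 0x0407, "usage_page": FIDO_USAGE_PAGE,
     "usage": FIDO_USAGE_U2FHID, "path": b"HID\\VID_1050&PID_0407&MI_01"},  # FIDO interface
]


def find_u2fhid_devices(devices):
    """Spec discovery rule: examine every HID interface, keep only those whose
    top-level collection has the FIDO usage page and the U2FHID usage."""
    return [d for d in devices
            if d["usage_page"] == FIDO_USAGE_PAGE and d["usage"] == FIDO_USAGE_U2FHID]


def build_init_packet(cid, cmd, data, total_len=None):
    """CID(4) CMD(1) BCNT(2, big-endian) DATA, zero-padded to the report size.
    BCNT is the length of the whole message, not of this packet's chunk."""
    if not cmd & TYPE_INIT or len(data) > INIT_DATA_SIZE:
        raise ValueError("bad command byte or oversized first chunk")
    total_len = len(data) if total_len is None else total_len
    return (struct.pack(">IBH", cid, cmd, total_len) + data).ljust(HID_RPT_SIZE, b"\x00")


def build_init_request(nonce=None):
    """Client side: U2FHID_INIT on the broadcast channel with an 8-byte random nonce."""
    if nonce is None:
        nonce = os.urandom(INIT_NONCE_SIZE)
    return nonce, build_init_packet(CID_BROADCAST, U2FHID_INIT, nonce)


def simulate_device_init_reply(request, new_cid):
    """Device side, constructed so the exchange runs offline: echo the nonce,
    allocate a channel id, report protocol version 2 and the WINK capability."""
    cid, cmd, bcnt = struct.unpack_from(">IBH", request, 0)
    if cid != CID_BROADCAST or cmd != U2FHID_INIT or bcnt != INIT_NONCE_SIZE:
        raise ValueError("malformed INIT request")
    nonce = request[7:7 + INIT_NONCE_SIZE]
    body = nonce + struct.pack(">IBBBBB", new_cid, 2, 1, 0, 0, CAPFLAG_WINK)
    return build_init_packet(CID_BROADCAST, U2FHID_INIT, body)


def parse_init_response(nonce, report):
    """Validate an INIT reply and return (cid, protocol_version, capabilities).
    The nonce check matters: several clients may INIT at once, and a reply that
    echoes someone else's nonce carries someone else's channel id."""
    if len(report) != HID_RPT_SIZE:
        raise ValueError("short HID report")
    cid, cmd, bcnt = struct.unpack_from(">IBH", report, 0)
    if cid != CID_BROADCAST or cmd != U2FHID_INIT or bcnt != INIT_NONCE_SIZE + 9:
        raise ValueError("not an INIT response: cid=%#x cmd=%#x bcnt=%d" % (cid, cmd, bcnt))
    body = report[7:7 + bcnt]
    if body[:INIT_NONCE_SIZE] != nonce:
        raise ValueError("nonce mismatch: reply belongs to another client")
    new_cid, version, _maj, _min, _build, caps = struct.unpack(">IBBBBB", body[INIT_NONCE_SIZE:])
    if new_cid in (0, CID_BROADCAST):
        raise ValueError("device assigned a reserved channel id")
    return new_cid, version, caps


def fragment_message(cid, apdu):
    """Split an APDU into one U2FHID_MSG init packet plus continuation packets
    (CID(4) SEQ(1) DATA(59)); SEQ counts from 0 with bit 7 clear, at most 128."""
    packets = [build_init_packet(cid, U2FHID_MSG, apdu[:INIT_DATA_SIZE], len(apdu))]
    rest = apdu[INIT_DATA_SIZE:]
    for seq in range(128):
        if not rest:
            break
        chunk, rest = rest[:CONT_DATA_SIZE], rest[CONT_DATA_SIZE:]
        packets.append((struct.pack(">IB", cid, seq) + chunk).ljust(HID_RPT_SIZE, b"\x00"))
    if rest:
        raise ValueError("message exceeds the 7609-byte U2FHID maximum")
    return packets


if __name__ == "__main__":
    for dev in find_u2fhid_devices(SAMPLE_HID_DEVICES):
        print("U2FHID device VID=%#06x PID=%#06x %s" % (dev["vendor_id"], dev["product_id"], dev["path"]))
    nonce, request = build_init_request()
    cid, version, caps = parse_init_response(nonce, simulate_device_init_reply(request, 0x00010002))
    print("channel %#010x protocol v%d wink=%s" % (cid, version, bool(caps & CAPFLAG_WINK)))
    print("200-byte APDU needs %d reports" % len(fragment_message(cid, bytes(200))))
```

To run this against a real token, replace SAMPLE_HID_DEVICES with the output of hid.enumerate() from the hidapi bindings and write each 64-byte report to the matching path; hidapi expects the report id as the first byte of every write (0x00 for a device without numbered reports), so each frame is sent as 65 bytes.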

Selected details about USB

  • The Microsoft Universal Serial Bus (USB) page has general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/
  • A good description of the Human Interface Device (HID) class is provided by Silicon Labs: https://www.silabs.com/documents/public/application-notes/AN249.pdf
  • USB Event Tracing for Windows: https://msdn.microsoft.com/en-us/windows/jj151577(v=vs.80)
  • How to capture a USB event trace with Logman: https://msdn.microsoft.com/en-us/windows/jj151573(v=vs.80)
  • Reference code for FIDO U2F created by Google (u2f-api-1.1.js), which most U2F-supporting Web Sites install essentially as-is: https://github.com/google/u2f-ref-code
  • FIDO specification for the U2F HID protocol: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-hid-protocol-v1.2-ps-20170411.html
  • Linux-USB list of all vendor IDs (Yubico = 1050): http://www.linux-usb.org/usb.ids

Selected sources of USB Late Binding Tokens

  • Titan: https://9to5google.com/2018/07/26/hands-on-google-titan-security-key-2fa/

References

  1. eft lab, Smart Cards - Answer To Reset (ATR). https://www.eftlab.co.uk/index.php/site-map/our-articles/169-demystifying-atr-answer-to-reset