Difference between revisions of "Universal Serial Bus (USB)"
From MgmtWiki
(→Context) |
(→Solutions) |
||
| (34 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
*Now when a device is connected to a computer USB port is must identify itself so that the computer can recognize that device and ensure it can locate the correct software drivers. | *Now when a device is connected to a computer USB port is must identify itself so that the computer can recognize that device and ensure it can locate the correct software drivers. | ||
*The smart card had a similar serial port with similar functionality. Since there were multiple card types, the card will "Answer to Reset (ATR)" with a locator code to identify it.<ref>eft lab, ''Smart Cards - Answer To Reset (ATR).'' https://www.eftlab.co.uk/index.php/site-map/our-articles/169-demystifying-atr-answer-to-reset</ref> | *The smart card had a similar serial port with similar functionality. Since there were multiple card types, the card will "Answer to Reset (ATR)" with a locator code to identify it.<ref>eft lab, ''Smart Cards - Answer To Reset (ATR).'' https://www.eftlab.co.uk/index.php/site-map/our-articles/169-demystifying-atr-answer-to-reset</ref> | ||
| − | *New [[Security Token]]s for [[User]] [[Identifier]]s and [[Attribute]]s are built to connect directly to the USB port and provide similar locator codes. | + | *New hardware [[Security Token]]s for [[User]] [[Identifier]]s and [[Attribute]]s are built to connect directly to the USB port and provide similar locator codes. |
==Problems== | ==Problems== | ||
| Line 12: | Line 12: | ||
* Smart cards have worked well for controlled environments like: governments, colleges and corporations. Consumers have never been willing to tolerate the complexity of the card and the [[X.509 Certificate]] they needed. | * Smart cards have worked well for controlled environments like: governments, colleges and corporations. Consumers have never been willing to tolerate the complexity of the card and the [[X.509 Certificate]] they needed. | ||
* The first attempt was to add a card reader to convert from [[Smart Card]] format to USB, but the added hardware was enough to impede consumer adoption. | * The first attempt was to add a card reader to convert from [[Smart Card]] format to USB, but the added hardware was enough to impede consumer adoption. | ||
| − | * Even if | + | * Even if those early USB devices worked as designed, they were not recognized by the [[User Agent]] (browser) from companies like Microsoft, Apple and Google. |
==Solutions== | ==Solutions== | ||
| − | * The | + | * Early, unsuccessful USB solutions put the [[User]] [[Identity]] into a [[Smart Card]] chip embedded in a USB fob using the existing [[X.509 Certificate]] and [[Public Key Infrastructure]]. |
| − | * A similar solution for [[Smart Phone]]s include NFC and Bluetooth, explained elsewhere, none of which provide a secure physical connection. | + | * The current solution started as a browser add-on from Google that would allow security keys that were plugged into the computer to be queried by the browser and perform a function just like "Answer to Reset". |
| + | * A similar solution for [[Smart Phone]]s include [[NFC]] and [[Bluetooth]], explained elsewhere, none of which provide a secure physical connection. | ||
* An alternate solution for devices with [[Trusted Execution Environment]]s is to place the [[User]] [[Identifier]] and [[Attribute]]s into a well-secured location within the device itself. | * An alternate solution for devices with [[Trusted Execution Environment]]s is to place the [[User]] [[Identifier]] and [[Attribute]]s into a well-secured location within the device itself. | ||
===USB Security Tokens=== | ===USB Security Tokens=== | ||
| + | This section will consider one [[FIDO U2F]] [[Security Token]] in particular, although many other examples exist with the publication of the [[Web Authentication]] spec. For USB implementations the U2F Security Token uses the HID (Human Interface Device Protocol) as that is implemented by all computer that have USB port, which means that the appropriate low level USB driver software is already installed on all of those computers. | ||
| + | |||
| + | A unique Usage Page is defined for the FIDO alliance and under this realm, a U2FHID Usage is defined as well. During U2FHID device discovery, all HID devices present in the system are examined and devices that match this usage pages and usage are then considered to be U2FHID devices. | ||
| + | *Acquire a Yubico Touch U2F [[Security Token]] and attach it to USB port on Windows. | ||
| + | *USB driver receives "USB Device Added" with Locator Codes: idVendor= 0x1050 and idProduct = 0x0120 | ||
| + | |||
| + | ===Selected details about USB=== | ||
| + | *The Microsoft Universal Serial Bus (USB) page has general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/ | ||
| + | *A good description of the HUMAN INTERFACE DEVICE (HID) is provided by Silicon Labs: https://www.silabs.com/documents/public/application-notes/AN249.pdf | ||
| + | *USB Event Tracing for Windows: https://msdn.microsoft.com/en-us/windows/jj151577(v=vs.80) | ||
| + | *How to capture a USB event trace with Logman: https://msdn.microsoft.com/en-us/windows/jj151573(v=vs.80) | ||
| + | *Source of reference code for FIDO U2F created by Google (u2f-api-1.1.js) which is installed on pretty much all U2F supporting [[Web Site]]s as is: https://github.com/google/u2f-ref-code | ||
| + | *FIDO specs for using USB HID https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-hid-protocol-v1.2-ps-20170411.html | ||
| + | * Linux-USB list of all vendor IDs (yubico=1050): http://www.linux-usb.org/usb.ids | ||
| + | |||
| + | ===Selected sources of USB [[Late Binding Token]]s=== | ||
| + | *Titan: https://9to5google.com/2018/07/26/hands-on-google-titan-security-key-2fa/ | ||
==References== | ==References== | ||
| + | |||
| + | [[Category:Identity]] | ||
| + | [[Category:Assurance]] | ||
Latest revision as of 10:19, 12 April 2019
Contents
Full Title or Meme
Nearly all computers and other portable devices now support a single Universal Serial Bus (USB) for both data and power.
Context
- Legacy serial ports on computers were slow speed and specific to a particular function, like: keyboard, mouse, audio in, audio out, serial RS232 port or printer port.
- Now when a device is connected to a computer USB port is must identify itself so that the computer can recognize that device and ensure it can locate the correct software drivers.
- The smart card had a similar serial port with similar functionality. Since there were multiple card types, the card will "Answer to Reset (ATR)" with a locator code to identify it.[1]
- New hardware Security Tokens for User Identifiers and Attributes are built to connect directly to the USB port and provide similar locator codes.
Problems
- Since the first Smart Card was issued, portable identification devices have needed to issue Locator Codes of some sort which allow the attachment to acquire a software driver to support the card.
- Smart cards have worked well for controlled environments like: governments, colleges and corporations. Consumers have never been willing to tolerate the complexity of the card and the X.509 Certificate they needed.
- The first attempt was to add a card reader to convert from Smart Card format to USB, but the added hardware was enough to impede consumer adoption.
- Even if those early USB devices worked as designed, they were not recognized by the User Agent (browser) from companies like Microsoft, Apple and Google.
Solutions
- Early, unsuccessful USB solutions put the User Identity into a Smart Card chip embedded in a USB fob using the existing X.509 Certificate and Public Key Infrastructure.
- The current solution started as a browser add-on from Google that would allow security keys that were plugged into the computer to be queried by the browser and perform a function just like "Answer to Reset".
- A similar solution for Smart Phones include NFC and Bluetooth, explained elsewhere, none of which provide a secure physical connection.
- An alternate solution for devices with Trusted Execution Environments is to place the User Identifier and Attributes into a well-secured location within the device itself.
USB Security Tokens
This section will consider one FIDO U2F Security Token in particular, although many other examples exist with the publication of the Web Authentication spec. For USB implementations the U2F Security Token uses the HID (Human Interface Device Protocol) as that is implemented by all computer that have USB port, which means that the appropriate low level USB driver software is already installed on all of those computers.
A unique Usage Page is defined for the FIDO alliance and under this realm, a U2FHID Usage is defined as well. During U2FHID device discovery, all HID devices present in the system are examined and devices that match this usage pages and usage are then considered to be U2FHID devices.
- Acquire a Yubico Touch U2F Security Token and attach it to USB port on Windows.
- USB driver receives "USB Device Added" with Locator Codes: idVendor= 0x1050 and idProduct = 0x0120
Selected details about USB
- The Microsoft Universal Serial Bus (USB) page has general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/
- A good description of the HUMAN INTERFACE DEVICE (HID) is provided by Silicon Labs: https://www.silabs.com/documents/public/application-notes/AN249.pdf
- USB Event Tracing for Windows: https://msdn.microsoft.com/en-us/windows/jj151577(v=vs.80)
- How to capture a USB event trace with Logman: https://msdn.microsoft.com/en-us/windows/jj151573(v=vs.80)
- Source of reference code for FIDO U2F created by Google (u2f-api-1.1.js) which is installed on pretty much all U2F supporting Web Sites as is: https://github.com/google/u2f-ref-code
- FIDO specs for using USB HID https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-hid-protocol-v1.2-ps-20170411.html
- Linux-USB list of all vendor IDs (yubico=1050): http://www.linux-usb.org/usb.ids
Selected sources of USB Late Binding Tokens
References
- ↑ eft lab, Smart Cards - Answer To Reset (ATR). https://www.eftlab.co.uk/index.php/site-map/our-articles/169-demystifying-atr-answer-to-reset
