Universal Serial Bus (USB)
Full Title or Meme
Nearly all computers and other portable devices now support a single Universal Serial Bus (USB) for both data and power.
- Legacy serial ports on computers were slow and each was specific to one function, such as keyboard, mouse, audio in, audio out, RS232 serial port or printer port.
- Now, when a device is connected to a computer USB port, it must identify itself so that the computer can recognize the device and locate the correct software drivers.
- The smart card had a similar serial port with similar functionality. Since there were multiple card types, the card would "Answer to Reset (ATR)" with a locator code to identify itself.
- New hardware Security Tokens for User Identifiers and Attributes are built to connect directly to the USB port and provide similar locator codes.
- Since the first Smart Card was issued, portable identification devices have needed to issue Locator Codes of some sort which allow the attachment to acquire a software driver to support the card.
- Smart cards have worked well in controlled environments such as governments, colleges and corporations. Consumers have never been willing to tolerate the complexity of the card and the X.509 Certificate they needed.
- The first attempt was to add a card reader to convert from Smart Card format to USB, but the added hardware was enough to impede consumer adoption.
- Even if the USB device worked, it was not recognized by the User Agent (browser) from companies like Microsoft, Apple and Google.
- Early, unsuccessful USB solutions put the User Identity into a Smart Card chip embedded in a USB fob using the existing X.509 Certificate and Public Key Infrastructure.
- The current solution started as a browser add-on from Google that would allow security keys that were plugged into the computer to be queried by the browser and perform a function just like "Answer to Reset".
- Similar solutions for Smart Phones include NFC and Bluetooth, explained elsewhere, neither of which provides a secure physical connection.
- An alternate solution for devices with Trusted Execution Environments is to place the User Identifier and Attributes into a well-secured location within the device itself.
USB Security Tokens
Selected details about USB
- The Microsoft Universal Serial Bus (USB) page has general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/
- A good description of the HUMAN INTERFACE DEVICE (HID) is provided by Silicon Labs: https://www.silabs.com/documents/public/application-notes/AN249.pdf
- Source of reference code for FIDO U2F created by Google (u2f-api-1.1.js): https://github.com/google/u2f-ref-code
- FIDO specs for using USB HID: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-hid-protocol-v1.2-ps-20170411.html
- Linux-USB list of all vendor IDs (yubico-1050): http://www.linux-usb.org/usb.ids
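The identification step described above, as an added example that is not from any of the linked projects: it parses the standard 18-byte USB device descriptor and resolves the vendor ID against a usb.ids-style list. The sample descriptor, the product ID 0000 and its name are constructed for illustration; only the vendor ID 1050 comes from this page.

```python
import struct

# Standard 18-byte USB device descriptor, little-endian fields.
DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")
DESC_TYPE_DEVICE = 0x01

# Constructed excerpt in the usb.ids layout: vendor lines start in column 0,
# product lines are indented with one tab. The product line is made up.
USB_IDS_SAMPLE = (
    "# comment lines start with '#'\n"
    "1050  Yubico.com\n"
    "\t0000  Example security key (constructed)\n"
)
# Constructed descriptor: USB 2.0, idVendor 0x1050, idProduct 0x0000.
SAMPLE_DESCRIPTOR = bytes.fromhex(
    "12 01 00 02 00 00 00 40 50 10 00 00 00 01 01 02 00 01")

def load_usb_ids(text):
    """Return {vendor_id: (vendor_name, {product_id: product_name})}."""
    vendors, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("\t\t"):
            continue  # blank, comment, or interface-level line
        ident, _, name = line.strip().partition("  ")
        try:
            num = int(ident, 16)
        except ValueError:
            current = None  # later sections of usb.ids (classes etc.)
            continue
        if line.startswith("\t"):
            if current is not None:
                vendors[current][1][num] = name.strip()
        else:
            current = num
            vendors[current] = (name.strip(), {})
    return vendors

def parse_device_descriptor(raw):
    """Validate length and type before trusting any field."""
    if len(raw) < DEVICE_DESC.size:
        raise ValueError("truncated device descriptor")
    f = DEVICE_DESC.unpack_from(raw)
    if f[0] != DEVICE_DESC.size or f[1] != DESC_TYPE_DEVICE:
        raise ValueError("not a device descriptor")
    return {"bDeviceClass": f[3], "idVendor": f[7], "idProduct": f[8]}

def identify(raw, ids):
    # The IDs are self-reported: they select a driver, they do not
    # authenticate the device.
    d = parse_device_descriptor(raw)
    name, products = ids.get(d["idVendor"], ("unknown vendor", {}))
    product = products.get(d["idProduct"], "unknown product")
    return "%04x:%04x %s / %s" % (d["idVendor"], d["idProduct"], name, product)
```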
Selected sources of USB Late-Binding Security Tokens
- eft lab, Smart Cards - Answer To Reset (ATR). https://www.eftlab.co.uk/index.php/site-map/our-articles/169-demystifying-atr-answer-to-reset