Universal Serial Bus (USB)
Full Title or Meme
Nearly all computers and other portable devices now support a single Universal Serial Bus (USB) for both data and power.
- Legacy serial ports on computers were slow speed and specific to a particular function, like: keyboard, mouse, audio in, audio out, serial RS232 port or printer port.
- Now when a device is connected to a computer USB port is must identify itself so that the computer can recognize that device and ensure it can locate the correct software drivers.
- The smart card had a similar serial port with similar functionality. Since there were multiple card types, the card will "Answer to Reset (ATR)" with a locator code to identify it.
- New hardware Security Tokens for User Identifiers and Attributes are built to connect directly to the USB port and provide similar locator codes.
- Since the first Smart Card was issued, portable identification devices have needed to issue Locator Codes of some sort which allow the attachment to acquire a software driver to support the card.
- Smart cards have worked well for controlled environments like: governments, colleges and corporations. Consumers have never been willing to tolerate the complexity of the card and the X.509 Certificate they needed.
- The first attempt was to add a card reader to convert from Smart Card format to USB, but the added hardware was enough to impede consumer adoption.
- Even if the USB device worked, it was not recognized by the User Agent (browser) from companies like Microsoft, Apple and Google.
- Early, unsuccessful USB solutions put the User Identity into a Smart Card chip embedded in a USB fob using the existing X.509 Certificate and Public Key Infrastructure.
- The current solution started as a browser add-on from Google that would allow security keys that were plugged into the computer to be queried by the browser and perform a function just like "Answer to Reset".
- A similar solution for Smart Phones include NFC and Bluetooth, explained elsewhere, none of which provide a secure physical connection.
- An alternate solution for devices with Trusted Execution Environments is to place the User Identifier and Attributes into a well-secured location within the device itself.
USB Security Tokens
This section will consider one FIDO U2F Security Token in particular, although many other examples exist with the publication of the Web Authentication spec. For USB implementations the U2F Security Token uses the HID (Human Interface Device Protocol) as that is implemented by all computer that have USB port, which means that the appropriate low level USB driver software is already installed on all of those computers.
A unique Usage Page is defined for the FIDO alliance and under this realm, a U2FHID Usage is defined as well. During U2FHID device discovery, all HID devices present in the system are examined and devices that match this usage pages and usage are then considered to be U2FHID devices.
- Acquire a Yubico Touch U2F Security Token and attach it to USB port on Windows.
- USB driver receives "USB Device Added" with Locator Codes: idVendor= 0x1050 and idProduct = 0x0120
Selected details about USB
- The Microsoft Universal Serial Bus (USB) page has general information: https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/
- A good description of the HUMAN INTERFACE DEVICE (HID) is provided by Silicon Labs: https://www.silabs.com/documents/public/application-notes/AN249.pdf
- Source of reference code for FIDO U2F created by Google (u2f-api-1.1.js) which is installed on pretty much all U2F supporting Web Sites as is: https://github.com/google/u2f-ref-code
- FIDO specs for using USB HID https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-hid-protocol-v1.2-ps-20170411.html
- Linux-USB list of all vendor IDs (yubico=1050): http://www.linux-usb.org/usb.ids
Selected sources of USB Late-Binding Security Tokens
- eft lab, Smart Cards - Answer To Reset (ATR). https://www.eftlab.co.uk/index.php/site-map/our-articles/169-demystifying-atr-answer-to-reset