Why use a Smartcard for (Two Factor) Auth instead of another medium?

Question

I recently installed Bitlocker on my Windows 8.1 machine, using only a password. I was thinking of getting something other than just a password for my storage drive, something physical, like a USB, SD Card, or Smart Card!

I've asked and poked around, and people claim the following:

When given the choice of a Smart Card and another storage medium for 2FA, or regular authentication, go for the Smart Card, as it is safer.

I can't really find why it would be safer, an encrypted SD Card switched to "read only" with the side switch would just be as safe as the Smart card, correct? (That is to say, a USB drive can be overwritten by Malware, etc.).

Is this advice accurate? Why or why not? Is a Smart Card indeed safer?

Answer 1

A smart card works by keeping a secret hidden and answering a challenge that proves it has the secret. It, theoretically, should never reveal that secret to anyone and it should be unrecoverable. There are some technical ways you might be able to get around it, but most of them are destructive to the card. This means you know if your smartcard has been compromised.

An encrypted USB drive or memory card on the other hand can simply be copied. There is no mechanism protecting it from being cloned by an attacker. There are some USB sticks that do provide hardware protection to prevent unauthorized access and these would make a more viable option, but it would be a toss up as to whether even those were as well protected as a good smartcard.

Answer 2

It's (theoretically) harder to duplicate a Smart Card. You can duplicate a USB drive easily.

If I steal both, you are equally in trouble, but if I steal the USB, duplicate it, then replace it without you knowing, then you are in trouble and you don't know it.

Answer 3

Disk encryption requires the host to keep or derive a master key which is kept somewhere in memory so that's your biggest issue. I've implemented aspects of the SafeNet ProtectFile product and other smart-card stacks so I'm intimately aware of the challenges.

Don't for a minute think you have any real security. There are "digital forensic devices" that snapshot and analyse system memory just by plugging a USB stick into a device port, they exploit USB hardware "bugs". Banks have been known to remove or Aryldyte USB ports on workstations because of these known problems. Its almost trivial to acquire the disk encryption key out of memory and then decrypt a hard disk with the tools that are available. This is one aspect of how law enforcement is able to gather evidence and bring criminals to justice.

For your particular use case, nothing is more secure than what you can hold in your head. So its a question of whether you think your brain is more likely to lose information than some piece of technology.

I would use a long meaningless phrase and change it periodically based on your level of paranoia. Pronounceable pass phrases are easier to remember and providing you use a long enough one you have better security than any device (including smartcards) can provide in this instance. I include Availability as a dimension of security and for personal use I prefer the Availability characteristics of my person more than flash which could be acquired if I am incapacitated. Enterprise's may prefer an alternate model that doesn't rely on wet-ware to be alive and functioning to maintain availability.

Smart-card messaging protocols cannot prevent a MITM attack between the card chip and the host computer without a pre-agreed secret (this is distinct from the card PIN and is actually used to protect message flow between card and host/computer) and there are many surreptitious ways to eavesdrop USB. Setting up this secret on all cards to be used on all machines/workstations represents a royal configuration nightmare in enterprise deployments, so it is rarely ever done and fixed well known keys built into the smartcard stack are used. Even if you did go to the trouble, you now have a secret installed in all over the place, so its hardly secret anymore. For this use case a smartcard is just hand-waving, and really no better than typing something on a keyboard, but it can fail more easily or be "lost"/"stolen".

So given a smartcard cannot give you more than keyboard level security in this particular use case, I would use either use a long pass-phrase or consider a read-only flash stick containing a large chunk of random data with a passphrase/password and make sure you keep a secure offline backup of that cheap Chinese flash!

Answer 4

I see two points:

1. you can set a PIN for Smartcards to unlock. Unlike passwords, this PIN can't be offline brute-forced, as long as the smartcard isn't opened and modified. It has protections built in to prevent this. They are not impossible to break, but they offer very good protection.

2. It depends on the configuration of the smartcard itself, but most likely you have an un-copyable (as in very hard to copy) smartcard. The content of USB-sticks however can always be copied, and when you try to introduce copy protection to USB-sticks you basically want to create a smartcard.

Answer 5

Reasons for why a smart card is preferred medium for protecting encryption keys (eg. authentication token for your encryption):

1. By design Smart Cards chip contents are very difficult to be extracted, not impossible but difficult, definitely in reach of state funded agencies, but inaccessible to masses.
2. If done correctly (using cryptographically safe pseudo random number generator, CPRNG for short) private keys are generated on the cards chip, which make them extra robust as there is no copy existing outside.
3. Usually smartcards are used with a public key infrastructure and contain a signed certificate that ensures additional security.
4. PIN and PUK codes are stored encrypted (again if implemented correctly) so it would be very difficult to store them.
5. Most of the cards have a fuse mechanisms built in the chip, which literally sends a spike of current to burn the wire used to write to the chip making a part of smart card storing the private key a read-only segment.
6. Considering that the private key is unique and signed certificate is managed by the PKI with registration authority validating your data and the CA issuing your certificate a smart card is truly something you "have" and the pin is something you "know" whereas other hardware solutions may be easy to copy or be extracted.
7. Smart cards allow for being managed the PKI should be able to revoke a certificate if you loose your card which should make it useless.

Having all 7 points in mind, you should know that its all theory and there are many pit falls you may fall in when using smart cards. Their safety is dependent on multiple factors. With most important of them being:

1. CA issuing the certificate should follow good standards for identity validation (Registration authority and registration officer should thoroughly check every request not to issue a rouge certificate).
2. The keys should be generated using good CSPNG.
3. PIN and PUK encryption keys should be well protected by the issuing authority (PKI standards).
4. A system validating your certificate should be configured for OCSP without a CRL fallback which is less secure as the CRLs tend to have long validity periods.

To answer you question, the Smart Card is not safer (than what?) and/or safe. Smart cards like any other security solution come with its own set of risks that need to be acknowledged, analyzed and mitigated or accepted. However, smart card is a robust security solution when implemented right compared to other devices. They also have a good track record and earned trust in the industry which is also important factor.

Answer 6

Nobody has mentioned how public and private keys work in a different context. So your private key gets stored with wherever you log in, and on the card/media device, public key is, well public but consists of prime numbers (RSA). When you go to log in if your key doesn't match the server where you logins key's on file you won't be able to log in despite having the correct login information. U2F.