One-factor authentication (user IDs and password) is still the most widely used method, primarily because it is simple, easy and there are no pieces of hardware to configure. But there are many applications where this is just not secure enough. In two-factor authentication, not only do users need to know a PIN but they also need to possess the correct token. This higher level of security, combined with the token's memory and cryptographic processing capabilities, makes it particularly attractive as a solution for many situations such as digitally signing documents and mails and authenticating the user remotely for access to corporate networks through VPNs.
Physically, the iKey 3000 token is small and purple, around the same size as a door key, with a USB plug at one end and a green LED and a key ring hole at the other. The plastic body has a fine finish and is fairly robust under normal circumstances, although the review sample could be prized apart fairly easily to reveal the printed circuit board and chips inside, wrapped in yellow transparent tape.
In situations where people wear tokens on a ribbon around their neck, the token should be fairly safe, but where this is not practical, it will probably end up on a key ring with the user's house and car keys - this also solves the problem of arriving at work without it. In these circumstances, the unprotected USB end is susceptible to damage, which if severe enough, could stop the token from fitting into the USB socket on the computer.
Inside, there is 32Kb of EEPROM of which 12Kb is used by the operating system, leaving approximately 20Kb - enough space to store a number of X.509 certificates and PGP keys. The iKey has a secure processor chip and runs the Giesecke & Devrient STARCOS SPK 2.3 operating system which has been ITSEC E4 High certified. Random number generation, generation and storage of keys, and resistance to known attacks are also part of the ITSEC E4 High evaluation. Public and private keys are generated on the token, as are all digital authentication and signing operations, thus precluding interception of private keys on the computer's USB port. The USB interface runs at 1.5M Baud, making key operations on a token with a few certificates on it take one to two seconds.
The iKey 3000 is supported by a number of operating systems, and supplied with drivers for: Windows 95 OSR 2.1 or above, Windows 98 SE, Windows NT 4.0 SP3 or above, Windows 2000, XP Home and XP Professional. In addition to this, a number of Linux distributions are also supported, with rpms for SuSE 8.1, Redhat 8.0 and 9, and Mandrake 9.1, allowing the user to integrate the token with SafeSign into Mozilla 1.3 and Netscape 4.8 with their respective mail clients.
Token initialization, PIN and certificates are managed with the SafeSign Token Management utility. First of all, a token is initialized with its new PIN, PIN unblocking key (PUK) and friendly name. The program insists that both the PIN and PUK must be between 4 and 8 characters long and will not allow you to proceed unless these conditions are met. With the initialization done, a key pair can be generated and a certificate obtained - by following the example with the token the curious can generate a free trial VeriSign certificate and then import it onto the iKey for demonstration purposes.
Right-clicking on the token and selecting 'Show Token Objects' from the menu displays the PKCS#11 dialogue box. This shows the publicly available information on the iKey such as label, serial number, status and so on, in addition to the token contents showing the certificates. Clicking on the 'Show All Objects' button forces the user to enter his or her PIN before private key information is displayed. Clicking on 'Show Registered Digital IDs.' displays the digital IDs, certificate contents and certificate path, allowing the user to see if any digital IDs will expire within the next 30 days.
The iKey integrates into Windows 2000, 2003 and XP's virtual private network, providing authentication and cryptographic information for a particular session. In addition to this, it integrates into a number of web browsers for authentication and signing web-based contracts, and mail clients for digital signing and encryption. These include, amongst many others: MS Internet Explorer 5.0, 5.5 and 6.0, Netscape Communicator 4.7, Navigator 4.72 - 4.8, Messenger 4.72 - 4.8, MS Outlook 98, 2000 and XP, MS Outlook Express 5.0, 5.5 and 6.0, and Baltimore MailSecure.
A typical area where security is enhanced by two-factor authentication is employees taking work home with them. Such a user might use a laptop with Windows XP Home edition and MS Outlook Express. To send a secured mail on such a system, users click on the 'Digitally sign message' and 'Encrypt message' icons; when they send the mail, the program asks for the PIN and the mail is sent. If entered incorrectly, a warning is displayed, stating that the token can be locked; this happens on the third consecutive incorrect PIN entry. A locked token can only be unlocked using the PUK.
The iKey 3000 is small and easy to use, providing an extra level of security that is necessary for so many applications. Its size makes it particularly convenient, with many users keeping it with their car keys so that they never go to work without it. By Paul Grosse