International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Security and Trust in Open Source Security Tokens

Authors:
Marc Schink , Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany
Alexander Wagner , Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany
Florian Unterstein , Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany
Johann Heyszl , Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany
Download:
DOI: 10.46586/tches.v2021.i3.176-201
URL: https://tches.iacr.org/index.php/TCHES/article/view/8972
Search ePrint
Search Google
Abstract: Using passwords for authentication has been proven vulnerable in countless security incidents. Hardware security tokens effectively prevent most password-related security issues and improve security indisputably. However, we would like to highlight that there are new threats from attackers with physical access which need to be discussed. Supply chain adversaries may manipulate devices on a large scale and install backdoors before they even reach end users. In evil maid scenarios, specific devices may even be attacked while already in use. Hence, we thoroughly investigate the security and trustworthiness of seven commercially available open source security tokens, including devices from the two market leaders: SoloKeys and Nitrokey. Unfortunately, we identify and practically verify significant vulnerabilities in all seven examined tokens. Some of them are based on severe, previously undiscovered, vulnerabilities of two major microcontrollers which are used at a large scale in various products. Our findings clearly emphasize the significant threat from supply chain and evil maid scenarios since the attacks are practical and only require moderate attacker efforts. Fortunately, we are able to describe software-based countermeasures as effective improvements to retrofit the examined devices. To improve the security and trustworthiness of future security tokens, we also derive important general design recommendations.
Video from TCHES 2021
BibTeX
@article{tches-2021-31282,
  title={Security and Trust in Open Source Security Tokens},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universit├Ąt Bochum},
  volume={2021, Issue 3},
  pages={176-201},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8972},
  doi={10.46586/tches.v2021.i3.176-201},
  author={Marc Schink and Alexander Wagner and Florian Unterstein and Johann Heyszl},
  year=2021
}