Using a hardware token for login

Question

I am new to the topic of cryptography and am studying PKI and PKCS etc. I understand the basic concept of PKI and how it is used for encryption/decryption. I am confused however about how a hardware token like a USB token or a smartcard is used for secure login to your computer. Here are steps as I understand them and the part I am confused by (sorry in advance for the question length):

Scenario: Computer xyz on the network contains data that only users who belong to the group SECRET can access. Users Bob and Joe are in this group and have been issued USB tokens that they can use to provide credentials that will enable them to access these resources. The USB token employs two-factor authentication and requires a pin to be input. The token is PKCS11 compliant.

1. Bob inserts the USB token into Linux machine
2. A PAM-PKCS11 module recognizes this event and prompts Bob to enter his pin.
3. Once Bob correctly enters his 4-digit PIN, the module checks for the validity of the certificate on Bob's token by (this varies, but what is minimum?):
   • Locating the root certificate to check for a trusted CA
   • Checking certificate validity dates and revocation lists
   • Matching ID on token against user file (where?, missing a step) or directory (LDAP, etc.)
4. If all looks good, module informs PAM of the successful result.
5. This line is labeled sufficient so PAM accepts authentication and Bob is logged in and can view information restricted to users from the SECRET group.

The part I am missing is where is the information stored about whether or not Bob can access this machine and how exactly he is tied to Bob the network (or even desktop) user. I understand that other identifying data about Bob will be stored on the USB including an ID (e.g., email address). However, how is this strong security? Where is crypto being employed during the login process, if at all (or is that not the real purpose of these tokens)? If someone gets hold of the USB and knows the 4-digit pin, that appears to be all that is needed, right? Moreover, is it essentially the trust in the CA that allows is to trust that another user can't get a new USB token and use a trusted CA to get a new certificate but specify all identifying data to be the same as Bob's? I know there is some critical part I am missing .. but after reading dozens of articles, explanation of this area seems glossed over. Is it a good idea to use a hardware token as a sufficient means for authentication to login to a machine containing sensitive data? Or is the purpose of such tokens primarily to securely store key pairs that are used in other applications?Thanks for your help!

Answer 1

PAM (as the name suggests) only handles Authentication. Authentication is about proving who the user is, i.e. "Prove to me who are who you say you are." This is seperate from Authorization which is, i.e. "Do you have access to this resource?".

There are three aspects to Authentication:
1. I Know
2. I Have
3. I Am

A typical username/password combination fits into 1. While a token, or other PKCS device, fits into 2, and biometrics such as iris recognition or fingerprint reading fits into number three.

The more of these aspects you have in your security the better/tighter the security is. In this case the login fits into 1 and 2 so is more secure than just a user name and passowrd. If someone was to get his pin out of him and steal his device then yes it won't proove that it is bob using it. But then neither would it if Bob gave his username and password to someone either.

The point of the token is to introduce the second factor of "having" something, the fact that you also need a PIN means that "knowing" something is also required. So the system can then have more confidence that the person is who they claim to be.

The missing part you are referring to is Authorization this as stated is a seperate process to Authentication and happens only after the user has authenticated themselves. In this case PAM has Authenticated Bob and provided confirmation to the OS that Bob is indeed using the system. However, the OS would then have to perform some other check in step 5 to confirm that Bob had access to the resource.