Bring Your Own Token (BYOT) to Replace the Traditional Smartcards for Strong Authentication and Signing

Conference: BlackHat EU 2019

Smartcards are a good way to enable strong authentication to enterprise networks and applications: they provide identification, authentication, and the ability to store cryptographic key material on the card using the embedded microchip and memory. Enterprises can provision a smartcard with a digital identity, in the form of an X.509 certificate uniquely associated with a user, to enable smartcard logon to servers and mutual TLS authentication to services. Traditionally, hybrid cards that provide both proximity-card and smartcard functionality are used for this purpose, so that users have a single card for facility access as well as for strong authentication to IT servers and applications. Using a single card as both proximity card and smartcard has limitations and challenges. Proximity cards can generally be pre-provisioned in bulk, because the user identity can be associated with the proximity ID after the card has been assigned to a user. For the smartcard function, however, the X.509 certificate provisioned to the card contains user information that must be known at provisioning time, which slows down the provisioning process. There are further challenges in issuing replacement or temporary cards for lost or misplaced cards.

This whitepaper describes the solution implemented at Cisco to replace traditional hybrid smartcards with a Bring Your Own Token (BYOT) model, overcoming the limitations and challenges of traditional smartcard solutions. The solution lets users bring their own USB tokens, compatible with the Personal Identity Verification (PIV) and Chip Card Interface Device (CCID) standards, and self-provision the digital identities needed for strong authentication, signing and other cryptographic functions.
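The trust relationship the BYOT model depends on, as an added Go example that is not part of the whitepaper or of Cisco's implementation: because the token is user-supplied, a relying party trusts the enterprise CA's certificate and the single user identity bound into it, not the device. The issuing CA, the user e-mail and the software-generated key standing in for the token's key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// parse turns CreateCertificate's (der, err) result into a parsed certificate.
func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Provision models the enterprise side: a constructed issuing CA signs a certificate that names one user
// (email SAN) for client auth. The token key pair is software-generated here only because no PIV hardware is involved.
func Provision(email string) (user, ca *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	if ca, err = parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)); err != nil {
		return nil, nil, err
	}
	tokenPub, _, _ := ed25519.GenerateKey(rand.Reader)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	user, err = parse(x509.CreateCertificate(rand.Reader, userTmpl, ca, tokenPub, caKey))
	return user, ca, err
}

// VerifyUserCert is the relying-party check: the token is user-supplied, so trust rests on the chain, the client-auth EKU and the single bound identity, never on the device.
func VerifyUserCert(cert, ca *x509.Certificate, expectedEmail string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != expectedEmail {
		return errors.New("certificate chains to the CA but is not bound to exactly the expected user")
	}
	return nil
}
```

Windows smartcard logon additionally expects the Smart Card Logon extended key usage and a UPN in the subject alternative name; this example checks only the client-auth EKU and the e-mail binding used for mutual TLS.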