Online Banking Security Series 1: domestic online banking USB Key security assessment

USB Key is a hardware storage device for USB interfaces. The USB Key is similar to a general USB flash drive. The difference is that it stores a single chip microcomputer or a smart card chip. the USB Key has a certain storage space and can store users' private keys and digital certificates, the USB Key's built-in public Key algorithm can be used to authenticate user identities. Currently, USB keys are widely used in online banking in China and are recognized as secure identity authentication technology.
USB keys are used as carriers of customers' digital certificates and private keys in online banking. It is extremely critical to identify users on the network. The primary key issue for online banking is security. Security is the foundation of everything. It is better to have online banking without security. According to some news, the theft of several hundred million yuan from a certain Chinese bank through online banking has brought a huge negative impact to online banking. This has caused people to doubt and worry about the security of USB Key online banking authentication.

This article will discuss in detail the security and possible risks and vulnerabilities of USB keys currently used by online banking in China from a technical point of view. Of course, the security of an online banking system involves a lot of theoretical knowledge, not only the comprehensive knowledge of the university course cryptography, but also the latest product developments of encryption locks and USB keys, it is not that simple to conduct a comprehensive online banking evaluation. This article also serves as an example for further discussion.

Industry security experts generally agree that USB keys are secure and reliable. Why are USB keys safe? At present, there are several important performance indicators that can demonstrate the Security of USB keys.

1. Hardware PIN protection

Hackers can log on to the system only by obtaining the USB Key hardware and PIN code of the user at the same time. Even if the user's PIN code is leaked, the user's identity will not be counterfeited as long as the user's USB Key is not stolen. If the user's USB Key is lost, because the hacker does not know the user's PIN code, he or she cannot impersonate a legitimate user's identity.

2. Secure storage media

The USB Key is stored in a secure medium and cannot be directly read by external users. The read/write and modification to the Key file must be called by the program in the USB Key. From outside the USB Key interface, no command can read, modify, update, or delete the content of the Key zone.

3. public key cryptography

The public Key cryptography system and digital certificate ensure the security of the USB Key from the perspective of cryptography. When the USB Key is initialized, the cryptographic algorithm program is first burned in the ROM, then, a pair of public/private keys are generated through a program that generates a public/private Key pair. After a public/private Key is generated, the public Key can be exported outside the USB Key, while the private Key is stored in the Key area and external access is not allowed. When digital signatures and asymmetric decryption operations are performed, password operations involving private keys can only be completed within the chip. during the entire process, the private Key does not come out of the USB Key medium, this ensures the security of digital certificate authentication with USB Key as the storage medium.

4. hardware implements encryption algorithms

The USB Key has a built-in CPU or smart card chip to implement various algorithms for data summarization, data encryption and decryption, and signature. The encryption and decryption operations are performed in the USB Key, this ensures that the user key does not appear in the computer memory.

The above points are the technical guarantee of USB Key security in theory. However, from the technical perspective, these security performance indicators often have some vulnerabilities that are easy to ignore.

1. Is the hardware PIN safe?

Currently, most banks use USB Key pins, which are input from computers. Therefore, hackers can directly intercept USB Key pins through Trojans, this is also a vulnerability in most USB keys. After knowing the PIN code, if you forget to remove the USB Key from your computer, the hacker can further use the PIN code to operate the USB Key. In a very extreme situation, when a personal user's computer is completely remotely controlled by hackers and all keyboard and screen operations are intercepted, is the current USB Key secure? I don't think so, because at this time, the USB Key PIN code may be intercepted by hackers. After a user completes a USB Key operation, if the USB Key is not immediately pulled out, then hackers are likely to forge a transaction during this period, and the USB Key and pin code can both be verified.

2. Is it true that the external cannot read the Internal Key of the Key?

The USB Key cannot be directly read from the outside theoretically. This "theory" refers to the absolute design security, if the person who designs and writes the USB Key OS COS leaves a backdoor on the COS, the person can read the internal Key from the outside.

3. Digital Certificate

The public key and password system is indeed very secure. It is difficult to crack through a complex certificate management system. But is the digital certificate issued by a third-party CA? Some banks have issued their own digital certificates, which severely compromises PKI Security Authentication.

4. How to ensure communication security

Although the USB Key has a built-in CPU or smart card chip to complete encryption operations, the data uploaded from the computer to the USB Key may still be intercepted and modified, the CPU built into the USB Key can only ensure its own operation security, but it is difficult to ensure that the data is not modified before it is passed in.

So what would the ideal secure USB Key look like?

1. For the current USB Key keyboard input PIN code vulnerability, you can use biotechnology (such as personal fingerprint) to replace the keyboard input PIN code.

That is to say, when a transaction is connected to a USB Key, we do not need to enter a PIN code on the keyboard to verify the identity. We only need to press the fingerprint on the USB Key device, you can automatically authenticate your personal identity. The security and practicality brought by this identity authentication mechanism is an improvement in the Cross-era. You can no longer forget your password. You only need to verify your fingerprint, fingerprint verification is performed on external devices. Even if the computer is under full control of hackers, the user's fingerprint cannot be captured, thus ensuring the uniqueness and security of the PIN code.

2. Prevent COS from leaving backdoors in design through management or auditing.

3. digital certificates should be issued by the CA, an authoritative third-party security certification institution independent of users and banks, and cannot be issued by banks themselves.

4. The transaction amount is input from the USB Key to prevent data tampering before being transferred to the USB Key.

If the above security measures are adopted, the security of the USB Key can be said to be "impeccable", and the actual security can be improved in essence.

Of course, I also know that a safer USB Key will inevitably lead to an increase in costs, which is not conducive to large-scale application promotion. At present, the cost of the usb key of the smart card has already exceeded 50 RMB, the price of USB keys released by commercial banks to the end customers is higher. For example, the cost of USB keys issued by China Merchants Bank is 88 yuan, while that of ICBC is 76 yuan, the cost of adding these new security measures is still quite large. In practical applications, it is feasible to require a low-cost alternative solution.

So how can we operate the existing USB Key more securely? My suggestions are as follows:

1. confirm with the bank that the digital certificate in the USB Key is unique and the user should carry the USB Key with him.

2. Scan the computer to check whether the computer has a trojan or is remotely controlled.

3. Do not access the USB Key on the computer, but only access the Key during transaction.

4. Access the USB Key during the transaction. after entering the PIN code, immediately remove the USB Key.

If you can use the USB keys of CMB and ICBC as recommended, you can also improve the security of existing hardware.

All in all, the main advantage of the current USB Key is that it has a CPU, similar to an encryption lock or dongle, and can perform encryption algorithm operations such as RSA. The private Key cannot be read, and the cost has a certain advantage, therefore, it is widely used in network authentication and other fields. More and more people will use USB keys as tools for daily financial management or other online transactions, as the earliest, most mature, and most promising online banking application in China in this field, we should keep up with each other in terms of technology and application to find a remedy for the potential security vulnerability of USB Key in a timely manner.