Informal security chat with our host Reece Guida, Beyond Identity's CTO Jasson Casey, Product Evangelist Nelson Melo, and special guest Kevin Korte, President of Univision North America Inc., on moving away from passwords.

Transcription

Reece

Hello, welcome. It's time for "Cybersecurity Hot Takes" with me your host, sales lady Reece Guida, and to my left, the one, the only, Nelson Melo. Who are you, Nelson? 

Nelson

Hey, I'm the founding engineer. 

Reece

Great, thanks. Jasson? 

Jasson

Thank you. I'm Jasson, CTO. 

Reece

There we go. And last but not least, coming from Austin, Texas. 

HB

Husnain Bajwa. Everybody calls me HB, and I do product strategy here. 

Reece

Amazing. So today's topic, credit cards. The hot take, are credit cards bad? No, I'm just kidding. The hot take for today is credit cards set the precedent for passwordless. Now, what exactly do I mean by that, Nelson? 

Nelson

Oh, man. So, this is me kind of trying to learn a little bit about Java cards and smart cards and realizing that I know very little about EMV and EMVCo. 

Jasson

What is EMV and EMVCo? 

Nelson

So, what I've learned since is that EMV stands for Eurocard, Visa, and MasterCard. It's a international kind of regulatory thing, just like FIDO that wrote the books on how to specify Java cards for the payment industry. EMVCo is that thing, and EMV is the set of standards that they put forward. 

There are four books that specify the whole thing, and I'm starting to read one of them because... 

Jasson

When were they written? 

Nelson

I think the early '90s, but they've been iterated on ever since. So, there's a few versions of it. And it's completely open. You can go get the four books and understand how that works. But it was interesting to me because I didn't know that SIM cards are a type of smart card. It's Java card and you can code it and you can build your own if you want. 

So, I wanted to hear everybody's thoughts on, you know, how fun is that. 

Jasson

So, I actually remember, I think it was late '90s when I saw the SIM cards as well as some of the new credit cards, and I saw this funky little contact pad design, right? So, like, chips are real small. When you wanna make contacts with certain things, you typically have this, almost like a facade or an adapter that makes things a little bit bigger. 

So you have interesting... Anyway, I was looking at it, and I was fascinated by the fact that, wait a minute, there's a JVM on this thing, and if I just walk through a system, it will either apply power or there's an induction coil in here that will produce enough power to make this thing execute long enough to sign a challenge. 

That's really freaking cool. 

Nelson

You know what's funny? They got no garbage collection. When you wanna create something and have it persist, all you have to do is keep a link to it. It's like reference counting, garbage collection. So, to delete something... 

Jasson

Sounds like global memory, but... 

Nelson

Yeah, so how you store stuff is with link lists. 

Jasson

Holy smokes, a world without garbage collection, a world where you have to manage references? 

Nelson

Ain't it kind of cool? 

Jasson

How could such a world exist? Yeah, it's super cool. 

Nelson

And there's a lot of research in how to reverse engineer, and how to...if you have physical access and you can decab the chip, how to figure out what stuff is stored. So, of course now you try to put stuff in different places and use layers of the chip to obfuscate where you're actually storing data. 

Kind of cool. 

Jasson

It is kind of wild to think that for the most part, we're really talking about 40-some-odd years ago. Some computer scientists, mathematicians first showed us a way how to make certain computations are easy in one direction or hard in another, and you could actually use that as a stand-in for a signature. 

And then in the '90s, we had the standard come out, and how we knew the appropriate person was using a card to pay for something using that technique, right? Basically, this little chip's got a key on it. It's basically signing something with that key. And fast forward to today, and, you know, TPMs, the Apple T2, like, it's not that dissimilar of at least a high-level architecture that's on the die, that's on the device that we're now using to log into stuff. 

Nelson

Yeah, I didn't know this. You can get credit cards with biometric readers now. 

Reece

Wait, wait, how does that work? 

Nelson

It's kind of fun. Like, if you Google... MasterCard actually sells a version, so if you're a bank, I guess you could go get one for yourself and give it to your customers. With a biometric reader, and it's powered by the reader, so it's contact, you have to insert it, but you have to be touching the reader while you're doing the transaction. 

Jasson

So, here's the interesting question, is it a local biometric? Like, is the biohash part of the guard to... 

Nelson

It is. 

Jasson

...like, key sign? 

Nelson

Yeah. 

Jasson

That's cool. That's pretty cool. And also very much in the spirit of a TPM. 

Nelson

Another thing I didn't know is YubiKeys are smart cards. So, how they build their entire architecture, they use the same kind of chips. They use Infineon chips, NXP chips, and they built on ISO 7816, which is the smart card contact standard. And you can download the Apple source code for a lot of Yubico stuff. 

They do PIV, they do TLTP generation. 

Jasson

I'd be surprised if they weren't trying to move beyond that though, and, like, adopt more of a TPM-style computation. Like, or... 

HB

It is surprising. 

Jasson

You didn't see that anywhere, huh? 

Nelson

No. So, they've evolved which chips they used over the last couple years. This is my understanding. Somebody did a comparison. They started with NXP chips, Titan 2. Sort of external TPM Google-built uses an NXP chip, and then they went to Infineon, and I think now they're doing something else. 

Jasson

Interesting. Interesting. So, yeah, NXP is part of the big roll-up with ARM, right? It was a Dutch company. And Infineon is one of the big manufacturers of TPM chips as well. In fact, I've got one on my desk back home playing with for a project. But, yeah, that's surprising. 

I'm really surprised... Well, we can conjecture about what other people are not doing all day long. 

Reece

I kind of wanna conjecture about what your project is. Top secret? 

Jasson

Oh, no, no, no. Actually, it's pretty simple. So, I have a hard time understanding a thing if I don't try and do it myself. So, like, for me, learning a new topic starts with reading stuff, starts with whiteboarding stuff, but ultimately has to culminate in building stuff. Otherwise, it just doesn't stick. The conceptual idea of a TPM is very easy to understand, but using some of the more advanced functions of a TPM are conceptually challenging, and I think it sticks a little bit better if you actually try and do it. 

So, there's this part of TPM chips called extended authorization policies. So to back up, right, TPM's like a little processor, you can construct a key in a TPM, and it lives in a little jail, assuming you set it up correctly, and the key will never come out of that jail. So, the really cool thing is that means the key's never in my computer's memory. It's never in my computer's file system, has a really tiny surface area that really involves attacking the chip itself, which usually ends up being destructive, which means it's a high-cost attack that requires physical access, blah, blah, blah. 

So, using that key is... So, that part makes sense. But there's this thing called the extended authorization policies, where you can basically say, you can instruct the TPM to only allow the key to be used under certain circumstances. And there's simple circumstances that we've kind of covered already. Like, you could maybe tie a pin to the key, you could tie a biometric to the key, but EA or extended authorization policies is a little logic language. 

And so it actually has conjunctions, it has disjunctions, and you can build a chain of these sorts of things. And it has counters, so you can create a key that only could be used on Tuesdays. But some of the more advanced things you can do is you can tie into these registers called PCRs. Every time I try and recreate what PCR stands for, I keep thinking of polymerase chain reaction, which is not what it is. 

Reece

Same. 

Jasson

So, is it program counter register? I always forget. But the point of the PCR is it's this cyclic check...or it's this, like, a checksum, a cryptographic checksum. And when the TPMs reset, the registers are all zero, and every time you call this operation called Extend, it basically takes whatever values in the register, whatever value you're passing it can be used as new checksum and stores that in the register. 

HB

I think this is awesome, right? Because, like, the reality is that 45 years ago, the seminal RSA paper gets written by a bunch of guys who are super young, and 45 years later, we can still work and truly understand all of the items involved in trusted computing from, like, a fundamental, like, level. 

So, that's been super cool in my opinion. Like, listening to Jasson's plans and what he's gone through. Going back to, like, what we were talking about with credit cards, right? 

Reece

The humble credit card. 

Jasson

Sorry. 

HB

No, no, no, like, around the same time that the RSA paper was being written was when debit cards were first having to put pin codes on themselves, and obviously at that time, they weren't able to do any of the modern tricks and tools that we used to get local pins and protected pins and all of this, like, unforgeable, physically unclonable kind of functions that go into, like, building HSMs and TPMs and all of these other kinds of, like, cool gadgets. 

But, like, you know, a lot of people... There's been a lot of talk about, like, CISA putting out guidance saying that PKI is not widely deployed or broadly available. I think the credit card industry and the GSM SIM card industry would kind of disagree. 

I think it's been traditionally kind of difficult, but X509, PKCS11, crypto key, smart cards, all of these stuff are really mature technologies that we simply were able to put together in a different kind of configuration. But billions of people use this, and I think it's important for people to remember that. 

Like, when Microsoft first started doing their passwordless initiatives and Bill Gates gets harassed for having said at an RSA conference that he was forecasting the death of passwords, his original idea was to support smart cards in Windows, and it was really, like, you know, a direct relationship to the credit card industry and the SIM cards that were super popular at the time. 

So I think it's really cool that we've been able to get to the point where that, like, really high-quality hardware storage that's found on the credit card is found in a much more configurable form in the computers. 

Nelson

And they did, right? So to VPN into Microsoft's network for a while, you got PCs with PCMCIA readers where you would drop in your employee batch that had a little smart card chip. That's how you would provide credentials for your VPN connection. 

Reece

That's so cool how all this technology is interconnected, and I love it when we travel back in time to reflect on where we started and where we are today and where we're gonna be with Jasson blazing the trail with his tinkering at home. 

Jasson

Math hasn't changed. 

Reece

Yeah, math is timeless. We are but mere mortals. And with that, I will leave you. Thanks for tuning in. Please like and subscribe. And my co-hosts said that they thought the good riddance thing was funny, so I'm gonna say it again, good riddance.