Bring Your Own Token (BYOT) to Replace the Traditional Smartcards for Strong Authentication and Signing

Presented at Black Hat Europe 2019, Dec. 4, 2019, 4:50 p.m. (50 minutes)

Smartcards are a good way to enable strong authentication to enterprise networks and applications, as they provide identification, authentication, and the ability to store cryptographic key information on the card using the embedded microchip and memory. Enterprises can provision smartcards with a digital identity, in the form of an X509 certificate uniquely associated with a user, to enable smartcard logon to servers and mutual TLS authentication to services. Traditionally, hybrid cards that provide both proximity card and smartcard functionality are used for this purpose, so that users can have a single card for both facility access and strong authentication to IT servers and applications.

There are some limitations and challenges with using a single card as both proximity card and smartcard. Proximity cards can generally be pre-provisioned in bulk, as the association of the user identity to the proximity ID can be done after the card is assigned to a user. For the smartcard, however, the X509 certificates provisioned to the card contain user information that must be known at provisioning time. This slows down the provisioning process. There are also other challenges related to issuing replacement or temporary cards for lost or misplaced cards.

This whitepaper describes the solution implemented at Cisco to replace the traditional hybrid smartcards with a Bring Your Own Token (BYOT) model and overcome the limitations and challenges of traditional smartcard solutions. The solution enables users to bring their own USB tokens that are compatible with the Personal Identity Verification (PIV) and Chip Card Interface Device (CCID) standards and to self-provision the digital identities needed to enable strong authentication, signing and other cryptographic functions.


  • Eric Hampshire - Information Security Architect, Cisco Systems, Inc.
    Eric Hampshire has worked at Cisco in the InfoSec department since 2000 and was involved with the evolution of Cisco's strong authentication service offerings throughout. First, he took over primary support of the SPA infrastructure in 2001 and began to advocate for smartcards in 2002. He peer coded the BYOT/CryptoID portal and client. He is now part of the Cisco internal PKI team providing PKI services to all facets of Cisco's business (manufacturing, IT, engineering, customers).
  • Karthik Ramasamy - Information Security Architect, Cisco Systems, Inc.
    Karthik Ramasamy has worked at Cisco since 2008 and is currently focused on providing the Software Signing, SecureBoot, and Private PKI services to all facets of Cisco's business (manufacturing, IT, engineering, customers). He was also a partner in crime in the design and development of the CryptoID program.

