WebFort Topics
- Security Challenges Addressed By WebFort
- Cryptographic Camouflage Using ArcotID
- WebFort Overview
- Architecture
- Features
- WebFort Clients
- Interfaces and SDK
- ArcotID Authentication using WebFort
- WebFort Administration Console
Arcot Confidential
Security Challenges Addressed By WebFort
Diagram (login page): Username field and Assurance Message; step 2: User-id entered by the user.
Diagram (spoofed-site scenario): user and target website over SSL; 2. capture UserID; 4. provide requested page; 5. provide SPOOFED page; 6. UNTRUSTED site rejection: match the domain with the trusted-site list and decline if matching fails. Two-factor strong authentication.
Scrambled Keypad
- Works on anti-keylogger technology
- Uses a virtual scrambled keypad
- Position of keys changes for every session and optionally for every keystroke
- Patented by Arcot
Cryptographic Camouflage
Private Key Protection without hardware
Cryptographic Camouflage
Private Key Protection
Diagram: ArcotID software key container holding the protected key (patented cryptographic camouflage), shown as 1E459FC479C3B41.
Each candidate key obtained with a PIN guess is a plausible result. The only way to determine the correct key is to sign a challenge and send it to the Authentication Server. If it is not the right key, the invalid-attempt counter is incremented.
ArcotID: Workflow
An unauthorized person gains access to a user's desktop.
In his attempt to log on he is challenged by the ArcotID. He assumes that this device is only protected by a password or PIN...
...but it is also protected by Cryptographic Camouflage.
The brute-force attack looks for the combination of characters that will produce... (diagram: candidate PINs 456789, 567890, 678901, 789012, 890123)
To his surprise, every combination produces what appears to be a... (diagram: one key for each of 567890, 678901, 789012, 890123)
In fact, a 6-digit numeric PIN would produce 1 million keys (diagram: 123456, 234567, 345678, 456789, 567890, 678901, 789012, 890123).
The only way to determine which one is real... (diagram: 345678, 456789, 567890, 678901, 789012, 890123)
After 3 attempts the ArcotID is disabled, and an email alert is sent for security.
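The camouflage slide and the workflow above describe the mechanism in prose. The Python model below is an added example written for this page, not Arcot's code, and it shows the same behaviour end to end: a key container from which any PIN yields a plausible-looking key, a Schnorr-style signature on a server challenge, and a server that keeps the invalid-attempt counter, disables the ArcotID after 3 failures and records the alert; it also goes slightly beyond the workflow slides by applying the challenge timeout listed under Authentication Configuration. The group parameters (P, Q, G), the PBKDF2 pad, all class and function names, the 16-byte challenge and the 60-second timeout are assumptions made for the example, and the group is deliberately tiny so the arithmetic is readable. One caveat the model makes visible: the only party able to tell the real key from a plausible one is whoever holds the public key, so the slide's "only the server can tell" property holds as long as the public key stays on the authentication server and is never shipped inside the container.

```python
# Toy model of cryptographic camouflage and the server-side checks the slides describe
# (challenge, invalid-attempt counter, lock-out after 3 failures, alert). Constructed for
# this page; not Arcot's implementation. The Schnorr group is tiny and unfit for real use.
import hashlib
import os
import secrets

P = 2039  # prime, P = 2*Q + 1 (a safe prime)
Q = 1019  # prime order of the subgroup generated by G
G = 4     # generator of the order-Q subgroup (a quadratic residue mod P)

def pin_to_pad(pin: str, salt: bytes) -> int:
    # Every PIN maps to a scalar in [0, Q). Nothing in the container (no padding,
    # no checksum) can betray a wrong PIN without talking to the server.
    raw = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)
    return int.from_bytes(raw, "big") % Q

def camouflage(private_key: int, pin: str, salt: bytes) -> int:
    # The software key container: the private scalar offset by the PIN pad.
    return (private_key + pin_to_pad(pin, salt)) % Q

def uncamouflage(container: int, pin: str, salt: bytes) -> int:
    # A candidate key for ANY PIN, right or wrong; always a valid-looking scalar.
    return (container - pin_to_pad(pin, salt)) % Q

def _e(r: int, challenge: bytes) -> int:
    # Hash the challenge to a non-zero scalar so a wrong key can never verify by accident.
    h = hashlib.sha256(r.to_bytes(2, "big") + challenge).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def sign(private_key: int, challenge: bytes) -> tuple:
    # Schnorr signature (r, s) on the challenge with whatever key the PIN produced.
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + _e(r, challenge) * private_key) % Q

def verify(public_key: int, challenge: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (1 <= r < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == (r * pow(public_key, _e(r, challenge), P)) % P

class AuthServer:
    # Holds the public key (so only it can tell real from plausible) and the policy
    # knobs from the administration slides: max auth attempts and challenge timeout.
    def __init__(self, public_key: int, max_attempts: int = 3, challenge_timeout: float = 60.0):
        self.public_key = public_key
        self.max_attempts = max_attempts
        self.challenge_timeout = challenge_timeout
        self.failures = 0
        self.disabled = False
        self.outstanding = {}  # challenge -> time issued
        self.alerts = []       # stands in for the e-mail alert on the slide

    def get_challenge(self, now: float) -> bytes:
        challenge = os.urandom(16)
        self.outstanding[challenge] = now
        return challenge

    def verify_signed_challenge(self, challenge: bytes, sig: tuple, now: float) -> str:
        if self.disabled:
            return "disabled"
        issued = self.outstanding.pop(challenge, None)  # one-shot: a replayed challenge is unknown
        if issued is None or now - issued > self.challenge_timeout:
            return "expired"
        if verify(self.public_key, challenge, sig):
            self.failures = 0
            return "ok"
        self.failures += 1  # the invalid-attempt counter from the camouflage slide
        if self.failures >= self.max_attempts:
            self.disabled = True
            self.alerts.append("ArcotID disabled after %d failed attempts" % self.failures)
            return "disabled"
        return "fail"

def enroll(pin: str) -> tuple:
    # Issuance: the client keeps the camouflaged container and salt; the server keeps
    # only the public key.
    private_key = secrets.randbelow(Q - 1) + 1
    salt = os.urandom(16)
    return camouflage(private_key, pin, salt), salt, AuthServer(pow(G, private_key, P))

def attempt(server: AuthServer, container: int, salt: bytes, pin: str, now: float) -> str:
    # Client side of the flow: derive the key from the PIN, fetch a challenge, sign, send.
    challenge = server.get_challenge(now)
    return server.verify_signed_challenge(challenge, sign(uncamouflage(container, pin, salt), challenge), now)

def run_demo(real_pin: str = "123456") -> dict:
    container, salt, server = enroll(real_pin)
    real_key = uncamouflage(container, real_pin, salt)
    pins = ["%06d" % n for n in range(0, 1_000_000, 111_111)]  # 000000, 111111, ..., 999999
    keys = [uncamouflage(container, p, salt) for p in pins]
    # Three wrong PINs whose candidate differs from the real key (collisions are an artefact
    # of this 1019-element toy group and do not occur with a real-size key).
    wrong = [p for p, k in zip(pins, keys) if k != real_key][:3]
    return {
        "all_candidates_plausible": all(0 <= k < Q for k in keys),
        "correct_pin": attempt(server, container, salt, real_pin, now=100.0),
        "wrong_pins": [attempt(server, container, salt, p, now=100.0) for p in wrong],
        "after_lockout": attempt(server, container, salt, real_pin, now=100.0),
        "alerts": len(server.alerts),
    }
```

run_demo() walks the workflow: the real PIN is accepted, three wrong PINs give "fail", "fail", "disabled", and after that even the real PIN is refused while one alert has been recorded. The challenge dictionary is one-shot, so a signed challenge that is presented twice, or after the timeout, is reported as "expired" without touching the attempt counter.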
ArcotID: Versatile
ArcotID Storage:
- Data file loaded onto a device
  - PC, BlackBerry or mobile phone
  - Optional device-locking to a particular system
- Data file loaded onto a USB drive for portability
- Downloaded for on-demand roaming access
Martin E. Hellman, Professor Emeritus (Inventor of PKI), Stanford University
* US Patent 6,170,058. Other Arcot patents include 6,209,102, 6,263,446, 6,895,391, 6,908,030, 6,928,427, 6,959,303, 6,956,950.
WebFort Overview
WebFort Introduction
WebFort is a universal authentication server:
- ArcotID authentication
- UserID/Password
- Q and A
- One Time Password
- Custom authentication schemes
WebFort is a 100% software-based solution
Single centralized administration
Seamless integration with existing user credential repositories
Support for open standards
FFIEC, SOX and HIPAA compliant
WebFort Architecture
The framework is the backbone for all common functionality: caching, database failover, and the interface with authentication protocols and authentication mechanisms. The pluggable architecture minimizes impact on existing components.
Diagram (architecture): Authentication Protocols (ASSP, Proprietary, Kerberos) and Authentication Mechanisms plug into the WebFort Server, which reaches the SQL DB through a JDBC driver. Surrounding components: Web Services Client, Issuance Web Service API, Issuance Web App, Login Web App, Authentication Web Service API.
Diagram (deployment): WebFort Server with JRE / JDK, JDBC driver, ODBC client and ODBC driver. Key: prerequisite component; WebFort-provided component; sample JSP or customer app.
WebFort Features
Support for multiple authentication protocols, for ease of deployment in a variety of scenarios:
- Supports Proprietary and Adobe Signature Service Protocol (ASSP)
- Support for RADIUS and OATH
WebFort supports multiple types of credentials, including:
- ArcotID
- QnA
- Password
- Kerberos (token verification only)
Each credential is implemented as a separate module (DLL or SO) that is loaded dynamically.
- Supports SASL during authentication; the current SASL support is enabled via ASSP
- Supports SAML for returning successful authentication; currently, support for SAML is enabled via ASSP
- Supports SOAP 1.2 and Axis 2.0 for Web Services, available for issuance and authentication
Built for high availability and reliability:
- Stateless instances for ease of load balancing
- Failover at the database level
- Backup database and database connection pooling supported
Audit logging enables tracking of all authentication attempts: all authentication attempts, successes and failures, are logged in the database.
Multi-level file logging: file logging with multi-level control and fine-grained configuration. Log levels: Fatal, Warning, Info, Low.
Traveling user access:
- Secure roaming access to download an ArcotID
- Authenticate a roaming user: roaming Questions and Answers, UserID/Password, third-party integrations for OTP
Commonly used tables are cached in the servers. Cache refresh is done via a tool; a server restart is not required. The refresh reloads cached information such as System Configuration, Group, Sub-Group, File System Log Level, etc.
Database Features
WebFort Server supports a backup database and connection pooling to both the primary and the backup database. The minimum, maximum and increment number of connections can be configured on the server side. An AutoRevert feature is available to connect back to the primary DB after a failover.
Multi-DB Pooling (diagram)
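The database slides state the pool sizing knobs (minimum, maximum, increment), the backup database and AutoRevert in prose. The Python model below is an added example written for this page, not WebFort's code; it shows how those settings interact when the primary stops answering and when it comes back. The class and function names, the in-memory FakeDatabase stand-in, the test-on-borrow ping and the (server, id) handle representation are all assumptions made for the example.

```python
# Model of the database features on the slides: a connection pool with configurable
# minimum, maximum and increment, a primary and a backup database, failover when the
# primary stops answering, and AutoRevert to the primary once it is back.
# Constructed example for this page; not WebFort's code. The databases are fakes.

class FakeDatabase:
    # Stand-in for a database server: pings and connects succeed only while `up` is True.
    def __init__(self, name: str):
        self.name, self.up, self.opened = name, True, 0

    def ping(self) -> None:
        if not self.up:
            raise ConnectionError(self.name + " unreachable")

    def connect(self) -> tuple:
        self.ping()
        self.opened += 1
        return (self.name, self.opened)  # a connection handle: (server, id)

class FailoverPool:
    def __init__(self, primary, backup, minimum=2, maximum=6, increment=2, auto_revert=True):
        if not (0 < minimum <= maximum and increment > 0):
            raise ValueError("need 0 < minimum <= maximum and increment > 0")
        self.primary, self.backup = primary, backup
        self.minimum, self.maximum, self.increment = minimum, maximum, increment
        self.auto_revert = auto_revert
        self.active = primary
        self.idle, self.in_use, self.events = [], [], []
        self._grow(minimum)

    def size(self) -> int:
        return len(self.idle) + len(self.in_use)

    def _grow(self, n: int) -> None:
        # Open up to n more connections on the active server, never exceeding the maximum.
        n = min(n, self.maximum - self.size())
        self.idle.extend(self.active.connect() for _ in range(max(n, 0)))

    def _failover(self) -> None:
        # Drop idle handles to the dead server and rebuild the minimum on the other one;
        # raises ConnectionError if the other server is down as well.
        other = self.backup if self.active is self.primary else self.primary
        self.events.append("failover %s -> %s" % (self.active.name, other.name))
        self.active, self.idle = other, []
        self._grow(self.minimum)

    def _revert_if_primary_back(self) -> None:
        try:
            self.primary.ping()
        except ConnectionError:
            return
        self.events.append("autorevert -> " + self.primary.name)
        self.active, self.idle = self.primary, []
        self._grow(self.minimum)

    def acquire(self) -> tuple:
        if self.auto_revert and self.active is self.backup:
            self._revert_if_primary_back()
        try:
            self.active.ping()  # test-on-borrow: notice a dead server before handing out a handle
        except ConnectionError:
            self._failover()
        if not self.idle:
            self._grow(self.increment)
        if not self.idle:
            raise RuntimeError("pool exhausted (maximum=%d)" % self.maximum)
        conn = self.idle.pop()
        self.in_use.append(conn)
        return conn

    def release(self, conn: tuple) -> None:
        self.in_use.remove(conn)
        if conn[0] == self.active.name:  # handles to a server no longer in use are discarded
            self.idle.append(conn)

def run_demo() -> dict:
    primary, backup = FakeDatabase("primary"), FakeDatabase("backup")
    pool = FailoverPool(primary, backup, minimum=2, maximum=6, increment=2)
    c1, c2 = pool.acquire(), pool.acquire()  # uses the two initial connections
    c3 = pool.acquire()                      # pool grows by `increment` to 4
    grew_to = pool.size()
    primary.up = False
    c4 = pool.acquire()                      # primary dead: failover, handle comes from backup
    pool.release(c1)                         # stale primary handle is discarded, not pooled
    primary.up = True
    c5 = pool.acquire()                      # AutoRevert: back on the primary
    return {"grew_to": grew_to, "after_failover": c4[0], "after_revert": c5[0],
            "events": pool.events, "stale_discarded": c1 not in pool.idle}
```

The demo returns grew_to == 4, "backup" for the handle acquired during the outage, "primary" for the one acquired after AutoRevert, and the two recorded events. Asking for more handles than the configured maximum raises RuntimeError rather than opening an extra connection.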
WebFort Clients
Diagram: client types used for web authentication and VPN.
- Flash Client
- Native Client for Windows
- Java Signed Applet
- Java Unsigned Applet
- Embedded Client in Adobe Acrobat and Reader
Flash Client
Uses the widely adopted Adobe Flash Player (version 9 or higher) installed in most browsers. Creates a secure Flash storage to store the ArcotID either persistently or per session. The user experience is completely transparent during ArcotID authentication.
Native Client
The native client for Windows is an install package that includes the Arcot browser plug-in, the Arcot Cryptographic Service Provider (CSP), and the Arcot PKCS#11 module. It is supported on the Internet Explorer browser and can be embedded in Win32 applications.
Java Signed Applet
The signed Java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM). A security window is displayed when the signed Java applet is invoked for the first time.
Java Unsigned Applet
The unsigned Java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM). When using the Arcot unsigned Java applet, the user is not prompted with any security messages or warnings. The unsigned Java applet cannot store the ArcotID persistently.
Embedded Client in Adobe Acrobat and Reader
ArcotID Client functionality is embedded in the shipping versions of Acrobat 8 (and higher) and Adobe Reader 8 (and higher). This functionality enables ArcotIDs to be used to authenticate in order to digitally sign PDF files using a Roaming Digital ID.
WebFort Interfaces/SDK
Proprietary: Java APIs
- Client-server architecture
- Proprietary (binary packet based) protocol
- Web services interface (Java based)
- TCP connection pooling
- Database connection failover support
AuthXActionService (contd.):
- upVerifyPassword
- aidVerifySignedChallenge
- authTokenVerify
- aidVerifySignedData
- aidGetChallenge
- qnaVerifyAnswers
- qnaGetQuestions
- authGetPAM
ArcotID Authentication using WebFort
Diagram: the user enters the PIN; the private key is generated from the PIN + data on the wallet; the challenge is signed (encrypted) with the private key. 2. The signed challenge is sent to WebFort. 4. WebFort sends the security token to the bank. The diagram also shows the domain key and an HSM alongside WebFort.
WebFort Administration Console
Creating a User
The Enrollment form screen is used to create a user, who can then be assigned the role of an admin.
WebFort Configuration
- Domain Key Creation
- Server Protocol Setup
- Authentication Method Configuration
- Managing Credentials: Enable Credentials, Disable Credentials, Reset Credentials, Revoke Credentials
Authentication Configuration
Configuration for the various authentication parameters, such as:
- ArcotID/QnA authentication challenge timeout
- Auth token validity
- Max auth attempts
- Number of questions asked and required to be correct
Managing Credentials
Credentials can be temporarily disabled from the Disable Credentials screen. Disabled credentials fail all authentication attempts. To enable the credentials again, use the Enable Credentials screen.
Issuance Configuration
- Managing ArcotID Profiles
- Managing QnA Profiles
- Managing Password Profiles
- Assign Profiles
Managing ArcotID Profiles
The parameters for the ArcotID credential can be configured here, such as key strength and validity start and end date. The default is a key strength of 1024 bits and a 2-year validity.
Managing QnA Profiles
Parameters for the QnA-based authentication can be stored here: minimum and maximum QnA, case sensitivity, store as SHA-1 hash.
Managing Password Profiles
The minimum and maximum length for the password can be set here.
Assign Profile
The Profiles created in the earlier screens can be assigned to one of the two existing groups.
Questions?