Arcot WebFort Fundamentals

WebFort Topics
Security Challenges Addressed By WebFort Cryptographic Camouflage Using ArcotID WebFort Overview Architecture Features WebFort Clients Interfaces and SDK ArcotID Authentication using WebFort WebFort Administration Console

Arcot Confidential

Security Challenges Addressed By WebFort

Security Challenges Addressed By WebFort

Phishing Attacks Man-In-The-Middle (MITM) Key Loggers

Arcot Confidential

Phishing: Growing at 289% YOY

New Phishing Sites April 2005 to April 2006

Arcot Confidential

Phishing 1.0 A Common Attack

User gets an email apparently from their bank A new offer A security warning Threat of loss Request to enter personal information User clicks on link gets taken to phishing site Enters personal information Username / password Personal details DOB Account details

Arcot Confidential

Typical Solutions Against Phishing

Search and Destroy Banks search for sites that imitate their appearance and have them taken down Customer Education Security information advising against clicking on links Defeated by banks own marketing communications Site Authentication Shared secret for user to confirm that he is on the right site Page 1

Username

Page 2

Assurance Message

My Dogs Name is FIDO

Enter your password only if you recognize your Assurance Message Password
Forgot Password?

Arcot Confidential

Other Anti-Phishing Solutions

One Time Password [OTP] Generators Hardware tokens, scratch out lists, SMS Even if entered on wrong site, not usable after X seconds Partial Passwords Enter only part of the password 1st, 4th, 7th and 9th letters Enter select elements of a m*n matrix
- E.g. enter Row 2 Column 4, Row 3 Column 9 and Row 5 Column 7

Browser Enhancements Toolbars EV SSL Certs

8 Arcot Confidential

Phishing 2.0: Man-in-the-Middle

User clicks on link in a phishing email goes to MITM site MITM site connects with Bank and gets real pages MITM replays bank pages to User and User responses to Bank None of the existing solutions protect against MITM ! Only ArcotID can solve MITM
3. Verification Dialog 4. Verification Dialog 1. User-id
Man-in-the-Middle Attacker

2. User-id

Real Bank Site

@ User

Arcot Confidential

ArcotIDTM: Detects and Stops MITM

Safe End User MITM Spoofed Website
1. Send UserID 3. Request Page

Target Website

SSL
5. Provide SPOOFED Page

2. Capture UserID

SSL
4. Provide Requested Page

6. UNTRUSTED Site Rejection Match Domain with Trusted Site List Decline if matching fails Two-Factor Strong Authentication

10

Arcot Confidential

KeyLogger: Prevalent Attack

Rogue applications that capture key strokes and mouse clicks Can capture sensitive information such as: Account passwords Credit Card numbers

11

Arcot Confidential

Scrambled Keypad
Works on Anti-Keylogger technology Uses Virtual scrambled keypad Position of keys changes for every session and optionally for every keystroke Patented by Arcot

12

Arcot Confidential

Solving Security Challenges With Cryptographic Camouflage Using ArcotID

ArcotID: Patented Technology

Cryptographic Camouflage
Private Key Protection without hardware

Arcot Patented Technology DOI Bookmark http://doi.ieeecomputersociety.org/10.1109/SECPRI.1999.766915

14

Arcot Confidential

Cryptographic Camouflage

15

Arcot Confidential

Cryptographic Camouflage
Private Key Protection

Key Rule: Hex, Begins and Ends with 1

Standard Software Key Container

Protected Key:

Brute Force Library Attack

6 digit PIN, 1 million results

1E459FC479C3B41

X^b19(#h7CD39J5 156g*%k75y5B$ 17fn;hff43LqqkH xVI39#T\114ke 1E459FC479C3B41 hKDU&$g752NJHVD 1djfHBD7549hgd1

Patented Cryptographic Camouflage Patented Cryptographic Camouflage ArcotID Software Key Container
Protected Key:

Each is a plausible result. The only way to determine the correct key is to sign a challenge and send to the Authentication Server. If not the right key the invalid attempt counter is incremented.

Brute Force Library Attack

6 digit PIN, 1 million results

1E459FC479C3B41

1CE59A451B257C1 1DC1A4596B79B21 159CA7C8439BA31 1A964942B5AC5B1 1E459FC479C3B41 17675ABC59DE371 1996C2A7EF64DA1

16

Arcot Confidential

ArcotID : Workflow
An unauthorized person gains access to a Users desktop
If a

17

Arcot Confidential

ArcotID : Workflow
In his attempt to logon he If a challenged by the ArcotID is He assumes that this device is only protected by a password or PIN

18

Arcot Confidential

ArcotID : Workflow
..but it is also protected by Cryptographic Camouflage
If a

19

Arcot Confidential

ArcotID : Workflow

The hacker launches a offline brute force

If a

attack on the ArcotID

20

Arcot Confidential

ArcotID : Workflow
The brute force attack looks for the combination of characters that will produce
456789 567890 678901 789012 890123

If a

a well formed mathematically correct decrypted key

123456 234567 345678 456789 567890 678901 789012 890123

21

Arcot Confidential

ArcotID : Workflow
To his surprise... every combination produces what appears to be a
567890 678901 789012 890123

If a

valid mathematically correctly formed key

123456 234567 345678 456789 567890 678901 789012 890123

22

Arcot Confidential

ArcotID : Workflow
In fact, a 6 digit numeric PIN would produce 1 million keys
123456 234567 345678 456789 567890 678901 789012 890123

If a

123456 234567 345678 456789 567890 678901 789012 890123

23

Arcot Confidential

ArcotID : Workflow
The only way to determine which one is real
345678 456789 567890 678901 789012 890123

is to log onto the online application .and try it.

If a

123456 234567 345678 456789 567890 678901 789012 890123

24

Arcot Confidential

ArcotID : Workflow
After 3 attempts the ArcotID is disabled!
345678 456789 567890 678901 789012 890123

If a

123456 234567 345678 456789 567890 678901 789012

x
and an email alert is sent for security
Arcot Confidential

x
890123

25

ArcotID: Versatile
ArcotID Storage:
Data file loaded onto a device Data file loaded onto USB drive for portability Downloaded for on-demand roaming access
- PC, Blackberry or Mobile Phone - Optional Device-locking to a particular system

Arcot Client Software:

Flash Implementation Java Applet (signed or unsigned) Native PC Part of Adobe Acrobat 8 and Reader 8

Access anywhere, anytime (future)

- PC, Mobile Phones, Blackberry, PDA

26

Arcot Confidential

ArcotID One Credential

Multiple Uses
Strong Authentication PKI encrypted e-Statements Digital Signing

Web Portals VPNs

PDFs email MS Office

Arcot Confidential

27

ArcotID: Cryptographic Camouflage

Since the invention of public key cryptography twenty-five years ago, people have been struggling to secure the private key without the assistance of hardware. Arcot's innovative Cryptographic Camouflage* has solved this problem. Finally there is a cost-effective and convenient means to strongly authenticate users and transactions over the Internet without the need for cumbersome hardware.

Martin E. Hellman
Professor Emeritus (Inventor of PKI) Stanford University

* US Patent 6,170,058. Other Arcot Patents include 6,209,102, 6,263,446, 6,895,391, 6,908,030, 6,928,427, 6,959,303, 6,956,950.

28

Arcot Confidential

WebFort Overview

WebFort Introduction
WebFort is Universal Authentication server ArcotID authentication UserID/Password Q and A One Time Password Custom authentication schemes WebFort is 100% software based solution Single Centralized Administration Seamless Integration with existing user credential repositories Support for Open Standards FFIEC, SOX and HIPAA Compliant
30 Arcot Confidential

WebFort : The Universal Authentication Server

WebFort

Administration API Arcot Administration Console

31

Arcot Confidential

WebFort Enterprise Solutions

No additional effort for integration with VPN Infrastructure

Seamlessly interoperable with SignFort for digital signing solutions

32

Arcot Confidential

WebFort Platforms Supported

Operating Systems Microsoft Windows Server 2003 Sun Solaris 10 / 9 Databases Oracle 10g / 9i SQL Server 2000 / 2005 Application Servers TomCat 5.x WebSphere 6. x Third Party JDK 1.5.0x / 1.4.2x
33 Arcot Confidential

WebFort Architecture

WebFort Architecture: Authenticating Credentials

Designed for Scalability and Performance WebFort server is a Stateless server No user data is maintained in-memory Instead, an Encrypted Token with timestamp is generated Authentication Token generated for Single-Sign On (SSO) integration Proprietary algorithm

35

Arcot Confidential

WebFort Architecture: Issuing Credentials

Issues multiple credentials including ArcotIDs, Questions-Answers (QnA) and UserID/Password Supports Personal Assurance Message (PAM) to increase the user confidence Lifecycle Management capability for credentials Multiple Interfaces for Issuance: Java APIs and Web Services

36

Arcot Confidential

WebFort Architecture
Framework is the backbone for all Pluggable common functionality: Caching, Database Architecture failover, interface with authentication minimizes impact on protocols and authentication mechanisms existing components

Authentication Protocols

ASSP
Proprietary

ArcotID Authentication Service Framework QnA

Password

RADIUS OATH WebFort Server WebFort

Server Handles Bootstrapping, Threading and Communication Management Each authentication protocol and mechanism interfaces with the Authentication Service Framework
Arcot Confidential

Kerberos

37

Authentication Mechanisms

Single System Deployment

Single System Application Server Administration Console Issuance Web Service Issuance Java SDK Authentication Java SDK Authentication Web Service KEY
Prerequisite component WebFort provided component Sample JSP or customer app 38 Arcot Confidential

Web Services Client Issuance Web Service API Issuance Web App Login Web App Authentication Web Service API

JDBC Driver

SQL DB

WebFort Server

JRE / JDK ODBC Client ODBC Driver

Typical Deployment with Java APIs

System #3 Application Server Issuance Web App Issuance Java SDK Authentication Java SDK Login Web App JDBC Driver JRE / JDK System #2 Application Server Administration Console SQL DB System #1

WebFort Server
JRE JDBC Driver ODBC Client ODBC Driver KEY
Prerequisite component WebFort provided component Sample JSP or customer app

39

Arcot Confidential

Typical Deployment with Web Services

System #3 Application Server Issuance Web App Issuance Web Service API Authentication Web Service API Login Web App Web Services Client JRE / JDK System #2 Application Server Administration Console Issuance Web Service Authentication Web Service SQL DB System #1

WebFort Server
JRE / JDK JDBC Driver ODBC Client ODBC Driver KEY
Prerequisite component WebFort provided component Sample JSP or customer app

40

Arcot Confidential

WebFort Integration With Client Application

41

Arcot Confidential

WebFort Features

WebFort Server Features

Multiple authentication protocols Multiple authentication mechanisms Support for open standards High Availability and Reliability Audit Logging Roaming services Data Caching

43

Arcot Confidential

WebFort Features: Multiple Authentication Protocols

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

Support for multiple authentication protocols for ease of deployment in a variety of scenarios Supports Proprietary and Adobe Signature Service Protocol (ASSP) Support for RADIUS and OATH

44

Arcot Confidential

WebFort Features: Multiple Authentication Mechanisms

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

WebFort supports multiple types of credentials including ArcotID QnA Password Kerberos (token verification only)
Each Credential is implemented as a separate module, DLL or SO, that is loaded dynamically

45

Arcot Confidential

WebFort Features: Open Standards

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

Supports SASL during authentication The current SASL support is enabled via ASSP Supports SAML for returning successful authentication Currently, support for SAML is enabled via ASSP Supports SOAP 1.2 and Axis 2.0 for Web Services Available for Issuance and Authentication

46

Arcot Confidential

WebFort Features: RAS

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

Built for high availability and reliability Stateless instances for ease of loadbalancing Failover at Database Level Backup database and database connection pooling supported

47

Arcot Confidential

WebFort Features: Logging

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

Audit Logging enables tracking of all authentication attempts All authentication attempts, successes and failures are logged in database Multi-Level File Logging File logging with multi-level control with a fine-grain configuration Log Levels: Fatal, Warning, Info, Low

48

Arcot Confidential

WebFort Features: Roaming Services

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

Traveling user access Secure roaming access to download an ArcotID Authenticate a roaming user Roaming Questions and Answers UserID/Password Third party integrations for OTP

49

Arcot Confidential

WebFort Features: Data Caching

Features Multiple authentication protocols Multiple authentication mechanisms Support for open standards RAS Logging Roaming services Data Caching

Commonly used tables are cached in the servers Cache refresh is done via tool. Server restart is not required Refreshes cache for stored information such as System Configuration, Group, Sub-Group, File System Log Level, etc.

50

Arcot Confidential

Database Features
WebFort Server supports backup database and connection pooling to both primary and backup databases. The Minimum, Maximum and the Number of Connections to Increment can be configured at the server side. AutoRevert feature is available to connect back to the primary Db after a failover.

51

Arcot Confidential

Multi-DB Pooling

52

Arcot Confidential

WebFort Clients

ArcotID Client Capabilities

Flash Client ArcotID Roaming Download ArcotID Saved to Desktop ArcotID Saved to USB Drive Unsigned Java Applet Signed Java Applet Native Embedded in Adobe Reader

Web
Authentication

VPN

Digitally Sign Web Forms Digital Signing and Encryption

CSP (MS Office) & PKCS#11 (PDF)

Digital Signing w/ Roaming IDs Device Lock ArcotID

Stored in Flash secure object store, not available to copy onto USB, floppy, CD, etc Only for SSL connections through a web browser Can use an ArcotID stored on a USB drive, but can not save to USB 54 Arcot Confidential

WebFort Clients
Flash Client Native Client For Windows Java Signed Applet Java Unsigned Applet Embedded Client in Adobe Acrobat and Reader
55 Arcot Confidential

Flash Client
Flash Client Native Client Java Signed Applet Java Unsigned Applet Embedded Client in Adobe Acrobat and Reader

Uses the widely adopted Adobe Flash Player (version 9 or higher) installed in most browsers. Creates a secure Flash storage to store the ArcotID either persistently or per session. User experience is completely transparent during ArcotID authentication.

56

Arcot Confidential

Native Client
Flash Client Native Client Java Signed Applet Java Unsigned Applet Embedded Client in Adobe Acrobat and Reader

The native client for windows is an install package that includes the Arcot browser plug-in, Arcot Cryptographic Service Provider (CSP), and Arcot PKCS#11 module. Supported on Internet Explorer browser and can be embedded in Win32 applications.

57

Arcot Confidential

Java Signed Applet Client

Flash Client Native Client Java Signed Applet Java Unsigned Applet Embedded Client in Adobe Acrobat and Reader

The signed java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM) A security window is displayed when the signed java applet is invoked for the first time.

58

Arcot Confidential

Java Unsigned Applet Client

Flash Client Native Client Java Signed Applet Java Unsigned Applet Embedded Client in Adobe Acrobat and Reader

The unsigned java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM). When using the Arcot unsigned Java applet, the user will not be prompted with any security messages or warnings. Unsigned Java Applet cannot store ArcotID persistently.

59

Arcot Confidential

Embedded Client in Adobe Acrobat and Reader

Flash Client Native Client Java Signed Applet Java Unsigned Applet Embedded Client in Adobe Acrobat and Reader

ArcotID Client functionality is embedded in the shipping versions of Acrobat 8 (and higher) and Adobe Reader 8 (and higher). This functionality enables ArcotID's to be used to authenticate to digitally sign PDF files using a Roaming Digital ID.

60

Arcot Confidential

WebFort Interfaces/SDK

WebFort: Interfaces/SDK
Proprietary: Java APIs
Client-Server architecture Proprietary (Binary Packet based) protocol WebServices interface (Java based) TCP Connection Pooling Database Connection Failover support

Adobe Arcot Signing Protocol (ASSP support)

WebServices interface Uses SOAP, SAML, SASL Use gSOAP and openSAML

62

Arcot Confidential

WebFort Client-Server Model

63

Arcot Confidential

WebFort Authentication SDK

The SDK provided by the WebFort validates the user credentials supported. The following are few of the operations that can be carried out using authentication SDK:
Verify the user credentials for supported mechanisms; single step (UserID/Password) or multi step (ArcotID, QnA). Provide the Authentication Token after successful authentication. Verify the Authentication tokens.

64

Arcot Confidential

WebFort Issuance SDK

The Issuance SDK package takes care of the initial credentials provisioning to the users. The following are few of the operations that can be carried out using issuance SDK:
Issue the credentials to the users Perform the credential life cycle management operations - Create - Revoke - Reissue - Delete Perform the user management - Create the user - Update the user

65

Arcot Confidential

WebFort: Web Services

Provides Issuance and Authentication capabilities Platform independent Supports industry standards like SOAP 1.2 and Axis 2.0 Wrapper around Issuance and Authentication Java APIs Ease of deployment Web application

66

Arcot Confidential

List of Web Services With WebFort And Their Associated Operations

AuthAccessorService authGetArcotID ArcotWebFortWebService receivePAM sendArcotIDResponse receiveArcotIDWallet verifyToken receiveArcotIDInfo receiveArcotIDChallenge

67

Arcot Confidential

Contd
AuthXActionService upVerifyPassword aidVerifySignedChallenge authTokenVerify aidVerifySignedData aidGetChallenge qnaVerifyAnswers qnaGetQuestions authGetPAM

68

Arcot Confidential

ArcotID Authentication Using WebFort

ArcotID and WebFort Solution Overview

ArcotID 1. Server sends Login Page containing challenge

HSM
Domain key

2. Send Signed challenge WebFort 4. WebFort sends security token User enters PIN Generate Private Key with PIN + data on wallet Sign challenge encrypted with private key

Bank

3. WebFort verifies signed challenge

70

Arcot Confidential

WebFort Administration Console

AdminConsole: Self Administration

Features

Self Administration Server Configuration Administration Reports High Interoperability Logging

Privileges and Policies Built in hierarchy

- Master Administrator System boot strapping, global administrator management - Global Administrator Across product suite administration, User Group management, Group administrator/CSR management. - Group Administrator CSR management, Group configuration management, Group report generation - Customer Service Representative (CSR) End User management, day to day operation handling

All admin functionality is controlled by privilege policies

- Different privilege policies for different level of admin

72

Arcot Confidential

Creating a User
The Enrollment form screen is used to create a user who can then be assigned the role of an admin.

73

Arcot Confidential

Create Admin and assign Policy

To create a Global admin login to the Master Admin screen and assign the registered user to the Global Admin Policy To create a Group or CSR admin login as a Global Admin and assign Group or CSR Policy.

74

Arcot Confidential

Admin Console: Server Configuration Administration

Features

Self Administration Server Configuration Administration Reports High Interoperability Logging

WebFort Configuration Domain Key Creation Server Protocol Setup Authentication Method Configuration Managing Credentials
Enable Credentials Disable Credentials Reset Credentials Revoke Credentials

75

Arcot Confidential

Generate WebFort Domain Key

For every installation of the WebFort server, a domain certificate and key needs to be generated. The screen shown is available at the Master Admin level to create the domain key.

76

Arcot Confidential

Server Protocol Setup

2 ports can be configured here Native and Admin ports Native Protocol Module port is used by clients to connect to the WebFort server during authentication requests Admin port is used by the aradmin tool for refresh and shutdown requests.

77

Arcot Confidential

Authentication Configuration
Configuration for the various Authentication parameters such as ArcotID/QnA Authentication challenge timeout Auth token validity Max Auth attempts # questions asked and required to be correct

78

Arcot Confidential

Managing Credentials
Credentials can be temporarily disabled from the Disable Credentials screen Disabled credentials will fail authentication attempts To enable the credentials again use the Enable Credentials screen.

79

Arcot Confidential

Resetting and Revoking Credentials

The Reset Credential page can be used to reset the ArcotID password or the User Name/Password. An ArcotID can be revoked using the Revoke Credential screen. Revoked credentials cannot be enabled again.

80

Arcot Confidential

Admin Console: Server Configuration Administration

Features

Self Administration Server Configuration Administration Reports High Interoperability Logging

Issuance Configuration Managing ArcotID Profles Managing QnA Profiles Managing Password Profiles Assign Profiles

81

Arcot Confidential

ArcotID Credential Profile

The parameters for the ArcotID credential can be configured here, such as Key Strength Validity Start and End Date Default is Key strength of 1024 bits and 2 year validity.

82

Arcot Confidential

QnA Credential Profile

Parameters for the QnA based authentication can be stored here Minimum and Maximum QnA Case Sensitivity Store as SHA-1 hash

83

Arcot Confidential

Password Credential Profile

The Minimum and Maximum length for the password can be set here.

84

Arcot Confidential

Assign Profile

The Profiles created in the earlier screens can be assigned to one of the two existing groups.

85

Arcot Confidential

Questions ?

Arcot WebFort Fundamentals