IDENTITY MANAGEMENT – The Power of Digital Credentials. Daniel Pfeifle, Director of National Accounts, eToken (Office: 847.637.4003, Email: [email protected]), Aladdin Knowledge Systems. Educause PKI Summit, August 2004. © 2004 Aladdin, July 20, 2004.


Page 1: Title slide

© 2004 Aladdin, July 20, 2004

IDENTITY MANAGEMENT
The Power of Digital Credentials

Daniel Pfeifle, Director of National Accounts, eToken
Office: 847.637.4003 Email: [email protected]

Aladdin Knowledge Systems, Educause PKI Summit, August 2004

Page 2: Today’s Discussion

1. Introduction – Who is Aladdin?
2. “Who” Tried To Access My Network?
3. Identity and Access Management (What Is It?)
4. The Power of Digital Credentials
5. The Pitfalls of Digital Credentials
6. The Pain Today
7. Aladdin Product Suite
8. Concept of Federated Identity
9. The Challenges of Federated Identities
10. Summary

Page 3: The Aladdin Vision and Overview

Vision: We strive to be the leading provider of security solutions used by our customers to:
• protect digital assets
• enable secure business
• maximize the benefits from creating, selling, distributing and using digital content

Employees: 360 Worldwide
Segments: Software Security DRM, Enterprise Security
NASDAQ: ALDN (since 1993)
Founded: 1985
Sales: $54.7 Million (2003); $33.4 Million (H1/2004)

Page 4: Aladdin Around the Globe

• Customers in 100 countries
• Nine global subsidiaries
• Distributors in 50 countries on 5 continents

Page 5: “Who” Tried to Access My Network?

Page 6: We All Have a Bone In This Game?

Authentication: Parties can identify which Dog they’re dealing with
Authorization: Dog gains permission to access toys that are rightfully theirs
Confidentiality: Information is accessible only to the intended dog
Data Integrity: Information in a transaction is unaltered
Proof of Source: Public/private key encryption to verify the source of a document
Non-Repudiation: Both the Dog, and iPets, are verified with public/private encryption

Page 7: Identity & Access Management – “What is it”?

3 Critical Elements of Identity & Access Management

• Authentication: The ability to validate or prove the identity of a user or transaction. Digital Credentials in the form of passwords, digital certificates, smartcards, tokens, and biometrics (these provide the basis on which the user will be known in the world). The backbone of authentication is trust.

• Access Management: Who gets to access what company resources or complete/execute a transaction? Access/authorization can have many layers across an enterprise. Policy defines who gets access to “x” or may execute “x” transaction.

• Administration: Management of identities and/or transactions must be administered (provisioned, revoked, audited) across the enterprise or platform.

Page 8: The Power of Digital Credentials

• Provide the ability for people and organizations to interact/transact over the internet
• Offer the possibility of providing more secure platforms for transacting and authentication
• Legislation such as ESIGN (Electronic Signature in Global & National Commerce Act) validated “digital signatures” as a legal form of transacting and authentication
• Flexibility in the type of form factor that can be used to “create” your digital credential:
  • Passwords
  • Digital certificates (PKI)
  • Smartcards (Traditional and USB)
  • OTP (One Time Password Fobs & Tokens)
  • Biometrics

Page 9: The Pitfalls of Digital Credentials

• How do I know “who” is trying to access my network or transact with my platform?
• No standardization of “what” constitutes a digital signature?
• Legacy application limitations
• End-user confusion
• Flexibility in the type of form factor that can be used as or to “create” your digital credential:
  • Passwords
  • Digital certificates (PKI)
  • Smartcards (Traditional and USB)
  • OTP (One Time Password Fobs & Tokens)
  • Biometrics
• Where is the First Court Case?

Page 10: The Pain Today

• Web Based Passwords
• Application Based Passwords
• PKI
• X.509
• Biometrics
• OTP Tokens
• Soft Tokens

How Do I Manage Multiple Disparate Identities...

Page 11: SSO – Single Sign On Across Disparate Platforms...

[Diagram: a single sign-on layer mediating logons across disparate platforms. Logon targets shown: Secondary Logons (Citrix, Unix, Main Frame, Web), Any Logon, VPN, MF Logon, Laptop/PC Encryption, Network Logon, Secure eMail, Web. SSO functions shown: PKI & Certificate Authentication, Password Authentication, Key Generation, Authentication credential Caching.]

Page 12: The Goal: ‘EASY STREET’

Authentication Solutions Must Be:
• Easy to Implement
• Easy for the End-User
• Easy on the Budget
• Easy to Manage

Page 13: The Market Needs

Enhanced Security: Strong user authentication and information confidentiality is becoming a critical need for protecting organizational networks and digital information.

Improved password and identity management: Passwords are becoming an increased security problem with high maintenance & support costs.

Mobility of keys, profiles and certificates: Enabling users to carry their authentication credentials with them for easy access and convenience.

Source: IDC, June 2004

Page 14: eToken

• Convenient & cost-effective USB with smart card technology
• Enables two-factor user authentication
• Stores passwords, private keys and digital certificates
• Enables rapid rollout of Public Key Infrastructure (PKI)
• Integrates seamlessly with all major PKI and smart card standards

Page 15: eToken R2, eToken PRO, eToken NG-OTP

eToken NG-OTP
• Industry first USB smart card Token with One-Time Password (OTP) functionality
• Based on eToken PRO technology
• Stores OTP data securely within the smart card
• Integrated with VeriSign's Universal Strong Authentication (OATH)
• PKI compliant

eToken R2
• 128 Bit DESX for strong encryption
• 8/16K-Byte of secured memory
• Key & certificate storage for PKI support
• Unique protected ID of 64 bits
• Compatible implementation with smart cards

eToken PRO
• True reader-less smart card
• Cryptography in hardware: RSA 1024, SHA-1 Hashing Algorithm
• RSA private keys never leave the token
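The OTP functionality on the NG-OTP slide is described only by its OATH integration. The following is an added example, not Aladdin's or the token's own code: it implements the OATH event-based algorithm (HOTP, HMAC-SHA-1 over a shared counter, later published as RFC 4226) together with the server-side check a relying party needs, namely a look-ahead window that tolerates counters the token advanced without the server seeing, while refusing any code at or below the last accepted counter as a replay. It assumes an HMAC-SHA-1, six-digit profile and uses the RFC 4226 test-vector key; whether the NG-OTP used exactly this profile is not stated on the slide.

```python
import hmac
import hashlib
import struct

# Assumption for this example: token and validation server share a secret key
# and a moving counter (OATH HOTP). The key below is the RFC 4226 test vector.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server-side state for one token: the next expected counter plus a
    look-ahead window. A code matching a counter inside the window is accepted
    and the server resynchronises to one past it; every counter at or below
    the last accepted value is then dead, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0          # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison so the check leaks nothing about the match
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # resynchronise; counters <= c are now dead
                return True
        return False


if __name__ == "__main__":
    v = HotpValidator(SHARED_SECRET)
    first = hotp(SHARED_SECRET, 0)
    print("counter 0 code:", first, "accepted:", v.verify(first))
    print("same code again (replay):", v.verify(first))
```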

Page 16: How We Categorize eToken Enterprise Solutions

• eToken For PKI Solutions
• eToken For Network Logon
• eToken Simple Sign On
• eToken for WSO Solutions

Page 17: eToken Architecture

Page 18: eToken TMS

• Robust management system enabling deployment, provisioning and maintenance of security tokens, smartcards and ID badges
• Seamlessly folds the process into existing Microsoft Active Directory
• Supports a comprehensive range of security applications (e.g. Network Logon, VPN, Web Access, Secure eMail, Data Encryption and others)

Page 19: Concept of Federated Identity?

• Disparate identity management systems have created platforms that are not natively interoperable; i.e. digital credentials are not uniformly accepted and hence are limited in their portability
• The concept of Federated Identity makes identity and access portable across autonomous domains by creating an accepted trust platform
• The goal is to provide an interoperability system analogous to a Driver’s License; one state provides the credential that is trusted in all states with mutually agreed upon standards, technology, and legal acceptance

Page 20: Business Drivers for Federated Identity?

• User Convenience: Elimination of multiple passwords via an SSO platform
• Risk Management: The ability to create trust across disparate organizations where user convenience is balanced with strong security
• Business Enablement: Enables business partners within the Federated Identity network to safely share sensitive information to collaborate and serve a larger customer population
• Cost Reduction: By utilizing a centralized infrastructure/accepted platforms, the cost of managing and supporting different technologies will be significantly reduced.

Page 21: Challenges of Federated Identity

• Liability Transfer: The identity provider, or authenticator, financially backs its identity assertions, effectively saying to a relying party, "I guarantee you this is Dan; if I'm wrong, I pay you." Agreement upon who accepts this liability and is liable to pay in cases of fraud may cause a breakdown of the system.

• What Security Gains Are Really Made? FI doesn’t necessitate better encryption or authentication; in fact it still relies on a username/password platform. Have we done a good enough job protecting people’s privacy with our current systems? It could be argued that by implementing SSO, once someone has my “password” they would gain access and could impersonate me to ALL trusted accounts.

• Subjective Partnerships: What if a customer does not want to use a vendor in the FI alliance? Do I as a customer want my data shared with other FI partners? What are the risks of targeted marketing (spam) and limiting choices to the customer in obtaining competitive pricing?

• Simplified Sign On: How does the consumer truly benefit if the “opt out” aspect is eliminated, e.g. Microsoft Passport?

Page 22: Summary

• Digital Credentials are the prerequisite for access and identity management
• Digital Identities must be seamlessly and securely managed across applications
• Legal, social and regulatory trends have raised the bar for protecting critical infrastructure, networks and identities. Federated Identity is one aspect of a sophisticated challenge, but is it the solution for everyone?
• All authentication solutions must be judged for ease in implementation, manageability, cost and end-user convenience


Page 24: Sample eToken Partners & Customers

[Logo slide: Major Product Certifications, Customers, Partners]