Arcot WebFort Fundamentals
2 Arcot Confidential
WebFort Topics
Security Challenges Addressed By WebFort
Cryptographic Camouflage Using ArcotID
WebFort Overview
Architecture
Features
WebFort Clients
Interfaces and SDK
ArcotID Authentication using WebFort
WebFort Administration Console
Security Challenges Addressed By WebFort
Security Challenges Addressed By WebFort
Phishing Attacks
Man-In-The-Middle (MITM)
Key Loggers
Phishing: Growing at 289% YOY
New Phishing Sites – April 2005 to April 2006
Phishing 1.0 – A Common Attack
User gets an email, apparently from their bank:
• A new offer
• A security warning
• Threat of loss
• Request to enter personal information
User clicks on link – gets taken to phishing site
Enters "personal information":
• Username / password
• Personal details – DOB
• Account details
Typical Solutions Against Phishing
Search and Destroy
• Banks search for sites that imitate their appearance and have them taken down
Customer Education
• Security information advising against clicking on links
• Defeated by banks' own marketing communications
Site Authentication
• "Shared secret" for user to confirm that he is on the right site
[Screenshot: two-page login]
Page 1: Username
Page 2: Assurance Message "My Dog's Name is FIDO" – "Enter your password only if you recognize your Assurance Message" – Password – Forgot Password?
Other Anti-Phishing Solutions
One Time Password [OTP] Generators
• Hardware tokens, scratch out lists, SMS
• Even if entered on wrong site, not usable after X seconds
Partial Passwords
• Enter only part of the password – 1st, 4th, 7th and 9th letters
• Enter select elements of a m*n matrix
- E.g. enter Row 2 Column 4, Row 3 Column 9 and Row 5 Column 7
Browser Enhancements
• Toolbars
• EV SSL Certs
Phishing 2.0: Man-in-the-Middle
User clicks on link in a phishing email – goes to MITM site
MITM site connects with Bank and gets real pages
MITM replays bank pages to User and User responses to Bank
None of the existing solutions protect against MITM!
Only ArcotID can solve MITM
[Diagram: User – Man-in-the-Middle Attacker – Real Bank Site]
1. User-id (User to attacker)
2. User-id (attacker to bank)
3. Verification Dialog (bank to attacker)
4. Verification Dialog (attacker to User)
ArcotID™: Detects and Stops MITM
Match Domain with Trusted Site List
Decline if matching fails
Two-Factor Strong Authentication
[Diagram: Safe End User – MITM Spoofed Website – Target Website, SSL on both legs]
1. Send UserID
2. Capture UserID
3. Request Page
4. Provide Requested Page
5. Provide SPOOFED Page
6. UNTRUSTED Site Rejection
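The slide's check is "match the domain against a trusted site list, decline if matching fails". The example below is added here and is not Arcot client code; the host names in `TRUSTED_SITES` are constructed for the example. It shows the check done on the parsed https host, which is what makes a spoofed site fail step 6, and beside it the substring comparison that a look-alike host name would satisfy.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed trusted site list for this example (not an Arcot list): the exact
# hosts for which the client may answer an authentication challenge.
TRUSTED_SITES = frozenset({"login.examplebank.test", "www.examplebank.test"})


def site_host(url: str) -> Optional[str]:
    """Host of the page that is asking, normalised; None unless it is an https URL.
    Working from the parsed host (not the raw string) is what defeats look-alikes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_trusted_site(url: str, trusted: Iterable[str] = TRUSTED_SITES) -> bool:
    """Decline unless the host is exactly on the list (no prefix or substring matching)."""
    host = site_host(url)
    return host is not None and host in set(trusted)


def naive_is_trusted(url: str, trusted: Iterable[str] = TRUSTED_SITES) -> bool:
    """The check to avoid: a substring test is satisfied by a trusted name placed
    anywhere in a URL the client did not verify."""
    return any(name in url for name in trusted)
```

`is_trusted_site` returns False for a plain http page even when the host is on the list, because the client only has an SSL-protected identity to match on; `naive_is_trusted` is included only to show why the comparison has to be anchored on the parsed host.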
KeyLogger: Prevalent Attack
Rogue applications that capture key strokes and mouse clicks
Can capture sensitive information such as:
• Account passwords
• Credit Card numbers
Scrambled Keypad
Works on Anti-Keylogger technology
Uses Virtual scrambled keypad
Position of keys changes for every session and optionally for every keystroke
Patented by Arcot
Solving Security Challenges With Cryptographic Camouflage Using ArcotID
ArcotID: Patented Technology
Cryptographic Camouflage
Private Key Protection without hardware
Arcot Patented Technology
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SECPRI.1999.766915
Cryptographic Camouflage
[Diagram: two software key containers under a Brute Force / Library Attack]
Standard Software Key Container:
1CE59A451B257C11DC1A4596B79B21159CA7C8439BA311A964942B5AC5B11E459FC479C3B4117675ABC59DE3711996C2A7EF64DA1
Protected Key: 1E459FC479C3B41
Key Rule: Hex, Begins and Ends with 1
ArcotID Software Key Container:
X^b19(#h7CD39J5156g*%k75¤»y5B$17fn;hff43LqqkH◊≠xVI39#T\114ke1E459FC479C3B41hKDU&$g752NJHVD1djfHBD7549hgd1
Protected Key: 1E459FC479C3B41
6 digit PIN, 1 million results
Each is a plausible result.
The only way to determine the correct key is to sign a challenge and send to the Authentication Server.
If not the right key… the invalid attempt counter is incremented.
Cryptographic Camouflage Private Key Protection
Patented "Cryptographic Camouflage"
ArcotID : Workflow
An unauthorized person gains access to a User's desktop.
In his attempt to logon he is challenged by the ArcotID.
He assumes that this device is only protected by a password or PIN
..but it is also protected by "Cryptographic Camouflage".
The hacker launches an offline "brute force" attack on the ArcotID.
The brute force attack looks for the combination of characters that will produce a well formed mathematically correct decrypted key.
[Animation: PIN candidates scrolling past – 123456, 234567, 345678, 456789, 567890, 678901, 789012, 890123 …]
To his surprise... every combination produces what appears to be a valid mathematically correctly formed key.
In fact, a 6 digit numeric PIN would produce 1 million keys.
The only way to determine which one is real is to log onto the online application… and try it.
After 3 attempts the ArcotID is disabled! …and an email alert is sent for security.
ArcotID: Versatile
ArcotID Storage:
• Data file loaded onto a device
- PC, Blackberry or Mobile Phone
- Optional Device-locking to a particular system
• Data file loaded onto USB drive for portability
• Downloaded for on-demand roaming access
Arcot Client Software:
- Flash Implementation
- Java Applet (signed or unsigned)
- Native PC
- Part of Adobe Acrobat 8 and Reader 8
Access anywhere, anytime (future)
- PC, Mobile Phones, Blackberry, PDA
ArcotID – One Credential Multiple Uses
[Diagram: one ArcotID used for Strong Authentication, PKI encrypted e-Statements and Digital Signing, across Web Portals, VPNs, PDFs, email and MS Office]
ArcotID: Cryptographic Camouflage™
“Since the invention of public key cryptography twenty-five years ago, people have been struggling to secure the private key without the assistance of hardware.
Arcot's innovative Cryptographic Camouflage* has solved this problem.
Finally there is a cost-effective and convenient means to strongly authenticate users and transactions over the Internet without the need for cumbersome hardware.”
Martin E. Hellman, Professor Emeritus, Stanford University (Inventor of PKI)
* US Patent 6,170,058. Other Arcot Patents include 6,209,102, 6,263,446, 6,895,391, 6,908,030, 6,928,427, 6,959,303, 6,956,950.
WebFort Overview
WebFort Introduction
WebFort is a Universal Authentication server
• ArcotID authentication
• UserID/Password
• Q and A
• One Time Password
• Custom authentication schemes
WebFort is a 100% software based solution
Single Centralized Administration
Seamless Integration with existing user credential repositories
Support for Open Standards
FFIEC, SOX and HIPAA Compliant
WebFort: The Universal Authentication Server
[Diagram: Arcot™ Administration Console connected to WebFort through the Administration API]
WebFort Enterprise Solutions
No additional effort for integration with VPN Infrastructure
Seamlessly interoperable with SignFort™ for digital signing solutions
WebFort Platforms Supported
Operating Systems
• Microsoft Windows Server 2003
• Sun Solaris 10 / 9
Databases
• Oracle 10g / 9i
• SQL Server 2000 / 2005
Application Servers
• Tomcat 5.x
• WebSphere 6.x
Third Party
• JDK 1.5.0x / 1.4.2x
WebFort Architecture
WebFort Architecture: Authenticating Credentials
Designed for Scalability and Performance
WebFort server is a Stateless server
• No user data is maintained in-memory
• Instead, an Encrypted Token with timestamp is generated
Authentication Token generated for Single-Sign On (SSO) integration
• Proprietary algorithm
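The stateless design on this slide rests on one idea: the token itself carries the user and the timestamp, so any server instance holding the key can validate it without a session store. The example below is added here and is not WebFort's token format, which the slide describes only as proprietary and encrypted; the toy protects the token with an HMAC-SHA256 tag rather than encryption, and `SERVER_KEY` is a constructed value.

```python
import base64
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed server secret for the example; a deployment would keep it in
# protected configuration and share it only between WebFort instances.
SERVER_KEY = b"example-webfort-token-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, validity_seconds: int, now: Optional[float] = None,
                key: bytes = SERVER_KEY) -> str:
    """Stateless token: payload (subject, issued-at, expiry) plus an HMAC-SHA256 tag.
    Nothing about the session is kept in server memory; the timestamp travels inside."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user, "iat": issued, "exp": issued + validity_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, "sha256").digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Any instance holding `key` can verify; returns (ok, subject-or-reason)."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    # The tag is checked before anything in the payload is trusted.
    if not hmac.compare_digest(hmac.new(key, payload, "sha256").digest(), tag):
        return False, "bad signature"
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return False, "expired"
    return True, claims["sub"]
```

The `now` parameter exists so the validity window can be exercised deterministically; the "Auth token validity" setting of the Administration Console slides corresponds to `validity_seconds` here.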
WebFort Architecture: Issuing Credentials
Issues multiple credentials including ArcotIDs, Questions-Answers (QnA) and UserID/Password
Supports Personal Assurance Message (PAM) to increase the user confidence
Lifecycle Management capability for credentials
Multiple Interfaces for Issuance: Java APIs and Web Services
WebFort Architecture
[Diagram: WebFort Server]
Authentication Protocols: ASSP, Proprietary, RADIUS, OATH
Authentication Service Framework
Authentication Mechanisms: ArcotID, QnA, Password, Kerberos
Framework is the backbone for all common functionality: Caching, Database failover, interface with authentication protocols and authentication mechanisms
Server Handles Bootstrapping, Threading and Communication Management
Each authentication protocol and mechanism interfaces with the Authentication Service Framework
Pluggable Architecture minimizes impact on existing components
Single System Deployment
[Diagram: all components on a single system]
Application Server: Issuance Web App, Login Web App, Administration Console, Sample JSP or customer app, Issuance Java SDK, Authentication Java SDK, Issuance Web Service, Authentication Web Service, Issuance Web Service API, Authentication Web Service API, Web Services Client, JDBC Driver, JRE / JDK
WebFort Server: ODBC Client, ODBC Driver
SQL DB
KEY: WebFort provided component / Prerequisite component
Typical Deployment with Java APIs
[Diagram: three systems (System #1, #2, #3)]
Application Servers: Issuance Web App, Issuance Java SDK, Login Web App, Authentication Java SDK, Administration Console, Sample JSP or customer app, JDBC Driver, JRE / JDK, JRE
WebFort Server: ODBC Client, ODBC Driver
SQL DB
KEY: WebFort provided component / Prerequisite component
Typical Deployment with Web Services
[Diagram: three systems (System #1, #2, #3)]
Application Servers: Issuance Web App, Login Web App, Administration Console, Issuance Web Service, Authentication Web Service, Issuance Web Service API, Authentication Web Service API, Web Services Client, Sample JSP or customer app, JDBC Driver, JRE / JDK
WebFort Server: ODBC Client, ODBC Driver
SQL DB
KEY: WebFort provided component / Prerequisite component
WebFort Integration With Client Application
WebFort Features
WebFort Server Features
Multiple authentication protocols
Multiple authentication mechanisms
Support for open standards
High Availability and Reliability
Audit Logging
Roaming services
Data Caching
WebFort Features: Multiple Authentication Protocols
Support for multiple authentication protocols for ease of deployment in a variety of scenarios
Supports Proprietary and Adobe Signature Service Protocol (ASSP)
Support for RADIUS and OATH
WebFort Features: Multiple Authentication Mechanisms
WebFort supports multiple types of credentials including
• ArcotID
• QnA
• Password
• Kerberos (token verification only)
Each Credential is implemented as a separate module, DLL or SO, that is loaded dynamically
WebFort Features: Open Standards
Supports SASL during authentication
• The current SASL support is enabled via ASSP
Supports SAML for returning successful authentication
• Currently, support for SAML is enabled via ASSP
Supports SOAP 1.2 and Axis 2.0 for Web Services
• Available for Issuance and Authentication
WebFort Features: RAS
Built for high availability and reliability
Stateless instances for ease of load-balancing
Failover at Database Level
Backup database and database connection pooling supported
WebFort Features: Logging
Audit Logging enables tracking of all authentication attempts
• All authentication attempts, successes and failures are logged in database
Multi-Level File Logging
• File logging with multi-level control with a fine-grain configuration
• Log Levels: Fatal, Warning, Info, Low
WebFort Features: Roaming Services
Traveling user access
• Secure roaming access to download an ArcotID
Authenticate a roaming user
• Roaming Questions and Answers
• UserID/Password
• Third party integrations for OTP
WebFort Features: Data Caching
Commonly used tables are cached in the servers
Cache refresh is done via tool. Server restart is not required
Refreshes cache for stored information such as System Configuration, Group, Sub-Group, File System Log Level, etc.
Database Features
WebFort Server supports backup database and connection pooling to both primary and backup databases.
The Minimum, Maximum and the Number of Connections to Increment can be configured at the server side.
AutoRevert feature is available to connect back to the primary DB after a failover.
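To make the three pool settings and the AutoRevert behaviour concrete, here is an added model of those rules (it is not WebFort's pooling code and the class and parameter names are this example's own). `SimulatedDatabase` is a constructed connection factory whose `up` flag models an outage, so the failover and the revert can be driven from a test.

```python
from typing import Callable, List


class DBConnectError(Exception):
    """Raised by a connection factory when its database cannot be reached."""


class SimulatedDatabase:
    """Constructed connection factory for the example; toggle `up` to model an outage."""

    def __init__(self, name: str):
        self.name, self.up = name, True

    def __call__(self) -> str:
        if not self.up:
            raise DBConnectError(f"{self.name} unreachable")
        return self.name  # a real pool would return a DB-API connection


class FailoverPool:
    """Model of the slide's rules: open `minimum` connections up front, grow by
    `increment` up to `maximum`, fail over to the backup when the primary cannot be
    reached, and with AutoRevert return to the primary as soon as it answers again."""

    def __init__(self, primary: Callable[[], object], backup: Callable[[], object],
                 minimum: int = 2, maximum: int = 8, increment: int = 2,
                 auto_revert: bool = True):
        self.sources = {"primary": primary, "backup": backup}
        self.minimum, self.maximum, self.increment = minimum, maximum, increment
        self.auto_revert = auto_revert
        self.active = "primary"
        self.idle: List[object] = []
        self.in_use = 0
        self.events: List[str] = []  # audit trail of failover / revert decisions
        self._grow(self.minimum)

    def _open(self):
        """Open one connection on the active database, failing over once if needed."""
        try:
            return self.sources[self.active]()
        except DBConnectError:
            if self.active == "backup":
                raise  # both databases down: surface the error to the caller
            self.events.append("failover to backup")
            self.active = "backup"
            self.idle.clear()  # pooled primary connections are unusable now
            return self.sources["backup"]()

    def _grow(self, count: int) -> None:
        for _ in range(count):
            self.idle.append(self._open())

    def acquire(self):
        """Hand out an idle connection, growing the pool by `increment` when empty."""
        if self.auto_revert and self.active == "backup":
            self._try_revert()
        if not self.idle:
            room = self.maximum - self.in_use
            if room <= 0:
                raise DBConnectError(f"pool exhausted (maximum={self.maximum})")
            self._grow(min(self.increment, room))
        self.in_use += 1
        return self.idle.pop()

    def release(self, conn) -> None:
        self.in_use -= 1
        self.idle.append(conn)

    def _try_revert(self) -> None:
        """AutoRevert: probe the primary; if it answers, drop the backup connections."""
        try:
            conn = self.sources["primary"]()
        except DBConnectError:
            return
        self.events.append("revert to primary")
        self.active = "primary"
        self.idle = [conn]

    def size(self) -> int:
        return self.in_use + len(self.idle)
```

The model deliberately does not validate idle connections before handing them out, so a connection opened before the outage is still returned until the idle set is exhausted; the `events` list is the kind of record a practitioner would want in the server log when a failover or revert happens.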
Multi-DB Pooling
WebFort Clients
ArcotID Client Capabilities
[Matrix: capabilities (rows) by client type (columns); the check marks did not survive extraction]
Client types: Flash Client; Unsigned Java Applet; Signed Java Applet; Native; Embedded in Adobe Reader
Capabilities:
• ArcotID Roaming Download
• ArcotID Saved to Desktop
• Digital Signing and Encryption CSP (MS Office) & PKCS#11 (PDF)
• ArcotID Saved to USB Drive *
• Authentication
• Digitally Sign Web Forms
• Digital Signing w/ Roaming IDs
• Device Lock ArcotID
• WebVPN
Notes:
Stored in Flash secure object store, not available to copy onto USB, floppy, CD, etc
Only for SSL connections through a web browser
* Can use an ArcotID stored on a USB drive, but can not save to USB
WebFort Clients
Flash Client
Native Client For Windows
Java Signed Applet
Java Unsigned Applet
Embedded Client in Adobe Acrobat and Reader
Flash Client
Uses the widely adopted Adobe Flash Player (version 9 or higher) installed in most browsers.
Creates a secure Flash storage to store the ArcotID either persistently or per session.
User experience is completely transparent during ArcotID authentication.
Native Client
The native client for Windows is an install package that includes the Arcot browser plug-in, Arcot Cryptographic Service Provider (CSP), and Arcot PKCS#11 module.
Supported on Internet Explorer browser and can be embedded in Win32 applications.
Java Signed Applet Client
The signed java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM).
A security window is displayed when the signed java applet is invoked for the first time.
Java Unsigned Applet Client
The unsigned java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM).
When using the Arcot unsigned Java applet, the user will not be prompted with any security messages or warnings.
Unsigned Java Applet cannot store ArcotID persistently.
Embedded Client in Adobe Acrobat and Reader
ArcotID Client functionality is embedded in the shipping versions of Acrobat 8 (and higher) and Adobe Reader 8 (and higher). This functionality enables ArcotIDs to be used to authenticate to digitally sign PDF files using a Roaming Digital ID.
WebFort Interfaces/SDK
WebFort: Interfaces/SDK
Proprietary: Java APIs
• Client-Server architecture
• Proprietary (Binary Packet based) protocol
• WebServices interface (Java based)
• TCP Connection Pooling
• Database Connection Failover support
Adobe Arcot Signing Protocol (ASSP support)
• WebServices interface
• Uses SOAP, SAML, SASL
• Uses gSOAP and OpenSAML
WebFort Client-Server Model
WebFort Authentication SDK
The SDK provided with WebFort validates the supported user credentials.
The following are a few of the operations that can be carried out using the authentication SDK:
• Verify the user credentials for supported mechanisms; single step (UserID/Password) or multi step (ArcotID, QnA).
• Provide the Authentication Token after successful authentication.
• Verify the Authentication tokens.
WebFort Issuance SDK
The Issuance SDK package takes care of the initial credential provisioning to the users.
The following are a few of the operations that can be carried out using the issuance SDK:
• Issue the credentials to the users
• Perform the credential life cycle management operations
- Create
- Revoke
- Reissue
- Delete
• Perform the user management
- Create the user
- Update the user
WebFort: Web Services
Provides Issuance and Authentication capabilities
Platform independent
Supports industry standards like SOAP 1.2 and Axis 2.0
Wrapper around Issuance and Authentication Java APIs
Ease of deployment – Web application
List of Web Services With WebFort And Their Associated Operations
AuthAccessorService
• authGetArcotID
ArcotWebFortWebService
• receivePAM
• sendArcotIDResponse
• receiveArcotIDWallet
• verifyToken
• receiveArcotIDInfo
• receiveArcotIDChallenge
AuthXActionService
• upVerifyPassword
• aidVerifySignedChallenge
• authTokenVerify
• aidVerifySignedData
• aidGetChallenge
• qnaVerifyAnswers
• qnaGetQuestions
• authGetPAM
ArcotID Authentication Using WebFort
ArcotID™ and WebFort™ Solution Overview
[Diagram: User with ArcotID – Bank – WebFort™ with HSM-held Domain key]
1. Server sends Login Page containing challenge
User enters PIN; Generate Private Key with PIN + data on wallet; Sign challenge (encrypted with private key)
2. Send Signed challenge
3. WebFort™ verifies signed challenge
4. WebFort™ sends security token
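The four steps above and the "ArcotID : Workflow" slides earlier describe the same exchange from two sides: the client derives a key from PIN + wallet data and signs the challenge, while the server alone can tell a right key from a wrong one and counts invalid attempts. The example below is added here and is not Arcot's code or key format. Its assumptions: a private key is a hex string that begins and ends with "1" (the slide's key rule) with a 7-byte body, only the body is XOR-encrypted under a SHA-256 keystream derived from the PIN, and the signature is an HMAC keyed on the recovered key standing in for ArcotID's RSA signature (so the toy server holds the key string where a real one holds the public key). Everything the example demonstrates (every PIN yields a well-formed candidate offline; only the online check discriminates; the credential is disabled after 3 failures and an alert is raised) is independent of those simplifications.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

BODY_BYTES = 7  # 14 hex digits between the structural "1" marks (example's own size)


def looks_well_formed(key: str) -> bool:
    """The only check an offline attacker can make: hex, begins and ends with '1'."""
    return (len(key) == 2 * BODY_BYTES + 2 and key[0] == key[-1] == "1"
            and all(c in "0123456789ABCDEF" for c in key))


def pin_keystream(pin: str, n: int) -> bytes:
    """Deterministic keystream from the PIN (SHA-256 in counter mode; toy KDF)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{ctr}:{pin}".encode()).digest()
        ctr += 1
    return out[:n]


def camouflage(private_key: str, pin: str) -> bytes:
    """Build the wallet: strip the structural marks, XOR the body with the PIN stream."""
    if not looks_well_formed(private_key):
        raise ValueError("key does not satisfy the key rule")
    body = bytes.fromhex(private_key[1:-1])
    return bytes(a ^ b for a, b in zip(body, pin_keystream(pin, len(body))))


def recover_key(container: bytes, pin: str) -> str:
    """What the client computes from PIN + wallet data; well-formed for every PIN."""
    body = bytes(a ^ b for a, b in zip(container, pin_keystream(pin, len(container))))
    return "1" + body.hex().upper() + "1"


def sign_challenge(private_key: str, challenge: bytes) -> bytes:
    """Toy signature (HMAC keyed on the recovered key) in place of ArcotID's RSA signature."""
    return hmac.new(private_key.encode(), challenge, "sha256").digest()


class AuthServer:
    """Toy WebFort: issues challenges, verifies signatures, counts invalid attempts."""
    MAX_ATTEMPTS = 3  # slide: after 3 attempts the ArcotID is disabled

    def __init__(self, user: str, private_key: str):
        self.verifiers: Dict[str, str] = {user: private_key}  # public key in a real deployment
        self.failures: Dict[str, int] = {user: 0}
        self.disabled: Dict[str, bool] = {user: False}
        self.pending: Dict[str, bytes] = {}
        self.alerts: List[str] = []  # stands in for the e-mail alert

    def get_challenge(self, user: str) -> bytes:
        """Step 1: the login page carries a fresh random challenge."""
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user: str, signature: bytes) -> Tuple[bool, Optional[str]]:
        """Steps 3 and 4: check the signed challenge; on success return a security token."""
        challenge = self.pending.pop(user, None)
        if self.disabled[user] or challenge is None:
            return False, None
        expected = sign_challenge(self.verifiers[user], challenge)
        if hmac.compare_digest(expected, signature):
            self.failures[user] = 0
            return True, secrets.token_hex(16)  # opaque token; its format is out of scope here
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_ATTEMPTS:
            self.disabled[user] = True
            self.alerts.append(f"ArcotID for {user} disabled after {self.failures[user]} failures")
        return False, None


def login(server: AuthServer, user: str, container: bytes, pin: str) -> Tuple[bool, Optional[str]]:
    """Client side of the flow: challenge -> key from PIN + wallet -> signed challenge (step 2)."""
    challenge = server.get_challenge(user)
    return server.verify(user, sign_challenge(recover_key(container, pin), challenge))


def count_well_formed(container: bytes, pins) -> int:
    """Offline view: how many PIN candidates pass the key rule (all of them)."""
    return sum(looks_well_formed(recover_key(container, p)) for p in pins)


def guesses_until_disabled(server: AuthServer, user: str, container: bytes, pins) -> int:
    """Online view: the server stops answering after MAX_ATTEMPTS failures."""
    tried = 0
    for pin in pins:
        if server.disabled[user]:
            break
        login(server, user, container, pin)
        tried += 1
    return tried
```

`count_well_formed` over a sample of the 1,000,000 six-digit PINs returns the sample size, which is the slide's point that the wallet gives an offline attacker no feedback; `guesses_until_disabled` shows that the feedback only exists online, where the invalid-attempt counter caps it at three.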
WebFort Administration Console
Admin Console: Self Administration
Privileges and Policies
• Built in hierarchy
- Master Administrator – System boot strapping, global administrator management
- Global Administrator – Across product suite administration, User Group management, Group administrator/CSR management.
- Group Administrator – CSR management, Group configuration management, Group report generation
- Customer Service Representative (CSR) – End User management, day to day operation handling
• All admin functionality is controlled by privilege policies
- Different privilege policies for different level of admin
Creating a User
The Enrollment form screen is used to create a user who can then be assigned the role of an admin.
Create Admin and assign Policy
To create a Global admin – login to the Master Admin screen and assign the registered user to the 'Global Admin Policy'
To create a Group or CSR admin – login as a Global Admin and assign 'Group or CSR Policy'.
Admin Console: Server Configuration Administration
WebFort Configuration
• Domain Key Creation
• Server Protocol Setup
• Authentication Method Configuration
• Managing Credentials
- Enable Credentials
- Disable Credentials
- Reset Credentials
- Revoke Credentials
Generate WebFort Domain Key
For every installation of the WebFort server, a domain certificate and key need to be generated.
The screen shown is available at the Master Admin level to create the domain key.
Server Protocol Setup
2 ports can be configured here – Native and Admin ports
Native Protocol Module port is used by clients to connect to the WebFort server during authentication requests
Admin port is used by the aradmin tool for refresh and shutdown requests.
Authentication Configuration
Configuration for the various Authentication parameters such as –
• ArcotID/QnA Authentication challenge timeout
• Auth token validity
• Max Auth attempts
• # questions asked and required to be correct
Managing Credentials
Credentials can be temporarily disabled from the 'Disable Credentials' screen
Disabled credentials will fail authentication attempts
To enable the credentials again – use the 'Enable Credentials' screen.
Resetting and Revoking Credentials
The 'Reset Credential' page can be used to reset the ArcotID password or the User Name/Password.
An ArcotID can be revoked using the 'Revoke Credential' screen. Revoked credentials cannot be enabled again.
Admin Console: Server Configuration Administration
Issuance Configuration
• Managing ArcotID Profiles
• Managing QnA Profiles
• Managing Password Profiles
• Assign Profiles
ArcotID Credential Profile
The parameters for the ArcotID credential can be configured here, such as –
• Key Strength
• Validity Start and End Date
Default is Key strength of 1024 bits and 2 year validity.
QnA Credential Profile
Parameters for the QnA based authentication can be stored here
• Minimum and Maximum QnA
• Case Sensitivity
• Store as SHA-1 hash
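The QnA profile above and the "# questions asked and required to be correct" setting from the Authentication Configuration slide together define how a QnA credential is issued and checked. The example below is added here and is not WebFort's code; the field names of `QnAProfile` are this example's own, not WebFort configuration keys. It stores answers as salted SHA-1 per the profile's "Store as SHA-1 hash" option (the salt is this example's addition so that identical answers do not share a stored value), applies the case-sensitivity rule at both enrollment and verification, enforces the minimum and maximum question count, and passes an attempt only when the required number of asked questions is answered correctly.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class QnAProfile:
    """Profile parameters mirroring the slides (names are this example's own)."""
    min_questions: int = 3        # Minimum QnA enrolled per user
    max_questions: int = 5        # Maximum QnA
    case_sensitive: bool = False  # Case Sensitivity
    hash_answers: bool = True     # Store as SHA-1 hash
    ask: int = 2                  # number of questions asked per authentication
    required_correct: int = 2     # number required to be correct


def normalise(answer: str, profile: QnAProfile) -> str:
    """Collapse whitespace; fold case unless the profile is case-sensitive."""
    text = " ".join(answer.split())
    return text if profile.case_sensitive else text.casefold()


def protect_answer(answer: str, profile: QnAProfile) -> str:
    """Stored form: 'sha1$<salt>$<hex>' or 'plain$<text>' when hashing is off.
    Answers are low-entropy, so a slow KDF such as PBKDF2 would resist guessing
    better than a single SHA-1; the slide's option is kept here as written."""
    text = normalise(answer, profile)
    if not profile.hash_answers:
        return "plain$" + text
    salt = secrets.token_hex(8)
    digest = hashlib.sha1((salt + text).encode()).hexdigest()
    return f"sha1${salt}${digest}"


def answer_matches(stored: str, given: str, profile: QnAProfile) -> bool:
    """Constant-time comparison of a supplied answer against its stored form."""
    kind, rest = stored.split("$", 1)
    text = normalise(given, profile)
    if kind == "plain":
        return hmac.compare_digest(rest.encode(), text.encode())
    salt, digest = rest.split("$", 1)
    computed = hashlib.sha1((salt + text).encode()).hexdigest()
    return hmac.compare_digest(computed.encode(), digest.encode())


def enrollment_valid(profile: QnAProfile, qa: Dict[str, str]) -> bool:
    """Question count within min/max and no empty answers."""
    return (profile.min_questions <= len(qa) <= profile.max_questions
            and all(a.strip() for a in qa.values()))


def enroll(profile: QnAProfile, qa: Dict[str, str]) -> Dict[str, str]:
    """Issue the QnA credential: question -> protected answer."""
    if not enrollment_valid(profile, qa):
        raise ValueError("number of questions outside the profile's min/max")
    return {q: protect_answer(a, profile) for q, a in qa.items()}


def select_questions(credential: Dict[str, str], profile: QnAProfile) -> List[str]:
    """Pick the questions for one authentication attempt at random."""
    return secrets.SystemRandom().sample(list(credential), profile.ask)


def verify_answers(credential: Dict[str, str], answers: Dict[str, str],
                   profile: QnAProfile) -> bool:
    """Pass when at least `required_correct` of the asked questions are answered correctly."""
    correct = sum(1 for q, a in answers.items()
                  if q in credential and answer_matches(credential[q], a, profile))
    return correct >= profile.required_correct
```

With the default profile an attempt that answers only one of two questions fails even when that answer is right, and under a case-sensitive profile "civic" no longer matches an enrolled "Civic"; both are the behaviours the profile switches control.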
Password Credential Profile
The Minimum and Maximum length for the password can be set here.
Assign Profile
The Profiles created in the earlier screens can be assigned to one of the two existing groups.
Questions ?
Arcot WebFort Fundamentals