Arcot WebFort Fundamentals

Upload: surabhivasu

Post on 28-Nov-2014


Page 1: 2 WebFort Fundamentals

Arcot WebFort Fundamentals

Page 2

2 Arcot Confidential

WebFort Topics

Security Challenges Addressed By WebFort

Cryptographic Camouflage Using ArcotID

WebFort Overview

Architecture

Features

WebFort Clients

Interfaces and SDK

ArcotID Authentication using WebFort

WebFort Administration Console

Page 3

Security Challenges Addressed By WebFort

Page 4

Security Challenges Addressed By WebFort

Phishing Attacks

Man-In-The-Middle (MITM)

Key Loggers

Page 5

Phishing: Growing at 289% YOY

New Phishing Sites – April 2005 to April 2006

Page 6

Phishing 1.0 – A Common Attack

User gets an email, apparently from their bank:
• A new offer
• A security warning
• Threat of loss
• Request to enter personal information

User clicks on link – gets taken to phishing site – and enters “personal information”:
• Username / password
• Personal details – DOB
• Account details

Page 7

Typical Solutions Against Phishing

Search and Destroy
• Banks search for sites that imitate their appearance and have them taken down

Customer Education
• Security information advising against clicking on links
• Defeated by banks’ own marketing communications

Site Authentication
• “Shared secret” for user to confirm that he is on the right site

[Screenshot: two-page login. Page 1: Username. Page 2: Assurance Message “My Dog’s Name is FIDO” – “Enter your password only if you recognize your Assurance Message” – Password – Forgot Password?]

Page 8

Other Anti-Phishing Solutions

One Time Password [OTP] Generators
• Hardware tokens, scratch out lists, SMS
• Even if entered on wrong site, not usable after X seconds

Partial Passwords
• Enter only part of the password – 1st, 4th, 7th and 9th letters
• Enter select elements of an m*n matrix
  - E.g. enter Row 2 Column 4, Row 3 Column 9 and Row 5 Column 7

Browser Enhancements
• Toolbars
• EV SSL Certs

Page 9

Phishing 2.0: Man-in-the-Middle

User clicks on link in a phishing email – goes to MITM site

MITM site connects with Bank and gets real pages

MITM replays bank pages to User and User responses to Bank

None of the existing solutions protect against MITM!

Only ArcotID can solve MITM

[Diagram: User – Man-in-the-Middle Attacker – Real Bank Site. 1. User-id, 2. User-id, 3. Verification Dialog, 4. Verification Dialog]

Page 10

ArcotID™: Detects and Stops MITM

Match Domain with Trusted Site List

Decline if matching fails

Two-Factor Strong Authentication

[Diagram: Safe End User – MITM (Spoofed Website) – Target Website, with SSL on both legs. 1. Send UserID, 2. Capture UserID, 3. Request Page, 4. Provide Requested Page, 5. Provide SPOOFED Page, 6. UNTRUSTED Site Rejection]

Page 11

KeyLogger: Prevalent Attack

Rogue applications that capture key strokes and mouse clicks

Can capture sensitive information such as:
• Account passwords
• Credit Card numbers

Page 12

Scrambled Keypad

Works on anti-keylogger technology

Uses Virtual scrambled keypad

Position of keys changes for every session and optionally for every keystroke

Patented by Arcot

Page 13

Solving Security Challenges With Cryptographic Camouflage Using ArcotID

Page 14

ArcotID: Patented Technology

Cryptographic Camouflage: Private Key Protection without hardware

Arcot Patented Technology

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SECPRI.1999.766915

Page 15

Cryptographic Camouflage

Page 16

Cryptographic Camouflage Private Key Protection

[Diagram: a Standard Software Key Container and an ArcotID Software Key Container, each holding the Protected Key 1E459FC479C3B41, are shown under a Brute Force / Library Attack.]

Key Rule: Hex, Begins and Ends with 1

Standard Software Key Container: only a decryption that satisfies the key rule is a candidate, so wrong guesses can be discarded offline.

ArcotID Software Key Container – Patented “Cryptographic Camouflage”:
• 6 digit PIN, 1 million results
• Each is a plausible result.
• The only way to determine the correct key is to sign a challenge and send it to the Authentication Server.
• If not the right key… the invalid attempt counter is incremented.

Page 17

ArcotID : Workflow

An unauthorized person gains access to a User’s desktop

Page 18

ArcotID : Workflow

In his attempt to logon he is challenged by the ArcotID

He assumes that this device is only protected by a password or PIN

Page 19

ArcotID : Workflow

..but it is also protected by “Cryptographic Camouflage”

Page 20

ArcotID : Workflow

The hacker launches an offline “brute force” attack on the ArcotID

Page 21

ArcotID : Workflow

The brute force attack looks for the combination of characters that will produce a well formed, mathematically correct decrypted key

[Figure: candidate PINs 123456, 234567, 345678, 456789, 567890, 678901, 789012, 890123, …]

Page 22

ArcotID : Workflow

To his surprise... every combination produces what appears to be a valid, mathematically correctly formed key

Page 23

ArcotID : Workflow

In fact, a 6 digit numeric PIN would produce 1 million keys

Page 24

ArcotID : Workflow

The only way to determine which one is real is to log onto the online application… and try it.

Page 25

ArcotID : Workflow

After 3 attempts the ArcotID is disabled!

…and an email alert is sent for security
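The offline half of this workflow (slides 16 to 25) as an added toy model in Python, not Arcot's code: a 15-hex-digit "key" must satisfy a structural rule, a conventional container lets a wrong PIN be recognised by that rule, and a camouflaged container maps every PIN onto a well-formed key. The divisibility rule, salt, sample key and PIN are constructed for the illustration; a real ArcotID protects an RSA private key.

```python
import hashlib

# Toy key format: 15 hex digits.  Slide 16's "Key Rule" says hex, begins and
# ends with 1; the extra divisibility test is a constructed stand-in for the
# mathematical structure a real RSA private key has (not Arcot's rule).
P = 9973
SPACE = 16 ** 13                    # possible middle parts of a key
N_VALID = (SPACE + P - 1) // P      # number of well-formed keys
SALT = b"constructed-wallet-salt"   # constructed; stands in for wallet data


def well_formed(key_hex: str) -> bool:
    """Offline check a guesser can run against a candidate decryption."""
    if len(key_hex) != 15 or key_hex[0] != "1" or key_hex[-1] != "1":
        return False
    return int(key_hex[1:-1], 16) % P == 0


def key_from_index(i: int) -> str:
    """Bijection index -> well-formed key: the heart of camouflage."""
    return "1" + format(i * P, "013x") + "1"


def index_of(key_hex: str) -> int:
    return int(key_hex[1:-1], 16) // P


def pin_mask(pin: str) -> int:
    """PIN-derived mask (a product would use a proper slow KDF)."""
    return int.from_bytes(hashlib.sha256(SALT + pin.encode()).digest(), "big")


def standard_protect(key_hex: str, pin: str) -> int:
    """Conventional software key container: key XOR keystream(PIN)."""
    return int(key_hex, 16) ^ (pin_mask(pin) & (16 ** 15 - 1))


def standard_unprotect(blob: int, pin: str) -> str:
    # A wrong PIN yields a random 60-bit value that almost never passes well_formed
    return format(blob ^ (pin_mask(pin) & (16 ** 15 - 1)), "015x")


def camouflage_protect(key_hex: str, pin: str) -> int:
    """Camouflaged container: store the key's index shifted by the PIN, modulo
    the number of well-formed keys, so every PIN maps back onto a valid key."""
    return (index_of(key_hex) + pin_mask(pin)) % N_VALID


def camouflage_unprotect(blob: int, pin: str) -> str:
    return key_from_index((blob - pin_mask(pin)) % N_VALID)


def count_plausible(blob: int, unprotect, pin_digits: int) -> int:
    """What an offline guesser learns: how many PINs yield a well-formed key."""
    return sum(
        well_formed(unprotect(blob, str(p).zfill(pin_digits)))
        for p in range(10 ** pin_digits)
    )


if __name__ == "__main__":
    key, pin = key_from_index(123456789), "4711"        # constructed sample
    std = standard_protect(key, pin)
    cam = camouflage_protect(key, pin)
    print("standard container, plausible keys:", count_plausible(std, standard_unprotect, 4))
    print("camouflaged container, plausible keys:", count_plausible(cam, camouflage_unprotect, 4))
    print("correct PIN opens both:", standard_unprotect(std, pin) == key == camouflage_unprotect(cam, pin))
```

With the camouflaged container every one of the 10^n PINs decrypts to a key that passes the rule, so the only remaining oracle is the authentication server and its attempt counter.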

Page 26

ArcotID: Versatile

ArcotID Storage:
• Data file loaded onto a device
  - PC, Blackberry or Mobile Phone
  - Optional Device-locking to a particular system
• Data file loaded onto USB drive for portability
• Downloaded for on-demand roaming access

Arcot Client Software:
- Flash Implementation
- Java Applet (signed or unsigned)
- Native PC
- Part of Adobe Acrobat 8 and Reader 8

Access anywhere, anytime (future)
- PC, Mobile Phones, Blackberry, PDA

Page 27

ArcotID – One Credential Multiple Uses

Strong Authentication – Web Portals, VPNs

PKI encrypted e-Statements

Digital Signing – PDFs, email, MS Office

Page 28

ArcotID: Cryptographic Camouflage™

“Since the invention of public key cryptography twenty-five years ago, people have been struggling to secure the private key without the assistance of hardware.

Arcot's innovative Cryptographic Camouflage* has solved this problem.

Finally there is a cost-effective and convenient means to strongly authenticate users and transactions over the Internet without the need for cumbersome hardware.”

Martin E. Hellman, Professor Emeritus (Inventor of PKI), Stanford University

* US Patent 6,170,058. Other Arcot Patents include 6,209,102, 6,263,446, 6,895,391, 6,908,030, 6,928,427, 6,959,303, 6,956,950.

Page 29

WebFort Overview

Page 30

WebFort is a Universal Authentication server
• ArcotID authentication
• UserID/Password
• Q and A
• One Time Password
• Custom authentication schemes

WebFort is a 100% software based solution

Single Centralized Administration

Seamless Integration with existing user credential repositories

Support for Open Standards

FFIEC, SOX and HIPAA Compliant

WebFort Introduction

Page 31

WebFort: The Universal Authentication Server

[Diagram: WebFort, with the Arcot™ Administration Console connected through the Administration API]

Page 32

No additional effort for integration with VPN Infrastructure

Seamlessly interoperable with SignFort™ for digital signing solutions

WebFort Enterprise Solutions

Page 33

WebFort Platforms Supported

Operating Systems
• Microsoft Windows Server 2003
• Sun Solaris 10 / 9

Databases
• Oracle 10g / 9i
• SQL Server 2000 / 2005

Application Servers
• Tomcat 5.x
• WebSphere 6.x

Third Party
• JDK 1.5.0x / 1.4.2x

Page 34

WebFort Architecture

Page 35

WebFort Architecture: Authenticating Credentials

Designed for Scalability and Performance

WebFort server is a Stateless server
• No user data is maintained in-memory
• Instead, an Encrypted Token with timestamp is generated

Authentication Token generated for Single-Sign On (SSO) integration
• Proprietary algorithm

Page 36

WebFort Architecture: Issuing Credentials

Issues multiple credentials including ArcotIDs, Questions-Answers (QnA) and UserID/Password

Supports Personal Assurance Message (PAM) to increase the user confidence

Lifecycle Management capability for credentials

Multiple Interfaces for Issuance: Java APIs and Web Services

Page 37

WebFort Architecture

[Diagram: the WebFort Server contains the Authentication Service Framework. Authentication Protocols: ASSP, Proprietary, RADIUS, OATH. Authentication Mechanisms: ArcotID, QnA, Password, Kerberos.]

Framework is the backbone for all common functionality: Caching, Database failover, interface with authentication protocols and authentication mechanisms

Server handles Bootstrapping, Threading and Communication Management

Each authentication protocol and mechanism interfaces with the Authentication Service Framework

Pluggable Architecture minimizes impact on existing components

Page 38

Single System Deployment

[Diagram: every component on one system: Application Server; Issuance Web App; Issuance Java SDK; Issuance Web Service and Issuance Web Service API; Login Web App; Authentication Java SDK; Authentication Web Service and Authentication Web Service API; Web Services Client; Administration Console; Sample JSP or customer app; WebFort Server; SQL DB; JRE / JDK; JDBC Driver; ODBC Client; ODBC Driver. Key: WebFort provided component / Prerequisite component.]

Page 39

Typical Deployment with Java APIs

[Diagram: components spread over System #1, System #2 and System #3 (two Application Servers): WebFort Server; Administration Console; Issuance Web App; Issuance Java SDK; Login Web App; Authentication Java SDK; Sample JSP or customer app; SQL DB; JRE / JDK; JDBC Driver; ODBC Client; ODBC Driver. Key: WebFort provided component / Prerequisite component.]

Page 40

Typical Deployment with Web Services

[Diagram: components spread over System #1, System #2 and System #3 (two Application Servers): WebFort Server; Administration Console; Issuance Web App; Login Web App; Authentication Web Service and Authentication Web Service API; Issuance Web Service and Issuance Web Service API; Web Services Client; Sample JSP or customer app; SQL DB; JRE / JDK; JDBC Driver; ODBC Client; ODBC Driver. Key: WebFort provided component / Prerequisite component.]

Page 41

WebFort Integration With Client Application

Page 42

WebFort Features

Page 43

WebFort Server Features

Multiple authentication protocols

Multiple authentication mechanisms

Support for open standards

High Availability and Reliability

Audit Logging

Roaming services

Data Caching

Page 44

WebFort Features: Multiple Authentication Protocols

Support for multiple authentication protocols for ease of deployment in a variety of scenarios

Supports Proprietary and Adobe Signature Service Protocol (ASSP)

Support for RADIUS and OATH


Page 45

WebFort Features: Multiple Authentication Mechanisms

WebFort supports multiple types of credentials including:
• ArcotID
• QnA
• Password
• Kerberos (token verification only)

Each Credential is implemented as a separate module, DLL or SO, that is loaded dynamically


Page 46

WebFort Features: Open Standards

Supports SASL during authentication
• The current SASL support is enabled via ASSP

Supports SAML for returning successful authentication
• Currently, support for SAML is enabled via ASSP

Supports SOAP 1.2 and Axis 2.0 for Web Services
• Available for Issuance and Authentication


Page 47

WebFort Features: RAS

Built for high availability and reliability

Stateless instances for ease of load-balancing

Failover at Database Level

Backup database and database connection pooling supported


Page 48

WebFort Features: Logging

Audit Logging enables tracking of all authentication attempts
• All authentication attempts, successes and failures are logged in the database

Multi-Level File Logging
• File logging with multi-level control with a fine-grain configuration
• Log Levels: Fatal, Warning, Info, Low


Page 49

WebFort Features: Roaming Services

Traveling user access
• Secure roaming access to download an ArcotID

Authenticate a roaming user
• Roaming Questions and Answers
• UserID/Password
• Third party integrations for OTP


Page 50

WebFort Features: Data Caching

Commonly used tables are cached in the servers

Cache refresh is done via tool. Server restart is not required

Refreshes cache for stored information such as System Configuration, Group, Sub-Group, File System Log Level, etc.


Page 51

Database Features

WebFort Server supports backup database and connection pooling to both primary and backup databases.

The Minimum, Maximum and the Number of Connections to Increment can be configured at the server side.

An AutoRevert feature is available to connect back to the primary DB after a failover.

Page 52

Multi-DB Pooling

Page 53

WebFort Clients

Page 54

ArcotID Client Capabilities

[Capability matrix; the cell values are not recoverable. Clients (columns): Flash Client, Unsigned Java Applet, Signed Java Applet, Native, Embedded in Adobe Reader. Capabilities (rows): ArcotID Roaming Download, ArcotID Saved to Desktop, Digital Signing and Encryption CSP (MS Office) & PKCS#11 (PDF), ArcotID Saved to USB Drive *, Authentication, Digitally Sign Web Forms, Digital Signing w/ Roaming IDs, Device Lock ArcotID, WebVPN.]

Notes: Stored in Flash secure object store, not available to copy onto USB, floppy, CD, etc. Only for SSL connections through a web browser.

* Can use an ArcotID stored on a USB drive, but can not save to USB

Page 55

WebFort Clients

Flash Client

Native Client For Windows

Java Signed Applet

Java Unsigned Applet

Embedded Client in Adobe Acrobat and Reader

Page 56

Flash Client

Uses the widely adopted Adobe Flash Player (version 9 or higher) installed in most browsers.

Creates a secure Flash storage to store the ArcotID either persistently or per session.

User experience is completely transparent during ArcotID authentication.


Page 57

Native Client

The native client for Windows is an install package that includes the Arcot browser plug-in, Arcot Cryptographic Service Provider (CSP), and Arcot PKCS#11 module.

Supported on Internet Explorer browser and can be embedded in Win32 applications.


Page 58

Java Signed Applet Client

The signed Java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM). A security window is displayed when the signed Java applet is invoked for the first time.


Page 59

Java Unsigned Applet Client

The unsigned Java applet is an implementation of the ArcotID Client that can run in any web browser that contains a Java Virtual Machine (JVM).

When using the Arcot unsigned Java applet, the user will not be prompted with any security messages or warnings.

Unsigned Java Applet cannot store ArcotID persistently.


Page 60

Embedded Client in Adobe Acrobat and Reader

ArcotID Client functionality is embedded in the shipping versions of Acrobat 8 (and higher) and Adobe Reader 8 (and higher). This functionality enables ArcotIDs to be used to authenticate when digitally signing PDF files using a Roaming Digital ID.


Page 61

WebFort Interfaces/SDK

Page 62

WebFort: Interfaces/SDK

Proprietary: Java APIs
• Client-Server architecture
• Proprietary (Binary Packet based) protocol
• WebServices interface (Java based)
• TCP Connection Pooling
• Database Connection Failover support

Adobe Arcot Signing Protocol (ASSP support)
• WebServices interface
• Uses SOAP, SAML, SASL
• Uses gSOAP and openSAML

Page 63

WebFort Client-Server Model

Page 64

WebFort Authentication SDK

The SDK provided by WebFort validates the supported user credentials.

The following are a few of the operations that can be carried out using the authentication SDK:

• Verify the user credentials for supported mechanisms; single step (UserID/Password) or multi step (ArcotID, QnA).

• Provide the Authentication Token after successful authentication.

• Verify the Authentication tokens.

Page 65

WebFort Issuance SDK

The Issuance SDK package takes care of the initial provisioning of credentials to users.

The following are a few of the operations that can be carried out using the issuance SDK:
• Issue the credentials to the users
• Perform the credential life cycle management operations
  - Create
  - Revoke
  - Reissue
  - Delete
• Perform the user management
  - Create the user
  - Update the user

Page 66

WebFort: Web Services

Provides Issuance and Authentication capabilities

Platform independent

Supports industry standards like SOAP 1.2 and Axis 2.0

Wrapper around the Issuance and Authentication Java APIs

Ease of deployment – Web application

Page 67

List of Web Services With WebFort And Their Associated Operations

AuthAccessorService
• authGetArcotID

ArcotWebFortWebService
• receivePAM
• sendArcotIDResponse
• receiveArcotIDWallet
• verifyToken
• receiveArcotIDInfo
• receiveArcotIDChallenge

Page 68

Contd…

AuthXActionService
• upVerifyPassword
• aidVerifySignedChallenge
• authTokenVerify
• aidVerifySignedData
• aidGetChallenge
• qnaVerifyAnswers
• qnaGetQuestions
• authGetPAM

Page 69

ArcotID Authentication Using WebFort

Page 70

ArcotID™ and WebFort™ Solution Overview

[Diagram: Bank side with WebFort™ and an HSM holding the Domain key; ArcotID on the user side]

1. Server sends Login Page containing challenge
   User enters PIN; Generate Private Key with PIN + data on wallet; Sign challenge encrypted with private key
2. Send Signed challenge
3. WebFort™ verifies signed challenge
4. WebFort™ sends security token
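The online half of the exchange on this slide (steps 1 to 4, together with the attempt counter and alert from slide 25 and the challenge timeout and token validity settings from slide 78) as an added Python model, not WebFort's code: an HMAC stands in for the RSA signature, the toy server holds the verification key directly, and every key, wallet and user value is constructed.

```python
import hashlib
import hmac
import secrets
import time

MAX_AUTH_ATTEMPTS = 3    # slide 25: the ArcotID is disabled after 3 attempts
CHALLENGE_TIMEOUT = 60   # seconds; "challenge timeout" is a setting on slide 78
TOKEN_VALIDITY = 300     # seconds; "auth token validity" on slide 78


def derive_key(wallet_data: bytes, pin: str) -> bytes:
    """Stand-in for 'Generate Private Key with PIN + data on wallet'."""
    return hashlib.sha256(wallet_data + pin.encode()).digest()


def sign_challenge(key: bytes, challenge: bytes) -> bytes:
    """Client side. A toy HMAC stands in for the RSA signature a real ArcotID makes."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class WebFortServer:
    """Toy authentication server: issue challenge, verify, count failures, mint tokens."""

    def __init__(self, domain_key: bytes):
        self.domain_key = domain_key   # signs security tokens (cf. slide 76)
        self.users = {}                # user_id -> {"key", "fails", "disabled"}
        self.challenges = {}           # user_id -> (challenge, issued_at)
        self.alerts = []               # stands in for the e-mail alert on slide 25

    def enroll(self, user_id: str, wallet_data: bytes, pin: str) -> None:
        # Toy simplification: the server keeps the verification key; a real
        # deployment would hold only the public half of the user's key pair.
        self.users[user_id] = {"key": derive_key(wallet_data, pin),
                               "fails": 0, "disabled": False}

    def get_challenge(self, user_id: str, now=None) -> bytes:
        """Step 1: the login page carries a fresh random challenge."""
        challenge = secrets.token_bytes(16)
        self.challenges[user_id] = (challenge, time.time() if now is None else now)
        return challenge

    def verify_signed_challenge(self, user_id: str, signature: bytes, now=None):
        """Steps 3 and 4: verify the signature, then issue a token or count the failure."""
        now = time.time() if now is None else now
        user = self.users[user_id]
        if user["disabled"]:
            return "disabled", None
        # Each challenge is single-use: it is consumed whether or not the signature is good
        challenge, issued_at = self.challenges.pop(user_id, (None, 0.0))
        if challenge is None or now - issued_at > CHALLENGE_TIMEOUT:
            return "challenge_expired", None
        if hmac.compare_digest(sign_challenge(user["key"], challenge), signature):
            user["fails"] = 0
            return "ok", self._issue_token(user_id, now)
        user["fails"] += 1
        if user["fails"] >= MAX_AUTH_ATTEMPTS:
            user["disabled"] = True
            self.alerts.append(f"{user_id}: ArcotID disabled after {user['fails']} failures")
        return "invalid", None

    def _issue_token(self, user_id: str, now: float) -> str:
        expiry = int(now) + TOKEN_VALIDITY
        body = f"{user_id}|{expiry}"
        return body + "|" + hmac.new(self.domain_key, body.encode(), hashlib.sha256).hexdigest()

    def verify_token(self, token: str, now=None) -> bool:
        """Relying applications hand the token back to WebFort (verifyToken on slide 67)."""
        now = time.time() if now is None else now
        user_id, expiry, mac = token.split("|")
        body = f"{user_id}|{expiry}"
        expected = hmac.new(self.domain_key, body.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac) and now < int(expiry)


if __name__ == "__main__":
    server = WebFortServer(b"constructed-domain-key")
    wallet = b"constructed-wallet-data"
    server.enroll("alice", wallet, "123456")
    challenge = server.get_challenge("alice")
    status, token = server.verify_signed_challenge(
        "alice", sign_challenge(derive_key(wallet, "123456"), challenge))
    print(status, server.verify_token(token))
```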

Page 71

WebFort Administration Console

Page 72

Admin Console: Self Administration

Privileges and Policies
• Built in hierarchy
  - Master Administrator – System boot strapping, global administrator management
  - Global Administrator – Across product suite administration, User Group management, Group administrator/CSR management
  - Group Administrator – CSR management, Group configuration management, Group report generation
  - Customer Service Representative (CSR) – End User management, day to day operation handling
• All admin functionality is controlled by privilege policies
  - Different privilege policies for different levels of admin

Admin Console Features: Self Administration, Server Configuration Administration, Reports, High Interoperability, Logging

Page 73

Creating a User

The Enrollment form screen is used to create a user who can then be assigned the role of an admin.

Page 74

Create Admin and assign Policy

To create a Global admin, log in to the Master Admin screen and assign the registered user to the ‘Global Admin Policy’.

To create a Group or CSR admin, log in as a Global Admin and assign the ‘Group or CSR Policy’.

Page 75

Admin Console: Server Configuration Administration

WebFort Configuration
• Domain Key Creation
• Server Protocol Setup
• Authentication Method Configuration
• Managing Credentials
  - Enable Credentials
  - Disable Credentials
  - Reset Credentials
  - Revoke Credentials

Page 76

Generate WebFort Domain Key

For every installation of the WebFort server, a domain certificate and key need to be generated.

The screen shown is available at the Master Admin level to create the domain key.

Page 77

Server Protocol Setup

Two ports can be configured here: the Native and Admin ports.

Native Protocol Module port is used by clients to connect to the WebFort server during authentication requests

Admin port is used by the aradmin tool for refresh and shutdown requests.

Page 78

Authentication Configuration

Configuration for the various Authentication parameters such as:
• ArcotID/QnA Authentication challenge timeout
• Auth token validity
• Max Auth attempts
• # questions asked and required to be correct

Page 79

Managing Credentials

Credentials can be temporarily disabled from the ‘Disable Credentials’ screen

Disabled credentials will fail authentication attempts

To enable the credentials again, use the ‘Enable Credentials’ screen.

Page 80

Resetting and Revoking Credentials

The ‘Reset Credential’ page can be used to reset the ArcotID password or the User Name/Password.

An ArcotID can be revoked using the ‘Revoke Credential’ screen. Revoked credentials cannot be enabled again.

Page 81

Admin Console: Server Configuration Administration

Issuance Configuration
• Managing ArcotID Profiles
• Managing QnA Profiles
• Managing Password Profiles
• Assign Profiles

Page 82

ArcotID Credential Profile

The parameters for the ArcotID credential can be configured here, such as:
• Key Strength
• Validity Start and End Date

Default is Key strength of 1024 bits and 2 year validity.

Page 83

QnA Credential Profile

Parameters for the QnA based authentication can be stored here:
• Minimum and Maximum QnA
• Case Sensitivity
• Store as SHA-1 hash

Page 84

Password Credential Profile

The Minimum and Maximum length for the password can be set here.

Page 85

Assign Profile

The Profiles created in the earlier screens can be assigned to one of the two existing groups.

Page 86

Questions?

Page 87

Arcot WebFort Fundamentals