Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer



Similar documents
How CA Arcot Solutions Protect Against Internet Threats

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Strong Authentication for Secure VPN Access

Using etoken for Securing s Using Outlook and Outlook Express

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Agenda. How to configure

Using Entrust certificates with VPN

Law College Computer and Technology Information

Advanced Authentication

Securing ArcGIS Server Services: First Steps

Server-Assisted Generation of a Strong Secret from a Password

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

What Are They, and What Are They Doing in My Browser?

TrustKey Tool User Manual

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

End User Encryption Key Protection Policy

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Digital Signatures on iqmis User Access Request Form

Advanced Authentication Methods: Software vs. Hardware

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

SSL VPN vs. IPSec VPN

Research Article. Research of network payment system based on multi-factor authentication

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Check Point FDE integration with Digipass Key devices

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Entrust Managed Services PKI

Innovations in Digital Signature. Rethinking Digital Signatures

Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012

RemotelyAnywhere Getting Started Guide

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Dashlane Security Whitepaper

Understanding digital certificates

Client Server Registration Protocol

How To Encrypt Data With Encryption

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Installation and Configuration Guide

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate (Personal eid) WISeKey 2010 / Alinghi 2010 Smartcards

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Savitribai Phule Pune University

DRAFT Standard Statement Encryption

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Security Policy Revision Date: 23 April 2009

Secure Remote Password (SRP) Authentication

Information Security

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Configuring Security Features of Session Recording

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

An Introduction to Entrust PKI. Last updated: September 14, 2004

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Understanding Digital Certificates and Secure Sockets Layer (SSL)

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

GT 6.0 GSI C Security: Key Concepts

FileCloud Security FAQ

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Personal Secure Certificate

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate on Aladdin etoken (Personal eid)

Ciphire Mail. Abstract

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Information Technology Department. Miller School of Medicine New User Guide

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

Managed Services PKI 60-day Trial Quick Start Guide

SchoolBooking SSO Integration Guide

SAP Single Sign-On 2.0 Overview Presentation

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Securing your Online Data Transfer with SSL

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS

White Paper. Options for Two Factor Authentication. Authors: Andrew Kemshall Phil Underwood. Date: July 2007

Yale Software Library

SENSE Security overview 2014

Certified Document Services (CDS) End User Installation Guide

Digital Signature Certificate Online Enrollment Guide using etoken

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

How To Understand And Understand The Security Of A Key Infrastructure

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2


Why Password- Enabled PKI

Analysis of E-Commerce Security Protocols SSL and SET

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Security Guide. BES12 Cloud. for BlackBerry

PROXKey Tool User Manual

Ensuring the security of your mobile business intelligence

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

Complying with PCI Data Security

10 Secure Electronic Transactions: Overview, Capabilities, and Current Status

Enterprise Security Interests Require SSL with telnet server from outside the LAN

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Procedure for How to Enroll for Digital Signature

Transcription:

Arcot Systems, Inc. Securing Digital Identities FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

Today s Agenda Background Who is Arcot Systems? What is an ArcotID? Why use ArcotIDs? Understanding Cryptographic Camouflage The Roaming Challenge Requirements for Credential mobility. Understanding Arcot Authentication Setting up for roaming User Authentication Roaming Pick-up Arcot v Others Three things to remember. Questions? Federal PKI Presentation September 14, 2000 Page 2

Who is Arcot Systems? Arcot provides hardware-like authentication security solutions entirely in software. Private, with over $30M in funding. Accel Partners Oracle Novell First Union National Bank Flagship Customers Sweden Post First Union National Bank Strategic Partners Digital Signature Trust ID.Safe Entrust Technologies Technology Advisory Board Martin Hellman Taher Elgamal Bruce Schneier Federal PKI Presentation September 14, 2000 Page 3

What is an ArcotID? Secure software container for PKI credentials. Smart-card like security in software Works with browsers,vpns, network login, PDAs, wireless (future) Common user interface for certificates CA independent User interface remains consistent regardless of CA changes Federal PKI Presentation September 14, 2000 Page 4

Why use ArcotIDs Arcot is easy to use. Arcot provides hardware-like protection of PKI credentials. Arcot provides secure mobile PKI authentication. Federal PKI Presentation September 14, 2000 Page 5

Arcot ID Characteristics Arcot IDs are secure software private key containers that have hardware smart card-like characteristics Similar to Hardware Smart Cards and unlike Network Servers (EKE/SPEKE): Arcot IDs are tamper resistant against dictionary attacks User can hold Arcot ID private key container locally User accesses private key by entering password locally There is no private key password verifier in the system Similar to Network Servers User s can remotely pick-up Arcot IDs for Mobile Authentication Federal PKI Presentation September 14, 2000 Page 6

Arcot Systems 1. Ease of Use 2.Security 3. Mobility Federal PKI Presentation September 14, 2000 Page 7

Private Key Container Facts PKI Security is dependent on protecting the private key and thus the private key container Password-encrypted files, hardware smart cards, network servers, and Arcot camouflaged files These containers must ultimately be protected by something like a password/pin Conventional software key containers are subject to dictionary attacks Smart cards avoid dictionary attacks by locking up Network servers typically have password verifiers on server that are subject to dictionary attacks Federal PKI Presentation September 14, 2000 Page 8

Password Key Protection Password-Encrypted Files and some Network Servers are subject to dictionary attacks Because the password space is small enough to search And the correct key or plaintext can be recognized by its own structure or from context Conventional defenses Make the password space large But then people can t remember their passwords Make decryption slow Vulnerable to computing power? Federal PKI Presentation September 14, 2000 Page 9

Camouflage - Background Instead of encrypting the private key with a password that is too long for exhaustive attack We camouflage it, or encrypt it so that: only one password will decrypt it correctly, but many passwords will decrypt a plausible candidate key This protects a private key against dictionary attack, similar to a smart card Federal PKI Presentation September 14, 2000 Page 10

How to camouflage the key To achieve our goal, camouflage uses a number of techniques. Camouflage can be applied to RSA, DSA, EC-DSA, etc. Don t encrypt known structure with PIN Conceal the public key and don t use it to encrypt verifiable plaintext Don t reveal information about the PIN Randomize and protect signatures Federal PKI Presentation September 14, 2000 Page 11

Camouflage, Public Keys, and Arcot IDs Each Arcot ID has two key pairs Camouflaged Arcot key pair Public key is encrypted Used for strong user authentication & signatures Non-camouflaged key pair Plaintext public key in SubjectPublicKeyInfo field Private key may be encrypted with split symmetric key and hosted on network servers for secure download Used for email signing & encryption Federal PKI Presentation September 14, 2000 Page 12

Arcot Systems 1. Ease of Use 2. Security 3.Mobility Federal PKI Presentation September 14, 2000 Page 13

Requirements of Mobility For mobility, users require familiar flexibility associated with password based systems. Anyone System strongly authenticates authorized users. Any device Authenticate from Server, Laptop, PDA, Network device and wireless devices. Anywhere Home, Office, Hotel, Kiosk, Library. Affordable Arcot satisfies all requirements and delivers the PKI credentials securely in software. Federal PKI Presentation September 14, 2000 Page 14

Understanding Arcot Authentication Arcot leverages any Public Key Infrastructure to positively identify End Users with certificates. Arcot uses a separate challenge to pick up roaming credentials. Arcot leverages a second local authentication to access the Private Key to sign authentication challenges. Arcot supports both server and client key generation. Next we will walk through: Adding a user and setting up for roaming. Understand Arcot Authentication. Authenticating to Arcot with your roaming ArcotID. Federal PKI Presentation September 14, 2000 Page 15

Arcot Admin enters delivers user Activation information Code to into the Arcot. End User i.e. through Name, email, offline ID, transport. etc. PKI Administrator Arcot securely submits certificates to CA. CA signs certificates and completes all PKI Activation Code confirmed. Arcot functions, i.e. public certificate written to waits End for User End exits User browser. to generate Arcot keys. ID is directory. Certificates returned to End User. transferred over SSL and securely stored on the Arcot Card Server. Arcot Personalization Station Arcot Card Server Web Server End User Network Signed certificates and private key End user wrapped selects PIN and protected and generates in Arcot keys. ID. End Submits User receives certificate registration information from End Users request submits to CA Qs over and As SSL for for Admin End User and establishes contacts registration signing. SSL session web and server. Roaming Access. submits required information including Activation Code to web server. Federal PKI Presentation September 14, 2000 Page 16

Arcot Private Key is used to create a signed challenge response for the AAS. Signed challenge is transported to AAS. Internet Intranet Arcot Authentication If user End has User Arcot attempts ID, they are The decrypted Arcot Public Key prompted to access to End protected authenticate. User enters If correct verifies PIN the signed challenge. user doesn t resource. have into ID Arcot they ID. are Arcot The ID user has been Arcot positively Authentication Server prompted to pickup releases roaming Private Key. identified AAS and extracts granted the access Arcot (AAS) to requests Arcot ID. Encrypted the Intranet Public resources. from authentication public challenge. certificate and decrypts with Establishes the SSL. AAS Domain Key. Federal PKI Presentation September 14, 2000 Page 17

Intranet Resources Arcot Card Server Arcot Authentication Server Web Server w/ Arcot Proxy Internet Arcot verifies roaming answers. Arcot Card Server delivers Arcot Arcot Proxy Auth Server identifies verifies resource signed as ID to the End User. challenge. protected. End If End User User is authenticated! does not have an Arcot ID redirect to Card Pickup. End User End User authenticates enter requests user access name ArcotID to and a responds with protected PIN. to roaming Private resource. Key questions. signs challenge for Arcot Auth Server. Federal PKI Presentation September 14, 2000 Page 18

How does Arcot Compare Any One Any Device Any Where Affordable Secure Smart Cards USB Tokens SPEKE Servers Distributed Servers???? Arcot Federal PKI Presentation September 14, 2000 Page 19

Three Things to Remember Leverages any PKI Entrust, VeriSign, Netscape, Microsoft, Baltimore, others. Supports Non-Repudiation Client-side Key Generation No passwords, hashes or verifiers to authenticate We authenticate with certificates. Federal PKI Presentation September 14, 2000 Page 20

For more information: Les Cashwell Federal Manager Les@arcot.com Office: 703-934-6194 Fax: 703-934-6126 Michael Seguinot Federal Technical Advisor Seguinot@arcot.com Office: 703-934-6133 Mobile: 703-967-8557 Today s Speaker Tom Wu Principal Software Engineer Federal PKI Presentation September 14, 2000 Page 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information