Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012





Agenda
Security requirements
The T2S U2A 2 Factor Authentication solution
Additional investigation: Terminal Services, OTP authentication, Remote HSM
Conclusions

Security requirements 1/2
The T2S Information Security requirements and controls require strong authentication for remote access by users.
10.4.2 User authentication for external connections. Control: Strong authentication methods (e.g. hardware token, certificates) must be used to control access by remote users.
Strong authentication is performed via two-factor authentication:
Something the user knows (PIN)
Something the user owns (a physical object such as a smart card or USB token)

Security requirements 2/2
Connectivity workshop on 27 February 2012: the Eurosystem proposal is based upon strong authentication of GUI sessions via Dedicated Links, using certificates stored on hardware devices that are managed by physical users.

T2S U2A 2 Factor Authentication solution
The T2S U2A application is based on the implementation of strong authentication via X.509 certificates on smart cards or cryptographic USB tokens.
The association between X.509 certificates and T2S users is managed in Static Data.
4CB will provide USB tokens (or smart cards) in the Dedicated Links context and for the Internet channel; VA-NSPs have been requested to provide their users with smart cards carrying the certificates to be used for 2FA.
The solution implies the use of a USB port, either for the USB token or for the smart card reader, and specific drivers will have to be installed on the client.
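As an added illustration, not part of the original presentation and not T2S or 4CB code, the following Go program runs the certificate-based login described above end to end: the server demands a client certificate, verifies that it chains to the issuing CA, and only then resolves the T2S user from the certificate-to-user association. Everything in it is an assumption made for the example: the CA name, the host name t2s.example, the Common Names, the loopback TCP connection, and the map keyed by subject Common Name that stands in for Static Data (a real deployment may key on the full DN or issuer and serial). The private key that a smart card or USB token would keep on the device is simulated with a key generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; used only while building the example fixtures (Go's "Must" pattern).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue generates a P-256 key and a certificate for it: a self-signed CA when parent is
// nil, otherwise a leaf signed by parent with the given extended key usage and DNS names.
func mustIssue(cn string, serial int64, parent *tls.Certificate, eku x509.ExtKeyUsage, dns ...string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, DNSNames: dns,
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Authenticate runs a mutual-TLS handshake over a loopback TCP connection: the server accepts only
// client certificates chaining to ca, then maps the subject Common Name to a T2S user through
// staticData (assumed stand-in for Static Data). The server's verdict wins: under TLS 1.3 the
// client's handshake already returns before the server has verified the client certificate.
func Authenticate(ca, server, client tls.Certificate, staticData map[string]string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "t2s.example"} // hypothetical host
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	type verdict struct{ user string; err error }
	done := make(chan verdict, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- verdict{err: err}
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, srvCfg)
		if err := srv.Handshake(); err != nil {
			done <- verdict{err: fmt.Errorf("server rejected client: %w", err)}
			return
		}
		cn := srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		if user, ok := staticData[cn]; ok {
			done <- verdict{user: user}
		} else {
			done <- verdict{err: fmt.Errorf("certificate CN %q has no T2S user in Static Data", cn)}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // the token's private key signs the handshake here
	defer func() { if conn != nil { conn.Close() } }()
	v := <-done
	if v.err == nil && err != nil {
		return "", err
	}
	return v.user, v.err
}

// RunScenario builds the CA, server and client identities in memory and tries three logins: an
// enrolled token, a certificate from an untrusted issuer (same name, different key), and a
// trusted certificate with no Static Data entry.
func RunScenario() (goodUser string, goodErr, rogueErr, unmappedErr error) {
	ca := mustIssue("T2S Example Issuing CA", 1, nil, 0)
	rogueCA := mustIssue("T2S Example Issuing CA", 1, nil, 0)
	server := mustIssue("t2s.example", 2, &ca, x509.ExtKeyUsageServerAuth, "t2s.example")
	sd := map[string]string{"U2A-USER-0001": "T2S-USER-ALPHA"} // constructed sample association
	goodUser, goodErr = Authenticate(ca, server, mustIssue("U2A-USER-0001", 3, &ca, x509.ExtKeyUsageClientAuth), sd)
	_, rogueErr = Authenticate(ca, server, mustIssue("U2A-USER-0001", 4, &rogueCA, x509.ExtKeyUsageClientAuth), sd)
	_, unmappedErr = Authenticate(ca, server, mustIssue("U2A-USER-9999", 5, &ca, x509.ExtKeyUsageClientAuth), sd)
	return
}
```

The three attempts in RunScenario separate the two checks that the slide combines. A certificate whose Common Name matches an enrolled user but was issued by a different CA, even one carrying the same issuer name, fails the chain verification inside the TLS handshake, so the Static Data lookup never runs; a genuine certificate that is not enrolled completes the handshake but yields no T2S user. To use a real smart card or USB token, the in-memory key in the client t​ls.Certificate would be replaced by a crypto.Signer backed by the card's PKCS#11 middleware, which is exactly the driver the slide says must be installed on the client.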

Additional investigation
Is a Terminal Server solution based on Citrix compliant with the T2S U2A solution?
Other requests for clarification concern thin clients (not a traditional PC) without a USB port, or the wish to avoid, in any case, the use of local USB ports on the client.

Terminal services
A Citrix-based environment is a viable solution, but:
According to our current experience, smart card drivers must be installed on both client and server (investigation ongoing).
The USB device must still be plugged into the client.

OTP authentication 1/2
One-Time Password hardware tokens do not need a USB port ("disconnected tokens").
They generate pseudo-random codes synchronized with the authentication server (by an event counter or by the clock); the token is never connected to the client.

OTP authentication 2/2
Not compliant with the current T2S U2A solution:
It is not based upon X.509 certificates.
It is not in line with the DL CR assessment. The need to support different authentication methods for U2A connections through the different channels (VAN, DL, Internet) would increase the costs.
U2A user authentication, Reference ID T2S.UC.TC.30245: The NSP shall distribute to the end users the credential to access the interface to T2S. The NSP shall deliver the certificates for U2A to the end users (with a smart card).
More vulnerable than smart cards or USB tokens:
Man-in-the-middle attacks (an OTP is a short code that whoever intercepts it can submit within its validity window, whereas a certificate-based login is bound to the TLS session).
RSA SecurID attack in March 2011 (theft of token seed data from the vendor).
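For the two OTP slides above, here is an added Go example, not from the original presentation or from any token vendor, of the event-based OTP of RFC 4226 (HOTP: HMAC-SHA1 over a counter with dynamic truncation) and its time-based variant of RFC 6238, showing what "synchronized with the authentication server" means in practice. The server keeps the expected counter and a look-ahead window to resynchronize after presses the user never submitted, and burns every code up to the accepted one so that it cannot be replayed. The secret is the RFC test key; the window size, the Token and Server types and the sample session are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 one-time password for a shared secret and counter:
// HMAC-SHA1 over the big-endian counter, dynamic truncation to a 31-bit value,
// then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is the RFC 6238 variant: the counter is the number of 30-second steps since the
// Unix epoch, so token and server synchronize on the clock instead of on a press count.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/30), digits)
}

// Token models the disconnected hardware token: a secret and a counter that advances
// on every press, whether or not the user ever submits the code.
type Token struct {
	secret  []byte
	counter uint64
}

func (t *Token) Press() string {
	code := HOTP(t.secret, t.counter, 6)
	t.counter++
	return code
}

// Server is the authentication server's record for one token: the same secret (so a
// stolen seed database reproduces every code), the next counter it expects, and a
// look-ahead window that absorbs presses the user made without logging in.
type Server struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Verify accepts a code matching any counter in [counter, counter+window]; on success
// the counter moves past the match, so that code and any skipped ones are burned.
// Nothing binds the code to the TLS session that delivered it: a code relayed by a
// phishing proxy is indistinguishable from one the user typed into the real site.
func (s *Server) Verify(code string) bool {
	for i := uint64(0); i <= s.window; i++ {
		if hmac.Equal([]byte(HOTP(s.secret, s.counter+i, 6)), []byte(code)) {
			s.counter += i + 1
			return true
		}
	}
	return false
}

// Session runs a constructed sequence of events and returns the verdicts in order:
// first login, replay of the same code, login after three unsubmitted presses,
// replay of a skipped code, and a token pressed far beyond the window.
func Session() []bool {
	secret := []byte("12345678901234567890") // RFC 4226 test secret, shared by token and server
	tok := &Token{secret: secret}
	srv := &Server{secret: secret, window: 10}
	first := tok.Press()   // counter 0
	skipped := tok.Press() // counter 1, generated but never submitted
	tok.Press()            // counter 2, never submitted
	tok.Press()            // counter 3, never submitted
	fourth := tok.Press()  // counter 4
	for i := 0; i < 20; i++ {
		tok.Press() // counters 5..24 pass unsubmitted
	}
	late := tok.Press() // counter 25
	return []bool{
		srv.Verify(first),   // true: matches counter 0, server moves to 1
		srv.Verify(first),   // false: replay
		srv.Verify(fourth),  // true: counter 4 is inside the window, server moves to 5
		srv.Verify(skipped), // false: counter 1 was burned by the resynchronization
		srv.Verify(late),    // false: counter 25 lies beyond 5+10
	}
}

func main() {
	fmt.Println(Session()) // [true false true false false]
}
```

Two properties of this design are what the slide is pointing at. The server holds the same shared secret as the token, so a copy of the server-side seed records is enough to compute every code of every token, which is why the theft of SecurID seed data in the March 2011 breach mattered so much. And the code is a short number that is valid for whoever presents it while it is inside the window: a proxy that relays the victim's code to the real site within seconds logs in as the victim, whereas a smart card's private key signs data bound to the specific TLS handshake and never leaves the card.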

Remote HSM 1/2
A Hardware Security Module holding the authentication certificates (with their private keys), managed by the IT department of the CSDs; no USB port is required on the clients.

Remote HSM 2/2
The solution is not compliant with the T2S U2A solution.
Certificates stored on an HSM are suitable for signature purposes, but not properly for authentication: the user has in any case to be identified first in order to access their own certificate on the HSM, so whatever credential performs that identification is the real authentication factor.
The principle "something the user owns" is not fulfilled.

Conclusions
The T2S U2A 2 Factor Authentication solution is based on certificates stored on smart cards or USB cryptographic token devices.
The usage of Citrix is compliant with the solution; the need to install software also on the client must be further investigated.
The usage of OTP tokens for 2FA is not compatible with the T2S U2A 2FA solution.
The usage of a remote HSM for authentication purposes is not compatible with the T2S U2A 2FA solution.

Q & A