Secure Web Access Solution


I. CONTENTS

II. INTRODUCTION
    Overview
    Copyrights and Trademarks
III. E-CODE SECURE WEB ACCESS SOLUTION
    Overview
    PKI Secure Web Access
        Description
        Benefits
    OTP Secure Web Access
        Description
        Benefits
IV. ABOUT E-CODE

II. INTRODUCTION

This document provides a detailed technical description of the Secure Web Access solution by E-Code.

Overview

E-Code Secure Web Access is a solution that makes web access more secure and eliminates the opportunity for credential theft. E-Code Secure Web Access adds two- or three-factor authentication based on Public Key Infrastructure (PKI). The solution also offers a second method that uses One-Time Passwords (OTP). Unlike plain username/password credentials, PKI and OTP credentials cannot simply be captured and reused by an attacker.

Copyrights and Trademarks

All of the content in this manual and the accompanying software (including all text, graphics, sounds, demos, patches, hints and other files) is covered under KSA and international copyright and trademark laws by E-Code and other companies, and is the property of E-Code or is presented with permission and/or under license. This content may not be used for any commercial purpose without the express written permission of E-Code and, possibly, other copyright and trademark owners. All other trademarks and copyrights are the property of their respective owners.

2015, E-Code

III. E-CODE SECURE WEB ACCESS SOLUTION

Overview

Online transactions are an essential part of today's life and are constantly entering new fields and applications. With the launch of e-government and e-commerce initiatives, the demand for secure and reliable web access has become very important. Some transactions are online payments; others, such as games portals, are for entertainment and are less critical and sensitive than financial transactions. Other actions, such as logging in to enterprise resources remotely, are critical enough that the user's identity must be strictly proven.

Most web sites and web applications rely on username and password authentication, which is not a secure way to authenticate. A user's password may be stolen in many ways: keystroke loggers, brute-force attacks, or even a compromise of the server side. Another problem with username/password credentials is that the user will not notice that an attacker has stolen the password and is using it. A further problem is that static username/password credentials are cached in the web browser. This is extremely dangerous: an attacker can compromise the browser and retrieve the credentials, or another person can use them to log in later from the same machine.

[Figure: password theft. Hacker, user, web server.]

A masquerade attack is a common example of attacker activity against web services and applications and illustrates the problem. The attacker compromises the user's machine and steals the username/password credentials, then uses them to access the web server, either at the same time as the user or later, after the user logs out. Stealing money or publishing illegal and harmful content on behalf of the user is what the attacker can now do.

E-Code Secure Web Access Solution provides a secure and reliable connection to websites and applications. The basic idea of the solution is a hardware token (PKI or OTP) that holds the user's credentials. Hardware devices are secure and cannot be copied. Also, when the token is lost the user can take action to suspend the service or the account related to that token.

The E-Code solution includes two alternatives:
1. PKI-based Secure Web Access.
2. OTP-based Secure Web Access.
These alternatives are described below with details about modules, features, and benefits.

PKI Secure Web Access

Description

This solution provides a hardware authentication technique for web sites and web applications. The E-Code Smart Token stores the user certificate that serves as the user's credential for accessing the website. Secure Web Authentication uses an SSL certificate installed on the web server and a signed certificate installed on the smart token to establish a secure Internet connection between the web browser and the web site. The website therefore uses an HTTPS connection, which is more secure and reliable than a plain HTTP connection.

[Figure: Secure PKI Web Access architecture. Token, SSL, web server, CA server, database server.]

As shown in the figure, a user can connect to the web server and access the website/web application if and only if the user has a smart token connected to the PC. The smart token is secure storage for the user certificate, which is signed by the same issuer as the web server's certificate. A user who does not hold the smart token, or holds a token with the wrong certificate, is unauthorized. The server identifies itself to the callers through its SSL certificate, and the SSL protocol is configured to require a user certificate from the client side. The client certificate is verified at the server through an integrity check and CRL validation. The CA server is responsible for issuing certificates to the smart tokens; the same CA may also issue the SSL certificate for the web server.

[Figure: HTTPS connection flow between web browser and server. Client Hello, Server Hello, Key Exchange, HTTP GET, Data Transfer.]

The PKI-based secure web access method uses several modules to complete the authentication cycle. Initially, the website must have an SSL certificate; the connection to the website is then changed to HTTPS instead of plain HTTP. The user must have a personal certificate issued and signed by the same issuer as the web server's SSL certificate, so a certificate authority system is an essential module of the system.

CERTIFICATE AUTHORITY

E-Code Certificate Authority (CA) is a desktop application that runs on all Windows versions. All actions related to E-Code CA are performed through the application's user interface; it requires no Internet connection and no scripting experience to manage. The E-Code CA user interface has two main areas of functionality: CA operations and token management operations. E-Code CA provides all the actions a certificate authority needs: certificate issuance, certificate management (export, import), certificate revocation, and backup. E-Code CA is managed by one system administrator using one token that contains the root certificate. Users who do not have that token can only export the public certificates of the users in the database. This increases the security of the system, as only one person is authorized to make changes to the CA.

E-Code CA supports certificate issuance according to the X.509 standard, and issued certificates can carry any key usage and extended key usage values. Certificate issuance requires that the token or smart card is connected to the CA machine; remote issuance is not supported, which keeps the CA system simple. E-Code CA supports a certificate issuance hierarchy: a Root CA is issued, which issues sub-roots, and these sub-roots issue further sub-roots or personal certificates. This feature can be used to mirror the enterprise structure in the certificate issuance process.

For secure web access, an SSL certificate must be issued for the website/application. This is available using E-Code CA, so both the users' personal certificates and the web server certificate are issued from E-Code CA.

WEB SERVER INTEGRATION

The website's web server is integrated so that it authenticates users with PKI certificates. E-Code integration is applicable to any web server that supports SSL communication, such as IIS and Apache. The integration work involves installing the SSL certificate on the server, trusting the root certificate on the server machine, and changing the user authentication technique to use PKI certificates only. In some cases, custom code may be added to force users to log in through certificates.

SMART TOKEN

To keep the complete solution secure without any weak point, the user's personal certificate must be stored on a secure hardware device that is impossible to duplicate. This is the importance of the smart token module: it is the user's electronic identity. The token is protected with a security PIN so that only its rightful owner can use it. The PIN expires after a number of wrong attempts and the token is locked, so a lost token is no cause for worry: no one can use it except its owner.

E-Code Smart Token (esign) is a security hardware device. It provides digital signature and data encryption services. esign is offered in three hardware models: basic, standard and biometric. esign provides digital certificate generation and management, electronic signing and verification, and data encryption and decryption. All secure operations are performed entirely by the device's internal hardware. esign complies with security standards for digital signature and data encryption and supports the PKCS, CSP, X.509, SSL and PC/SC standards. Compliance with these standards allows automatic integration with many applications, for example email clients, Internet browsers, computer login and various network access services.

esign is protected by two- and three-factor authentication. Beside the mandatory password authentication, it uniquely supports an accurate and reliable fingerprint identification system. E-Code CA features can be divided into two categories: CA features and token management features.
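The server-side policy behind the PKI flow above (the handshake completes only for a client certificate that chains to the issuing CA and is not on its CRL, and the application then maps that certificate to a login name), written as an added Python example using only the standard ssl module. This is not E-Code's integration code: the CA name, the file-path parameters and the sample certificate fields are constructed.

```python
"""Added example: certificate-only login policy for a TLS server (standard library only)."""
import ssl

# Constructed value: common name of the CA that issues both the server and the user certificates.
TRUSTED_ISSUER_CN = "E-Code Root CA"


def client_auth_context(ca_file=None, crl_file=None, certfile=None, keyfile=None):
    """Build a server-side TLS context that completes the handshake only for clients
    presenting a certificate that chains to the trusted CA and is absent from the
    loaded CRL. The file arguments are optional so the policy can be inspected
    without PKI material present; in a deployment all of them are required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED             # no client certificate: no session
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF   # revoked user certificate: no session
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)      # the web server's own SSL certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # CA that signed the tokens' certificates
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # CRL published by that CA (PEM)
    return ctx


def policy_summary(ctx):
    """Report the two settings to check on a certificate-login server."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def user_from_peercert(peercert, trusted_issuer_cn=TRUSTED_ISSUER_CN):
    """Map a handshake-verified client certificate, in the dict form returned by
    SSLSocket.getpeercert(), to a login name. Returns None if no certificate was
    presented or the issuer is not the expected CA, so the application never
    trusts a subject name the TLS layer did not vouch for."""
    if not peercert:
        return None
    issuer = {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}
    subject = {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}
    if issuer.get("commonName") != trusted_issuer_cn:
        return None
    return subject.get("commonName")


# Constructed sample in the shape getpeercert() returns; no real certificate behind it.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "alice"),), (("organizationName", "Example Org"),)),
    "issuer": ((("commonName", "E-Code Root CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    ctx = client_auth_context()
    print("policy:", policy_summary(ctx))
    print("login name:", user_from_peercert(SAMPLE_PEERCERT))
```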

Benefits

HIGH SECURITY
A number of security mechanisms are employed, helping significantly to eliminate the risk of fraud, attacks and misuse by unauthorized individuals and hackers. The connection is a secure SSL connection that guarantees the required security level at both the server and client sides. The user identity is stored on secure hardware that cannot be duplicated, and the hardware is protected by a user PIN or fingerprint to ensure that only the token owner can use it.

EASY ADMINISTRATION
The E-Code PKI solution for web access provides an easy and simple method of controlling access to the website using a Certificate Revocation List (CRL). The CRL enables the administrator to block a user from accessing the server temporarily or permanently.

STANDARDS COMPLIANCE
The E-Code PKI web access solution supports the X.509 standard and CRL standards version 3.0. It also supports the PKCS#11 standard for hardware security devices.

USABILITY
E-Code Secure Web Access Solution is easy to deploy and use with any website or web application.

COMPATIBILITY
The PKI solution is compatible with all applications and environments, which makes it suitable and easy to use in any case. The solution is compatible with the IIS and Apache web servers and with the Internet Explorer, Chrome and Mozilla Firefox web browsers. The solution can be used on different operating systems, as E-Code Smart Token is compatible with Windows (32/64-bit) 2K, XP, 2003, Vista, 7, 8 and 2008, and Linux (32-bit).

OTP Secure Web Access

Description

One-Time Passwords are today one of the simplest and most popular forms of two-factor authentication for securing network access. For example, in large organizations and enterprises, VPN or website access often requires One-Time Password tokens for user authentication. One-Time Passwords are often preferred because an air-gapped device does not require the installation of any client software or drivers on the user's machine, which lets them be used from multiple machines, including home computers, kiosks and personal digital assistants.

The OTP RADIUS system provides user authentication using the one-time password (OTP) method with a back-end system on the server side. It allows the end user to authenticate with one click or touch. The user requests access to a service; the system sends an authentication request to the OTP server through the RADIUS protocol; the OTP server responds with success or failure; and finally the web application permits or denies the user's access.

[Figure: OTP RADIUS deployment. Users on PCs, smartphones and tablets generate OTPs with an OTP device or a smartphone app and reach the web server through the Internet, a firewall and a load balancer; the web server queries the OTP RADIUS server, which is backed by a users database or LDAP server and managed by an operator/administrator.]

The OTP RADIUS system contains several functional components, each with its own administration interface, so each component can be managed separately. The system also supports different operating systems, and therefore supports end users with multiple kinds of access device: PCs, laptops, tablets and smartphones.

[Figure: OTP RADIUS components. End user with OTP (software or hardware token), web application server, OTP RADIUS server (RADIUS protocol), users DB or LDAP server.]

The system can be described as four entities:
1. OTP RADIUS server.
2. OTP client (OTP generator).
3. Web application (NAS).
4. Users database.

OTP RADIUS SERVER

This module is the core component of the OTP RADIUS system. It provides high-performance authentication via a secure communication protocol, the Remote Authentication Dial-In User Service (RADIUS). The OTP server application receives the user's credentials, communicates with the database/LDAP server to authenticate the user, and finally responds to the web server with Accept or Reject for the user's access request.

The server receives Access-Request packets from the web application server (the RADIUS client, or NAS), including the user's parameters and the OTP most recently generated on the user's device or application. The server checks whether the received information is correct against the users database, applying an authentication scheme such as PAP or CHAP: it verifies the incoming OTP against the OTP it generates internally. The OTP generators on the server and client sides must therefore share the same parameters and state.

The RADIUS exchange can be explained as follows. If the match succeeds, an Access-Accept packet is sent by the OTP server back to the web application server, which then permits the end user to access the web application. If the match fails, an Access-Reject packet is sent back to the application server, which then unconditionally prevents the end user from accessing the web application. The OTP server may also respond to the Access-Request packet with an Access-Challenge packet. This is used in more complex authentication dialogs, where a secure session is opened between the OTP server and the end user in such a way that the credentials sent are hidden from the web application server (the RADIUS client NAS).

USERS DATABASE SERVER

One of the major components of the OTP RADIUS system is the storage that holds the system's users and their parameters. This storage can be a database or an LDAP server. For each user, the database or LDAP directory holds the username, the most recent OTP generated, the seed and other parameters related to that user. The OTP RADIUS server can be integrated with different storage back ends, either LDAP directories or SQL databases.

WEB APPLICATION SERVER (RADIUS CLIENT)

The front end of the OTP RADIUS system is the website that the end user sees and interacts with directly. In the RADIUS environment it is called the NAS (Network Access Server). The NAS is the only gateway to the protected OTP server: the RADIUS protocol establishes connections only with the NAS. The web application NAS connects to the OTP server, passing the user's credentials. The OTP server then looks the user up in its DB or LDAP server and notifies the NAS whether the user is granted access to its services or not.

OTP authentication simply sends the username and password using an appropriate protocol, such as CHAP, and receives the response. This requires changing the default authentication mechanism of the application server to the OTP mechanism. The application server must be configured to use the OTP mechanism, which may require additional code to be integrated with the application server; web programming is used to apply this configuration and build the secure communication with the OTP server.

OTP CLIENT (OTP GENERATOR)

The OTP client is the two-factor authentication module that the user uses to generate the OTP required to access the service. The OTP generator can be either a software token installed on any portable device, or a hardware token carried by the user that only generates OTPs.

Hardware OTP Token

[Figure: Bio-OTP smart card generator.]

The figure shows the Bio-OTP smart card generator. This card uses fingerprint authentication to recognize its owner; after successful fingerprint authentication, the OTP is generated and shown on the card's display.

Software OTP Token

The OTP RADIUS system supports hardware and software tokens with different One-Time Password algorithms, such as TOTP, HOTP and MOTP.
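The Access-Request / Access-Accept / Access-Reject round trip between the web application (NAS) and the OTP server described above, as an added Python example that is not E-Code's code. It follows the RFC 2865 packet layout, carries the OTP in a PAP User-Password attribute and has the NAS verify the Response Authenticator before trusting the verdict; the shared secret, identifier, username and OTP values are constructed.

```python
"""Added example: RADIUS Access-Request/Accept/Reject (RFC 2865) between a NAS and an OTP server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then the 16-byte Authenticator

def _encode_attrs(pairs):
    # Each attribute is Type (1 byte), Length (1 byte, includes the header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _decode_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = blob[i + 2:i + ln]
        i += ln
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")

def build_access_request(ident, username, otp, secret, request_auth=None):
    """NAS side: the OTP travels in User-Password (PAP), hidden with the shared secret."""
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    attrs = _encode_attrs([(ATTR_USER_NAME, username.encode()),
                           (ATTR_USER_PASSWORD, hide_password(otp, secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def otp_server_respond(request, secret, expected_otps):
    """OTP server side: recover the OTP, compare it with the one computed from the
    server's own token state (expected_otps maps username -> OTP) and answer."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length > len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], _decode_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = expected_otps.get(user)
    ok = expected is not None and hmac.compare_digest(otp.encode(), expected.encode())
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)  # no attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

def nas_check_response(response, request_auth, secret):
    """NAS side: accept the verdict only if the Response Authenticator proves the reply
    came from a server holding the shared secret and answers this very request."""
    code, ident, length = HEADER.unpack(response[:4])
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # forged or mismatched reply: treat as no answer, never as Accept
    return code
```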

HOTP: the HMAC-based algorithm generates the OTP from a static symmetric key and an increasing counter value.
TOTP: the time-based OTP algorithm uses the current time and a shared secret key to generate the OTP.
MOTP: the Mobile-OTP algorithm is based on time-synchronous one-time passwords.

E-Code will provide a software OTP generator with the system. The software token will provide the different algorithms discussed above and will also be a two-factor authentication solution. E-Code will provide its customized software token for use on a smartphone or any portable device; the user enters a PIN, which generates the OTP to be used for login. The E-Code OTP client generator can also be used with a hardware OTP token. The hardware OTP token uses an on-board algorithm to generate the OTP and is synchronized with the server so that each OTP can be verified at the server.

Benefits

SECURITY
The OTP RADIUS system allows the user information to be stored on one host, minimizing the risk of security loopholes. Two things provide this security: first, the use of OTP authentication technology; second, the strong, secure communication between the system entities, which is achieved by the RADIUS protocol. Two major security technologies are thus integrated to produce the OTP RADIUS system. The solution also solves the password caching problem.

EASE OF USE
One click/touch; one response. The user has no need to identify himself through multiple steps: he submits his username and OTP with one click/touch, the web application passes the submitted credentials on, and an Accept or Reject response comes back. The OTP solution requires no driver to be installed on the user side.

FLEXIBILITY
The web application server is not the only possible NAS; a NAS can be any electronic device that has an interface with a computer, so any device can use the OTP RADIUS server for user authentication. Integration with different databases or LDAP directories is also provided by the OTP RADIUS system.

HIGH PERFORMANCE
The OTP server responds quickly to authentication requests received from application servers.

HIGH AVAILABILITY
The OTP server is reliable for long-term operation.

MAINTAINABILITY
The available integrated QA tests can be used to troubleshoot and maintain the OTP server components, and existing testing applications can be used to test the OTP server. The server can also resynchronize a token during authentication.

EASY ADMINISTRATION
The solution does not require much skill or experience from the system administrator. All administration actions are done easily through the back-end interface.

CERTIFICATION
The OTP RADIUS server is OATH certified for both TOTP and HOTP tokens. PSKC encrypted files are also supported.
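The HOTP and TOTP algorithms listed in the Software OTP Token section, together with the token resynchronisation that the Maintainability benefit mentions, as an added Python example that is not E-Code's generator: RFC 4226 and RFC 6238 implemented with the standard library, plus the server-side counter look-ahead window and clock-skew window a verifier needs. The seed is the RFCs' published test key; the window sizes are assumptions.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) with server-side resynchronisation."""
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key; a real deployment provisions one random seed per token.
TEST_SEED = b"12345678901234567890"

def hotp(secret, counter, digits=6, algo="sha1"):
    """HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, for_time=None, step=30, digits=6, algo="sha1"):
    """HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algo)

def verify_hotp(secret, submitted, last_counter, window=10, digits=6):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).
    A token drifts ahead whenever the user generates codes without logging in;
    the window lets the server catch up. Returns the counter to store on success
    (so a code at or below last_counter can never be replayed) or None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None

def verify_totp(secret, submitted, for_time=None, step=30, skew=1, digits=6):
    """Accept the code for the current step and `skew` steps either side (clock drift)."""
    t = int(time.time() if for_time is None else for_time)
    return any(hmac.compare_digest(totp(secret, t + s * step, step, digits), submitted)
               for s in range(-skew, skew + 1))

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SEED, 0))            # 755224 per RFC 4226
    print("TOTP at t=59:", totp(TEST_SEED, 59, digits=8))  # 94287082 per RFC 6238
    print("resync to counter:", verify_hotp(TEST_SEED, hotp(TEST_SEED, 4), last_counter=0))
```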

IV. ABOUT E-CODE

E-Code is a leading, progressive and innovative company in the field of information security, providing technology, state-of-the-art solutions, consulting, integration and testing services to safeguard information assets, identities and the supporting infrastructure against unauthorized use. Our high-quality service, excellent benefits, reliability and responsibility place us among the leading digital security companies.

E-Code provides unique products and solutions covering many security areas and fulfilling customers' needs in different market sectors. Our products and solutions cover the following areas: software protection, data encryption, security hardware, digital signature, secure identification and authentication, and secure online distribution of digital content. We support market sectors including governmental institutes, organizations, banks, software development companies, multimedia software and game producers, media and e-book publishers, and individual users.

Products: Dongle; Fingerprint Smart Token; Smart Card; Fingerprint Smart OTP Card; Smart Token; Fingerprint OTP Token; Secure SD Card; Secure Flash with Fingerprint.

Website: www.e-code.com
Email: info@e-code.com, support@e-code.com, sales@e-code.com