Strong Authentication in Detail
Kuznetsov Alexander, Technical Account Manager
VASCO Core Activities
Overview: DIGIPASS, DIGIPASS Go Range, DIGIPASS E-signature, DIGIPASS Reader, DIGIPASS for Mobile, DIGIPASS Nano, Virtual DIGIPASS, DIGIPASS for Web, DIGIPASS PKI, DIGIPASS for Windows
Figure (chart): Evolution of Authentication Devices, plotting Security Level against Sophistication Level of Attacks. Labels on the chart, in extraction order: WYSIWYS, Keyloggers, Virtual keyboards, Static Passwords, Time-based OTP, Phishing, Pharming, Counter-based OTP, Electronic signature, MitM, Meaningful user prompts, MitM with Social Engineering. Source: Federal Reserve Briefing.
Figure (chart): Evolution of Authentication Platforms, compared on Security, Cost, Ease of Use and Flexibility.
VASCO Software DIGIPASS
Product range: DIGIPASS, DIGIPASS Go Range, DIGIPASS E-signature, DIGIPASS Reader, DIGIPASS for Mobile, DIGIPASS Nano, Virtual DIGIPASS, DIGIPASS for Web, DIGIPASS PKI, DIGIPASS for Windows
Market leader: Digipass for Mobile 4.0
- Dedicated authentication application in your mobile device
- Focus: Strong Security! Weak PIN detection, Device Binding, Time+Event Based
DP 4 Mobile: why?
- Easy to integrate: included web samples
- Easy to deploy: three provisioning options
- Easy to use: intuitive graphical user interface
- Easy to customize: use your own colors and logos
Supported Mobile Platforms: Android OS 2.2 and later, iOS 4.1 and later, BlackBerry OS 5.0 and later, MIDP2 compatible devices, Windows Mobile / Phone
DP 4 Mobile Editions
- Standard: fully customizable; customer responsible for the provisioning process
- Enterprise: not customizable; only authentication (3DES, Time Based, Decimal 2); VASCO responsible for the provisioning process
Step 1: Software Package Download
Diagram: delivery paths from the Enterprise Server, combining HTTP download and Local Install (HTTP download; HTTP download + Local Install; Local Install).
Step 2: Activation Modes: offline activation, QR code activation, online activation
Offline Activation
Diagram of the activation data: DIGIPASS Serial Number, Activation Code (21 digits), Reactivation Password, plus a Local Password; a second variant shows DIGIPASS Serial Number, Activation Code and Reactivation Password only.
QR Activation
Online Activation
1. Identifier, Authorization Code, Activation Password
2. Generate Nonce
3. Identifier + Authorization Code + Nonce
4. AAL2GenActivationCodeXErc / AAL2GenActivationDataRndKey: Encrypted Full Activation Data (encrypted with the activation password) = Static Vector + Serial Number Suffix + Activation Code + Reactivation Counter + Nonce
5. Activate with activation password
Step 3: OTP Post Activation
1. OTP
2. AAL2VerifyPassword
Response
Post Activation Device Binding
1. Platform Finger Print
2. Serial Number + Derivation Code: AAL2DeriveTokenBlobs
3. Response
Can also be done offline.
Full Picture
DP4Mobile Challenge/Response
DP4Mobile - QR Challenge/Response
Customization: Mobile Provisioning
Customization: Post Activation
Customization: Mobile Settings
Customization: Multilanguage: one XML file per language in \CustomizationTool\input\xml; can also be used for looks
Test your Digipass for Mobile: right now, go get your DIGIPASS at http://dp4mobile.demo.vasco.com/dp4mobile/
DIGIPASS SDK: Software engine
- Platforms: J2ME (Java, BlackBerry), iPhone OS (Objective C), Windows Mobile 5.0+ / Windows Phone, Symbian OS (2nd to 5th editions), Android
- Integration partners: Clear2pay, Monext, Lemonway, mfoundry, FundTech
- Banking applications: HSBC, GarantiBank, Alfa-Bank
DIGIPASS: The building blocks
Diagram: a generated code is produced from a secret and something that changes (time, event or challenge) by an encryption algorithm, then truncated into a human-readable code. Components of the DIGIPASS: User Interface, Encryption Algorithm, Storage, Parameters, Secret, Time; the secret is protected. Provided by VASCO.
The same concept on a different platform
Diagram: on Platform X the DIGIPASS SDK (by VASCO) supplies the Encryption Algorithm, Parameters, Storage (Static Vector, Secret / Core Secret, Dynamic Vector, Time Shift) and Time, while the Application supplies the User Interface, the Communication Interface, Storage and the platform time.
Software DIGIPASS: Secure Platform
Software DIGIPASS: Platform Scoring: jailbroken? Infected? Location? Behavior?
Software DIGIPASS: Application Security
- True random key generation
- Secure key provisioning
- Application signing & obfuscation
- Slow encryption function
- Device binding
- External audit
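The application-security items above (weak PIN detection from the Digipass for Mobile slide, slow encryption function, true random key generation and device binding) can be illustrated in one Python sketch. This is an added example, not VASCO's code or the DIGIPASS SDK: the device attributes, the PIN denylist and the 20-byte secret are constructed; PBKDF2-HMAC-SHA256 plays the slow function, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for an authenticated cipher because the standard library ships none.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000          # slow function: every PIN guess costs a full derivation
COMMON_PINS = {"1234", "0000", "1111", "2580", "1212"}  # constructed sample denylist


def is_weak_pin(pin: str) -> bool:
    """Reject PINs a guesser would try first: wrong shape, denylisted,
    a single repeated digit, or a straight ascending/descending run."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def platform_fingerprint(attributes: dict) -> bytes:
    """Hash of stable device attributes (constructed stand-in for a real
    platform fingerprint); canonical ordering keeps it reproducible."""
    canonical = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hashlib.sha256(canonical.encode()).digest()


def derive_keys(pin: str, fingerprint: bytes, salt: bytes):
    """Device-bound key material: the fingerprint is mixed into the salt, so the
    same PIN on another device derives different keys. Returns (enc_key, mac_key)."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + fingerprint,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def wrap_secret(secret: bytes, pin: str, fingerprint: bytes) -> bytes:
    """Encrypt-then-MAC the OTP secret under a PIN- and device-bound key.
    Blob layout: 16-byte random salt || ciphertext || 32-byte tag."""
    salt = secrets.token_bytes(16)   # CSPRNG: fresh random salt per blob
    enc_key, mac_key = derive_keys(pin, fingerprint, salt)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, len(secret))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def unwrap_secret(blob: bytes, pin: str, fingerprint: bytes):
    """Return the secret, or None when the PIN or the device does not match:
    a wrong key fails the constant-time tag check before anything is decrypted."""
    salt, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive_keys(pin, fingerprint, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


# Constructed demo values (not real provisioning data)
DEMO_SECRET = bytes(range(20))
DEMO_DEVICE = platform_fingerprint({"model": "demo-phone", "os": "1.0", "serial": "DEMO-0001"})
OTHER_DEVICE = platform_fingerprint({"model": "demo-phone", "os": "1.0", "serial": "DEMO-0002"})

if __name__ == "__main__":
    blob = wrap_secret(DEMO_SECRET, "7391", DEMO_DEVICE)
    print("same device, right PIN:", unwrap_secret(blob, "7391", DEMO_DEVICE) == DEMO_SECRET)
    print("copied to other device:", unwrap_secret(blob, "7391", OTHER_DEVICE))
```

The point of the layout is that a blob copied off the device is useless without both the PIN and the originating platform's fingerprint, and that every offline guess costs a full PBKDF2 run; a weak-PIN check at enrolment keeps the guess space from collapsing in the first place.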
Software DIGIPASS: Native Integration
DIGIPASS NANO: Secure Component
Digipass Nano: more security, more convenience. Test your DPNANO sample in the SIM Toolkit menu: http://dpnano.demo.vasco.com
Intel IPT: Integrated DIGIPASS in your PC (Federal Reserve Briefing)
Intel IPT drivers
- Hardware security level
- Regular password logon experience
- No shipping! Central provisioning
- Large penetration potential
Digipass for Web + Intel IPT
- DP4Web applet: activation through VASCO, generate OTP, generate e-signature
- Supported by all VASCO server solutions
VASCO Server Side offering
VASCO Identikey Server: single point of authentication
Diagram of connected clients: custom web applications; hardware and software DIGIPASS; Citrix, OWA, etc.; smart cards; VPN, SSL VPN, firewall, etc.
Functional architecture
Diagram:
- Front-End Integration: Customer Web Applications; Web-based Administration (User & DIGIPASS Administration, Reporting); Command Line (TCL); Apache Tomcat Webserver / IIS Web Applications; SEAL and SOAP interfaces
- Back-End Authentication: RADIUS Client / RADIUS; SEAL; LDAP via Windows API; via Custom API; Domain Login
- Database / Directory: PostgreSQL (ODBC); LDAP/LDAPS to AD (Active Directory Users & Computers)
Identikey Server features
- Authentication and e-signature validation server: strong authentication validation; transaction data signing (e-signature); DIGIPASS family ready (including SMS)
- Policy based authentication: different policy for each application; automatic creation of users; auto-assigning of the DIGIPASS to the user
- Easy to integrate in your front-end application: RADIUS protocol (authentication); SOAP protocol (web services); SAML protocol (federation authentication)
- High-availability and scalability model: load balancing (primary and backup servers); DB availability control service
Identikey Server features
- Centralized web-based administration interface: DIGIPASS & user management; domains & organizational units; policy management; application management; system management
- Delegated administration: more than 80 different administrative privileges
- Reporting capabilities: 28 standard reports available; custom reports
- Admin access can be protected by OTP
- System and performance monitoring capabilities
- Fully PCI-DSS compliant
DIGIPASS Authentication for Windows Logon
DAWL features:
- Offline authentication (up to 30 days)
- Force OTP
- Password Randomization
- PSM (Password Synchronization Manager)
- DCR (Dynamic Client Registration)
- DNS reverse lookup
- Terminal Server authentication
DAWL Architecture + PSM
Diagram labels: Windows, SEAL, Windows LDAP, SEAL-SSL
What is DIGIPASS as a Service
Supported Types of Authenticators
API vs Web Interface
Availability
MYDIGIPASS.COM
MDP: concept
Diagram: the end-user authenticates at a front-end website (1); the website submits the credential for validation to the back-end, DIGIPASS as a Service (2); the back-end answers "Validation ok" (3).
MDP: Launch pad & Marketplace
MDP: available today
- 3 types of DIGIPASS: hardware (DP GO6), software (Mobile DP), software (DP4Web with Intel IPT)
- QR-code autologin
DEMO
Parameter descriptions shown in the demo:
- List of valid time-based OTPs; interval between 2 successive time units; additional digits
- List of valid counter-based OTPs; speeds up verification of an OTP
- Generated by host; optional; random; used for first OTP validation; sent to user
- Time granularity: standard 32 seconds
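The building-blocks slide (a secret plus something that changes, an encryption algorithm, truncation to a human-readable code) and the demo parameters above (time granularity, list of valid time-based OTPs, list of valid counter-based OTPs) are shown together in the following Python example. It is an added illustration, not VASCO's DIGIPASS algorithm or the AAL2 API: it uses the public HMAC-based construction (HMAC-SHA1 with dynamic truncation), a constructed 20-byte secret and the 32-second time granularity quoted on the slide; the window sizes and the replay guard on the server side are assumptions.

```python
import hashlib
import hmac
import struct
import time

DEMO_SECRET = bytes(range(20))   # constructed seed; real seeds come from provisioning
TIME_STEP_SECONDS = 32           # time granularity from the slide (standard 32 seconds)
OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """Secret + a changing counter -> HMAC-SHA1 -> dynamic truncation -> decimal digits.
    This is the generic HMAC-based OTP construction, used here as a stand-in."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: float, step: int = TIME_STEP_SECONDS) -> int:
    """Map wall-clock time to the 'time unit' the slide refers to."""
    return int(unix_time // step)


def totp(secret: bytes, unix_time: float, step: int = TIME_STEP_SECONDS) -> str:
    return hotp(secret, time_counter(unix_time, step))


class OtpVerifier:
    """Server-side validation with a window of acceptable time units / counters,
    replay protection and resynchronisation after a successful check."""

    def __init__(self, secret: bytes, time_window: int = 1, event_window: int = 10,
                 step: int = TIME_STEP_SECONDS):
        self.secret = secret
        self.time_window = time_window      # +/- time units around 'now'
        self.event_window = event_window    # look-ahead for counter-based OTPs
        self.step = step
        self.last_time_counter = -1         # highest time unit already consumed
        self.event_counter = 0              # next expected event counter

    def verify_time_based(self, otp: str, now: float) -> bool:
        """The 'list of valid time-based OTPs' is every unit within the window
        that has not been used yet; a match consumes that unit (no replay)."""
        center = time_counter(now, self.step)
        for c in range(center - self.time_window, center + self.time_window + 1):
            if c <= self.last_time_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.last_time_counter = c
                return True
        return False

    def verify_counter_based(self, otp: str) -> bool:
        """The 'list of valid counter-based OTPs' is the look-ahead window from the
        expected counter; a match resynchronises the server past the used counter."""
        for c in range(self.event_counter, self.event_counter + self.event_window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.event_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(DEMO_SECRET)
    now = time.time()
    otp = totp(DEMO_SECRET, now)
    print("first use:", v.verify_time_based(otp, now))     # accepted
    print("replay:   ", v.verify_time_based(otp, now))     # rejected
```

Keeping the window small limits how many codes are valid at once (each extra time unit or counter in the window is another value an attacker could guess), while the consumed-counter bookkeeping is what turns a "valid within the window" code into a one-time one.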
Thank You Alex Kuznetsov Technical Account Manager EE-CIS aku@vasco.com
Copyright & Trademarks
Copyright 2011 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks: VASCO, VACMAN, IDENTIKEY, axsguard, DIGIPASS and the logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.
Disclaimer of Warranties and Limitations of Liabilities: This Report is provided on an 'as is' basis, without any other warranties, or conditions.