Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.
© 2012 - VASCO® Data Security
Strong Authentication … in detail
Kuznetsov Alexander, Technical Account Manager
VASCO Core Activities
Overview DIGIPASS
DIGIPASS Go Range
DIGIPASS for Mobile
DIGIPASS for Web
DIGIPASS E-signature
DIGIPASS Reader
DIGIPASS Nano
Virtual DIGIPASS
DIGIPASS PKI
DIGIPASS for Windows
Evolution of Authentication Devices
(Chart: security level plotted against sophistication level of attacks. Authentication devices shown: static passwords, virtual keyboards, time-based OTP, counter-based OTP, meaningful user prompts, WYSIWYS, electronic signature. Attacks shown: keyloggers, phishing, pharming, MitM, MitM with social engineering.)
Evolution of Authentication platforms
(Chart comparing platforms on four axes: security, ease of use, flexibility, cost.)
VASCO Software DIGIPASS
DIGIPASS Go Range
DIGIPASS for Mobile
DIGIPASS for Web
DIGIPASS E-signature
DIGIPASS Reader
DIGIPASS Nano
Virtual DIGIPASS
DIGIPASS PKI
DIGIPASS for Windows
Market leader: Digipass for Mobile 4.0
Focus: Strong Security!
Weak PIN detection, Device Binding, Time+Event Based
Dedicated authentication application in your mobile device
DP 4 Mobile: why?
• Easy to integrate: included web samples
• Easy to deploy: three provisioning options
• Easy to use: intuitive graphical user interface
• Easy to customize: use your own colors and logos
Supported Mobile Platforms
Android OS 2.2 and later
iOS 4.1 and later
BlackBerry OS 5.0 and later
MIDP2 compatible devices
Windows Mobile / Phone
DP 4 Mobile Editions
Standard
• Fully customizable
• Customer responsible for provisioning process
Enterprise
• Not customizable
• Only authentication
• 3DES, Time Based, Decimal 2
• VASCO responsible for provisioning process
Step 1: Software Package Download
(Diagram of the delivery paths: Enterprise Server, HTTP download, local install.)
Step 2: Activation Modes
• Offline activation
• QR code activation
• Online activation
Offline Activation
(Two data sets shown:)
• DIGIPASS Serial Number, Activation Code, Reactivation Password
• DIGIPASS Serial Number, Activation Code (21 Digits), Reactivation Password + Local Password
QR Activation
Online Activation
(Diagram. Inputs: Identifier, Authorization Code, Activation Password. Numbered steps: (1) Identifier + Authorization Code + Nonce; (2) Generate Nonce; (3, 4) Encrypted Full Activation Data, encrypted with the activation password = Static Vector + Serial Number Suffix + Activation Code + Reactivation Counter + Nonce; (5) Activate with activation password. Server API calls shown: AAL2GenActivationDataRndKey, AAL2GenActivationCodeXErc.)
Step 3: OTP Post Activation
(Diagram: (1) OTP, (2) Response. Server API call shown: AAL2VerifyPassword.)
Post Activation Device Binding
(Diagram: (1) Platform Fingerprint, (2) Serial Number + Derivation Code, (3) Response. Server API call shown: AAL2DeriveTokenBlobs.)
Can also be done offline
Full Picture
DP4Mobile – Challenge/Response
DP4Mobile - QR Challenge/Response
Customization: Mobile Provisioning
…
Customization: Post Activation
Customization: Mobile Settings
Customization: Multilanguage
One XML file per language
\CustomizationTool\input\xml
Can also be used for #looks
Test your Digipass for Mobile
Already now, go get your DIGIPASS at:
http://dp4mobile.demo.vasco.com/dp4mobile/
DIGIPASS SDK: Software engine
DIGIPASS SDK
• J2ME (Java, BlackBerry)
• iPhone OS (Objective C)
• Windows Mobile 5.0+ / Windows Phone
• Symbian OS (2nd to 5th editions)
• Android
Integration partners
• Clear2pay, Monext, Lemonway
• mFoundry
• FundTech …
Banking applications
• HSBC
• GarantiBank
• Alfa-Bank
DIGIPASS: The building blocks
(Diagram: a generated code is produced from a secret, provided by VASCO and protected in storage, combined with a secret that changes (time, event or challenge), run through the encryption algorithm with its parameters and truncated to a human-readable code; the user interface presents the code.)
The same concept on a different platform
(Diagram: the same DIGIPASS blocks, encryption algorithm, storage, user interface, time, parameters and the VASCO-provided secret, hosted as an application core on platform X.)
(Diagram of the DIGIPASS SDK: communication interface, storage, time and time shift, encryption algorithm, secret, parameters (static vector and dynamic vector), user interface.)
Software DIGIPASS: Secure Platform
Software DIGIPASS: Platform Scoring
• Jail broken?
• Infected?
• Location?
• Behavior?
Software DIGIPASS: Application Security
Device Binding
Application Signing & Obfuscation
External Audit
True Random Key generation
Slow Encryption Function
Secure Key provisioning
Software DIGIPASS: Native Integration
DIGIPASS NANO: Secure Component
Digipass Nano
Test your DPNANO sample at
http://dpnano.demo.vasco.com
• More Security
• More Convenience
• SIM Toolkit menu
Intel IPT: Integrated DIGIPASS in your PC
Intel IPT drivers
Hardware security level
Regular password logon experience
No shipping!
Central provisioning
Large penetration potential
Digipass for Web + Intel IPT
DP4Web applet:
• Activation through VASCO
• Generate OTP
• Generate e-signature
• Supported by all VASCO server solutions
VASCO Server Side offering
VASCO Identikey Server
Single point of Authentication
Hardware
Software
Smart
Cards
Custom web applications
Citrix, OWA, etc.
VPN, SSLVPN, Firewall, etc.
Functional architecture
(Diagram of the Identikey Server in three layers.)
• Front-End Integration: RADIUS client (RADIUS), customer web applications (SOAP, custom API), IIS web applications (SOAP), domain login (SEAL), LDAP via Windows API
• Back-End Authentication: database (PostgreSQL via ODBC), directory (AD via LDAP/LDAPS)
• Web-based Administration (Apache Tomcat webserver): user & DIGIPASS administration, reporting, command line (TCL), Active Directory Users & Computers (SEAL)
Identikey Server features
Authentication and e-signature validation Server
Strong authentication validation
Transaction data signing – e-Signature
DIGIPASS Family ready (including SMS)
Policy based authentication
Different policy for each application
Automatic creation of users
Auto-assigning of the DIGIPASS to the User
Easy to Integrate in your front-end application
RADIUS protocol (Authentication)
SOAP protocol – Web-services
SAML protocol – Federation authentication
High-availability and scalability model
Load balancing (primary and backup servers)
DB availability control service
Identikey Server features
Centralized Web-based administration interface
DIGIPASS & User management
Domains & Organizational units
Policy management
Application management
System management
Delegated administration
> 80 different administrative privileges
Reporting capabilities
28 standard reports available
Custom reports
Admin access can be protected by OTP
System and performance monitoring capabilities
Fully PCI-DSS compliant
DIGIPASS Authentication for Windows Logon
• DAWL features:
• Offline authentication (up to 30 days)
• Force OTP
• Password Randomization
• PSM – Password Synchronization Manager
• DCR – Dynamic Client Registration
• DNS reverse Lookup
• Terminal Server authentication
DAWL – Architecture
(Diagram labels: Windows, LDAP, SEAL-SSL, Windows, SEAL, + PSM.)
What is DIGIPASS as a Service
Supported Types of Authenticators
API vs Web Interface
Availability
MYDIGIPASS.COM
MDP: concept
(Diagram with three numbered steps between the end-user website, its front-end and back-end, and DIGIPASS as a Service: validation request, validation ok.)
MDP: Launch pad & Marketplace
MDP: available today
3 types of DIGIPASS
• Hardware: DP GO6
• Software: Mobile DP
• Software: DP4Web with Intel IPT
QR-code autologin
DEMO
List of valid time-based OTP's
• Additional digits: optional; speed up verification of an OTP; used for first OTP validation
• Time granularity: standard 32 seconds; the interval between 2 successive time units
List of valid counter-based OTP's
• Generated by host, randomly, sent to user
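As an added illustration of the DEMO slide's parameters, not code from VASCO or from the deck: a time-based OTP with a 32-second time unit, optional "additional digits" that carry the low digits of the token's time unit so the server can locate the matching unit on first validation without trying every candidate, and a server-side check over the list of valid units with replay rejection. The HMAC-SHA1 construction and the hint encoding are my own assumptions; the page does not show VASCO's actual algorithm.

```python
import hmac
import hashlib
import struct
from typing import Optional

TIME_STEP = 32  # seconds per time unit (the deck's "standard" granularity)


def time_unit(ts: int, step: int = TIME_STEP) -> int:
    """Index of the time unit that contains Unix timestamp ts."""
    return int(ts) // step


def otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 OTP with RFC 4226 dynamic truncation (assumed construction)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def time_otp(secret: bytes, ts: int, hint_digits: int = 0) -> str:
    """Token side: OTP for the current unit, optionally followed by 'additional
    digits' (low digits of the unit index) that let the server find the unit
    directly on first validation."""
    unit = time_unit(ts)
    code = otp(secret, unit)
    if hint_digits:
        code += f"{unit % 10 ** hint_digits:0{hint_digits}d}"
    return code


def verify_time_otp(secret: bytes, submitted: str, server_ts: int, window: int = 3,
                    hint_digits: int = 0, last_unit: Optional[int] = None) -> Optional[int]:
    """Server side: build the list of valid time-based OTPs for units within
    +/-window of the server clock and accept the first match. Returns the
    accepted unit (persist it as last_unit to reject replays) or None."""
    now = time_unit(server_ts)
    candidates = range(now - window, now + window + 1)
    if hint_digits:
        hint = int(submitted[-hint_digits:])
        submitted = submitted[:-hint_digits]
        # The hint narrows a wide first-validation window to one or two units.
        candidates = [u for u in candidates if u % 10 ** hint_digits == hint]
    for u in candidates:
        if last_unit is not None and u <= last_unit:
            continue  # a unit already consumed (or older) is never accepted again
        if hmac.compare_digest(otp(secret, u), submitted):
            return u
    return None
```

The secret and timestamps used with these functions are constructed test values; a real deployment would hold the secret in protected storage as the building-blocks slide describes.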
Thank You
Alex Kuznetsov, Technical Account Manager EE-CIS
Copyright & Trademarks
Copyright
2011 VASCO Data Security. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks
VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and the ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions.