Visolve - Open Source Solutions

The document discusses open source solutions for securing digital assets called Visolve. It focuses on two-factor authentication systems using one-time passwords (OTP). It describes how OTPs add an extra layer of security beyond passwords by generating passwords that can only be used once. The document also discusses how OTP solutions based on open standards like OATH are more cost-effective and interoperable than proprietary systems. It provides examples of how OTPs could be implemented using soft tokens on phones and authentication through SMS.

Uploaded by Umair Javed
Copyright: © Attribution Non-Commercial (BY-NC)
Visolve – Open Source Solutions

Visolve – Securing Digital Assets

Contents
- Security Overview
  - Security Concerns
  - Security Needs
- Technical Overview
  - Two-Factor Authentication System
  - OTP – One Time Password Solutions
  - OATH – Open Standards for OTP
Security Layers - Challenges

Security layers:
- Authentication
  - Ability to Validate
  - Proving Identity
- Authorization
  - Access to Network
  - Allowing to Transact
- Accounting
  - Management
  - Auditing

Challenges:
- Users
  - Profiling
  - Security Policy
- User Rights
  - Access Levels
- Security Platform
  - Applications
  - Interface
  - Security Device
Security Threats & Business Needs

- Vulnerabilities
  - Cyber Crime – Identity theft and Fraud
  - Phishing & Pharming attacks becoming more sophisticated and malicious
- Business needs
  - Enhanced Security: Stronger user authentication – Two Factor authentication System
  - Cost effective Password & Identity Management
  - Delivery Mechanism – Convenience of carrying security devices and ease of use
Power of One-Time Password (OTP)

- OTP deployment makes full life-cycle management easy & cost effective
- Flexibility and availability of various OTP methods – time synchronized, event synchronized or challenge response
- Password generated valid for single use
- Enhanced security environment for users to authenticate and transact on web
- Centralized repository of User profiles and credentials
Visolve – Open Standards for OTP

- Today, with the exception of RADIUS, integration of OTPs can be achieved only through costly proprietary interfaces & protocols
- Can leverage on existing VPN/Wireless LAN infrastructure
- Low cost/no vendor lock alternative to proprietary solutions
- Easily added to existing web server password validation infrastructure
- Token based solution now inexpensive for wider B2C deployments
Technology Overview

HP-UX AAA Server and OATH: Standard Based Two-Factor Authentication
Technology - Framework

- Two-Factor Authentication
  - Authentication using two independent methods – typically something you have (device) and something you know (password)
- One-Time Password
  - Password valid for single use
  - Two-Party Model: Client and Server use OTP software or hardware to generate and validate password
  - Two-Channel Model: High value transaction can be authenticated by requiring an OTP being delivered through a secondary channel via email or SMS
- OATH
  - Open standards for OTP generation: http://openauthentication.org
  - Sequence based algorithm
  - Supported by all of the token device vendors
Advantages of OATH vs. Proprietary OTP

- Low Cost (easy on cost)
  - Sequence based algorithm allows low manufacturing cost for token device
  - No Royalty Programs
  - Leverage in both price-points and form-factors
- Easy to Implement
  - Wide variety of user deployment models
  - Standalone token device can be built into consumer electronics
- Easy for End Users
  - Secondary channel solutions – SMS
- No Vendor Lock (easy to manage)
  - Client, Server, user management components can be purchased separately
  - Multiple OTP clients can be concurrently supported from the same authentication server
OATH/OTP Authentication Opportunities

Target segments: User-Base, Enterprise, Government, Medical, Finance, Web-Merchants

- User Tokens
  - Low priced tokens from multiple vendors
  - Soft-tokens that can run on java enabled devices – mobile phones
  - SMS delivery of OTP for non java enabled devices
- Mobile makes ideal OTP device
  - Ubiquitous
  - Leverage applications provisioning to manage OTP soft-token
  - Addressing Consumer issue of handling multiple hard tokens
- Opportunity for OTP authentication as telecom service
  - Consumer authenticates to bank/retailer
  - Retailer authenticates password locally
  - Forward OTP to Service Provider
OATH/OTP Vs. Other Major Authentication Technologies

Cost/Complexity/Protection: LOWER (Password) -> OTP + Password -> HIGHER (Digital Certificates/PKI)

Method: Password
- Advantages: Widely used and supported by the largest number of applications. Technology easily understood by users.
- Disadvantages: Relies on human protection and management of the secret.
- Key Vulnerabilities: Brute force; Man-in-the-middle/client insertion; Phishing; Over the shoulder; Keystroke loggers.
- Applicability: Lower risk environments; Legacy environments; No network usage or protected network usage.

Method: OTP + Password
- Advantages: Two-factor authentication compatible with password based infrastructure: zero client footprint option.
- Disadvantages: Requires possession of the OTP generation software/hardware or access to a secondary channel for OTP transmission.
- Key Vulnerabilities: Man-in-the-middle/client insertion; Phishing (reduced to one time action).
- Applicability: B2C Commerce; Enterprise Security (VPN); Environments not suited for PKI (e.g. password based application infrastructure).

Method: Digital Certificates/PKI
- Advantages: Bi-directional authentication; Can provide two-factor; Non-repudiation.
- Disadvantages: Certificate management cost can be prohibitive for large user base. Heavy footprint to manage on client. Not compatible with small devices. Requires distribution of certificate/smart card to client.
- Key Vulnerabilities: User override of warnings; Client insertion (reduced).
- Applicability: Highly secure environments; Monetary or legal transactions where non-repudiation is a required feature; Environments where mutual authentication is required.

Customer slide presentation from HP


OATH Soft Tokens: Three Tier Service Provider Model

1. Provisioning (Database, web based User Mgt, HTTPS, SMS)
   Key and sequence number are generated by service provider. Key and OATH Applet are delivered to user device by client provisioning service.
2. Local Authentication (Database)
   User connects to web retail presence via browser. Password verified locally.
3. OTP Authentication (HTTPS, RADIUS, HP-UX AAA)
   User provides OTP from cell phone. Passed to Service provider for verification.
4. Multiple Retailers (Database, HTTPS, HP-UX AAA)
   Multiple retailers share the same OTP service, while locally maintaining password authentication.

Customer slide presentation from HP


OATH: Provisioning Life Cycle: Token Cards

1. New Installation (Keys database, web based Mgt)
   Supplier delivers tokens and key file, e.g.:
     Serial#  Key
     A123     34334343
     A124     34555555
   Admin tool imports serial number/key pairs into secure storage.
2. New User (User Keys database, web based Mgt)
   Serial number, key and sequence number 0 are assigned to user entry. Token device is delivered to user.
3. Help Desk (User database, web based Mgt)
   User entry can be resynchronized with user's token device if needed.
4. Deactivate User (User database, web based Mgt)
   User entry locked. Token device may be assigned to another user.

Customer slide presentation from HP


Basic Password Authentication Sequence

Adding Two Factor Authentication

Flow: Supplicant (client device; token displays e.g. 123456) -> Authenticators -> HP-UX AAA -> Database

1. User: name/password entered on client device. OTP appended to password field (separate prompt, or combined with existing password input).
2. Protocol: VPN: L2TP/IPSec; LAN: 802.1x; Web: HTTPS; etc.
3. Web Server, VPN Gateway, Firewall, WLAN Access Point, Unix (login/SSH, ...) etc.: authenticate password locally or forward to AAA.
4. Protocol: RADIUS.
5. AAA Server: authenticates password; tracks and logs user session; OTP validated, token sequence number updated in Database.

Existing password based single factor authentication infrastructure.

Two factor authentication can be added with minimal disruption. Zero client software changes possible.

Customer slide presentation from HP


HP-UX AAA Server Overview

- Purpose:
  - Centralized service to provide authentication and recording of user access to network resources
  - Control access to wireless LANs, VPN gateways, http servers, and other RADIUS enabled devices or applications
  - Provides access and accounting control for greater security and compliance
- Advantages:
  - Based on widely supported RADIUS and Extensible Authentication Protocol standards
  - High performance/high availability features for enterprise and service provider deployments
  - Supports a wide variety of authentication methods including password, token cards and digital certificates
  - Highly customizable, supports ODBC compliant databases and LDAP compliant directories
  - Included with HP-UX 11i

(Figure: 1. Access Points, 2. VPN Switches, 3. Firewalls and a Web server authenticating against the HP-UX AAA server, backed by a user Database.)

Customer slide presentation from HP


OATH: Higher level HMAC-based One Time Password Algorithm (HOTP)

Generate OTP:
  Inputs: Shared Secret (20 bytes) and Sequence Counter (8 bytes)
  Run HMAC algorithm and truncate: HMAC-SHA1 -> Truncate -> OTP (6 or 8 digits)

Validate OTP:
  The client holds the Shared Secret and Sequence Counter and sends Password + OTP to the Authenticator, which forwards Password + OTP to the AAA Server.
  The AAA Server holds the same Shared Secret and Sequence Counter, validates the OTP, then advances its Sequence Counter by +1.

Customer slide presentation from HP
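The two HP slides above (the password + OTP authentication sequence, and the HOTP generate/validate diagram) describe the server side only in boxes and arrows. The following is an added example, not code from this deck, from Visolve or from HP's AAA server: it implements HOTP as the diagram shows it (HMAC-SHA1 over an 8-byte counter, truncation to 6 or 8 digits) and a hypothetical `AaaServer` class that splits a combined "password + OTP" field, validates the OTP inside a small look-ahead window, advances the counter by one on success, and supports the help-desk resynchronization and user deactivation steps from the provisioning life-cycle slide. The class, its method names and the window sizes are assumptions for illustration; the shared secret is the RFC 4226 Appendix D test secret so the expected codes can be checked against the specification.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as in RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit value, reduced mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F            # low nibble of the last byte selects a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class AaaServer:
    """Hypothetical stand-in for the AAA server in the slides (assumption, not HP's product):
    per-user static password, shared secret and sequence counter; validates password + OTP."""

    def __init__(self, digits: int = 6, look_ahead: int = 5, resync_window: int = 1000):
        self.digits = digits
        self.look_ahead = look_ahead        # token presses that never reached the server
        self.resync_window = resync_window  # how far a help-desk resync may search
        self.users = {}

    def provision(self, user: str, password: str, secret: bytes, counter: int = 0) -> None:
        # "New User": key and sequence number 0 are assigned to the user entry
        self.users[user] = {"password": password, "secret": secret,
                            "counter": counter, "locked": False}

    def authenticate(self, user: str, combined: str) -> bool:
        """combined = static password with the OTP appended in the same password field."""
        entry = self.users.get(user)
        if entry is None or entry["locked"] or len(combined) <= self.digits:
            return False
        password, otp = combined[:-self.digits], combined[-self.digits:]
        if not hmac.compare_digest(password.encode(), entry["password"].encode()):
            return False
        start = entry["counter"]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(otp, hotp(entry["secret"], c, self.digits)):
                entry["counter"] = c + 1    # counter +1: this and every earlier OTP is now dead
                return True
        return False

    def resync(self, user: str, otp1: str, otp2: str) -> bool:
        """"Help Desk": two consecutive OTPs re-align the server counter with the token."""
        entry = self.users.get(user)
        if entry is None or entry["locked"]:
            return False
        start = entry["counter"]
        for c in range(start, start + self.resync_window):
            if (hotp(entry["secret"], c, self.digits) == otp1
                    and hotp(entry["secret"], c + 1, self.digits) == otp2):
                entry["counter"] = c + 2
                return True
        return False

    def deactivate(self, user: str) -> None:
        """"Deactivate User": lock the entry; the token itself may be re-assigned."""
        if user in self.users:
            self.users[user]["locked"] = True


# Constructed demo input: the RFC 4226 Appendix D test secret (ASCII digits, 20 bytes).
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk a user through first use, replay, a skipped press, a bad password and a resync."""
    srv = AaaServer()
    srv.provision("alice", "s3cret", DEMO_SECRET)
    return [
        srv.authenticate("alice", "s3cret" + hotp(DEMO_SECRET, 0)),   # first use: accepted
        srv.authenticate("alice", "s3cret" + hotp(DEMO_SECRET, 0)),   # replay: rejected
        srv.authenticate("alice", "s3cret" + hotp(DEMO_SECRET, 2)),   # one skipped press: accepted
        srv.authenticate("alice", "wrong0" + hotp(DEMO_SECRET, 3)),   # wrong password: rejected
        srv.resync("alice", hotp(DEMO_SECRET, 50), hotp(DEMO_SECRET, 51)),  # help desk resync
    ]


if __name__ == "__main__":
    print(hotp(DEMO_SECRET, 0), demo())
```

The look-ahead window is what makes the "event synchronized" method from the earlier slide usable in practice: a user who presses the token button without logging in moves the device counter ahead of the server's, and the server only tolerates a few such presses before a help-desk resync is needed. Note that the server never accepts a counter value at or below the one it last saw, which is what gives the OTP its single-use property on the validating side.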


Visolve – Fortune 100 Clients

- SMB's
- DTS - Largest ISP in Madagascar
- Several K-12 School Districts
- ISPs in US and Canada
- City of St. Paul, MN
- Blueprint Data, FL
- Fanshawe College, London
- Genesis Technology, Taiwan
- Axseed – Japan

THANK YOU
