DSS ITSEC Conference 2012 - VASCO - Tech 2.0

Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.

Published in: Technology

  1. Strong Authentication … in details. Kuznetsov Alexander, Technical Account Manager. © 2012 - VASCO® Data Security
  2. VASCO Core Activities
  3. Overview: DIGIPASS, DIGIPASS Go Range, DIGIPASS E-signature, DIGIPASS Reader, DIGIPASS for Mobile, DIGIPASS Nano, Virtual DIGIPASS, DIGIPASS for Web, DIGIPASS PKI, DIGIPASS for Windows
  4. Evolution of Authentication Devices (chart: security level of authentication devices against sophistication level of attacks; devices: Static Passwords, Counter-based OTP, Time-based OTP, Electronic signature, WYSIWYS / Meaningful user prompts; attacks: Phishing, Pharming, Keyloggers, Virtual keyboards, MitM, MitM with Social Engineering). Federal Reserve Briefing
  5. Evolution of Authentication platforms (chart axes: Security, Ease of Use, Cost, Flexibility)
  6. VASCO Software: DIGIPASS, DIGIPASS Go Range, DIGIPASS E-signature, DIGIPASS Reader, DIGIPASS for Mobile, DIGIPASS Nano, Virtual DIGIPASS, DIGIPASS for Web, DIGIPASS PKI, DIGIPASS for Windows
  7. Market leader: Digipass for Mobile 4.0. Dedicated authentication application in your mobile device. Focus: Strong Security! Weak PIN detection, Device Binding, Time+Event Based
  8. DP 4 Mobile: why?
     • Easy to integrate: included web samples
     • Easy to deploy: three provisioning options
     • Easy to use: intuitive graphical user interface
     • Easy to customize: use your own colors and logos for Mobile
  9. Supported Mobile Platforms
     • Android OS 2.2 and later
     • iOS 4.1 and later
     • BlackBerry OS 5.0 and later
     • MIDP2 compatible devices
     • Windows Mobile / Phone
  10. DP 4 Mobile Editions
     • Standard: fully customizable; customer responsible for provisioning process
     • Enterprise: not customizable; only authentication; 3DES, Time Based, Decimal 2; VASCO responsible for provisioning process
  11. Step 1: Software Package Download (diagram: Enterprise Server; HTTP download + Local Install on each device)
  12. Step 2: Activation Modes
     • Offline activation
     • QR code activation
     • Online activation
  13. Offline Activation (diagram: DIGIPASS Serial Number, Activation Code (21 digits), Reactivation Password + Local Password)
  14. QR Activation
  15. Online Activation (diagram of the activation exchange, steps 1–5; labels: Generate Nonce; Identifier + Authorization Code + Nonce; AAL2GenActivationCodeXErc with Static Vector; AAL2GenActivationDataRndKey: Serial Number Suffix + Activation Code + Reactivation Counter + Nonce; Encrypted Full Activation Data (encrypted with activation password); Activate with Activation Password)
  16. Step 3: OTP Post Activation (diagram: 1 OTP, 2 Response; AAL2VerifyPassword)
  17. Post Activation Device Binding (diagram: 1 Platform Finger Print; 2 Serial Number + Derivation Code; 3 Response; AAL2DeriveTokenBlobs; can also be done offline)
  18. Full Picture
  19. DP4Mobile – Challenge/Response
  20. DP4Mobile – QR Challenge/Response
  21. Customization: Mobile Provisioning …
  22. Customization: Post Activation
  23. Customization: Mobile Settings
  24. Customization: Multilanguage
     • One XML file per language
     • CustomizationToolinputxml
     • Can also be used for #looks
  25. Test your Digipass for Mobile. Already now, go get your DIGIPASS at: http://dp4mobile.demo.vasco.com/dp4mobile/
  26. DIGIPASS SDK: Software engine
     • DIGIPASS SDK: J2ME (Java, BlackBerry); iPhone OS (Objective C); WindowsMobile 5.0+ / Windows Phone; Symbian OS (2nd to 5th editions); Android
     • Integration partners: Clear2pay, Monext, Lemonway; mFoundry; FundTech …
     • Banking applications: HSBC; GarantiBank; Alfa-Bank
  27. DIGIPASS: The building blocks (diagram: a generated code that changes; inside the DIGIPASS: User Interface, Encryption Algorithm, Storage, Time / Event / Challenge, Parameters, Secret; annotations: Secret is protected, Encryption Algorithm, Time, Human Readable Truncation, by VASCO)
  28. The same concept on a different platform (diagram: DIGIPASS beside DIGIPASS SDK on Platform X; shared components: User Interface, Encryption Algorithm, Storage, Parameters, Secret, Time; SDK side: Communication Interface, Static Vector, Dynamic Vector, Core, Time Shift, Application; by VASCO)
  29. Software DIGIPASS: Secure Platform
  30. Software DIGIPASS: Platform Scoring. Jail broken? Infected? Location? Behavior?
  31. Software DIGIPASS: Application Security
     • True Random Key generation
     • Secure Key provisioning
     • Application Signing & Obfuscation
     • Slow Encryption Function
     • Device Binding
     • External Audit
  32. Software DIGIPASS: Native Integration
  33. DIGIPASS NANO: Secure Component
  34. Digipass Nano: More Security, More Convenience. SIM Toolkit menu. Test your DP NANO sample at http://dpnano.demo.vasco.com
  35. Intel IPT: Integrated DIGIPASS in your PC. Federal Reserve Briefing
  36. Intel IPT drivers
     • Hardware security level
     • Regular password logon experience
     • No shipping!
     • Central provisioning
     • Large penetration potential
  37. Digipass for Web + Intel IPT. DP4Web applet:
     • Activation through VASCO
     • Generate OTP
     • Generate e-signature
     • Supported by all VASCO server solutions
  38. VASCO Server Side offering
  39. VASCO Identikey Server: Single point of Authentication (diagram: Custom web applications; Citrix, OWA, etc.; VPN, SSLVPN, Firewall, etc.; authenticators: Hardware, Software, Smart Cards)
  40. Functional architecture (diagram labels; Front-End Integration: Customer Web Applications; Web-based Administration (User & DIGIPASS Administration, Reporting) on Apache Tomcat Webserver via SOAP / SEAL; Command Line TCL; IIS Web Applications via SEAL; RADIUS Client via RADIUS; Domain Login via LDAP (Windows API); Custom API via SEAL. Back-End: Authentication; ODBC to PostgreSQL Database; LDAP/LDAPS to Active Directory (Users & Computers, AD Directory))
  41. Identikey Server features
     • Authentication and e-signature validation server: strong authentication validation; transaction data signing – e-Signature; DIGIPASS Family ready (including SMS)
     • Policy based authentication: different policy for each application; automatic creation of users; auto-assigning of the DIGIPASS to the user
     • Easy to integrate in your front-end application: RADIUS protocol (authentication); SOAP protocol – web services; SAML protocol – federation authentication
     • High-availability and scalability model: load balancing (primary and backup servers); DB availability control service
  42. Identikey Server features
     • Centralized web-based administration interface: DIGIPASS & user management; domains & organizational units; policy management; application management; system management
     • Delegated administration: > 80 different administrative privileges
     • Reporting capabilities: 28 standard reports available; custom reports
     • Admin access can be protected by OTP
     • System and performance monitoring capabilities
     • Fully PCI-DSS compliant
  43. DIGIPASS Authentication for Windows Logon. DAWL features:
     • Offline authentication (up to 30 days)
     • Force OTP
     • Password Randomization
     • PSM – Password Synchronization Manager
     • DCR – Dynamic Client Registration
     • DNS reverse Lookup
     • Terminal Server authentication
  44. DAWL – Architecture + PSM (diagram labels: Windows, SEAL, LDAP, SEAL-SSL)
  45. What is DIGIPASS as a Service
  46. Supported Types of Authenticators
  47. API vs Web Interface
  48. Availability
  49. MYDIGIPASS.COM
  50. MDP: concept (diagram: Front-end: End-user, Website; Back-end: DIGIPASS as a Service; steps 1–3: Validation, Validation ok)
  51. MDP: Launch pad & Marketplace
  52. MDP: available today. 3 types of DIGIPASS: Hardware DP GO6; Software Mobile DP; Software DP4Web with Intel IPT. QR-code autologin
  53. DEMO (screen labels for the OTP validation parameters: Interval between 2 successive time units; Time granularity, standard 32 seconds; List of valid time-based OTPs; List of valid counter-based OTPs; Additional digits; Speeds up verification of an OTP; Generated by host, optional, randomly, used for first OTP validation, sent to user)
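The building blocks on slide 27 (a protected secret, a moving factor such as time or an event counter, an encryption algorithm, human-readable truncation) and the validation parameters on the demo slide (a 32-second time granularity, a list of valid time-based OTPs, a list of valid counter-based OTPs) map onto the following Python example. It is added here and is not VASCO code: it uses HMAC-SHA1 (HOTP, RFC 4226) in place of the proprietary DIGIPASS algorithm, and the secret, timestamp, window sizes and digit count are constructed values. The accepted time offset returned by the verifier is the kind of per-device "time shift" a server can record (slide 28), and the counter-based verifier advances its stored counter so an accepted OTP cannot be replayed.

```python
"""Time-based and counter-based OTP with server-side validation windows.

Added illustration, not VASCO code. HMAC-SHA1 with RFC 4226 dynamic truncation
stands in for the proprietary DIGIPASS algorithm; all sample values are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

TIME_STEP_SECONDS = 32   # "time granularity, standard 32 seconds" on the demo slide
DIGITS = 6               # length of the human-readable code (assumed)


def _truncate(mac: bytes, digits: int) -> str:
    """Human-readable truncation: 31 bits at an offset chosen by the MAC's low nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based OTP: secret + 8-byte big-endian counter -> MAC -> truncated digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def time_unit(now: int, step: int = TIME_STEP_SECONDS) -> int:
    """Number of whole time units since the epoch; the 'time' moving factor."""
    return now // step


def otp_for_time(secret: bytes, now: int, step: int = TIME_STEP_SECONDS,
                 digits: int = DIGITS) -> str:
    """Time-based OTP: the counter is the current time unit."""
    return otp_for_counter(secret, time_unit(now, step), digits)


def verify_time_otp(secret: bytes, candidate: str, now: int, window: int = 1,
                    step: int = TIME_STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Check the candidate against the list of valid time-based OTPs.

    window=1 accepts the previous, current and next time unit (3 valid OTPs).
    Returns the accepted offset in time units (the device's clock shift), or None.
    """
    base = time_unit(now, step)
    for delta in range(-window, window + 1):
        expected = otp_for_counter(secret, base + delta, digits)
        if hmac.compare_digest(expected, candidate):   # constant-time comparison
            return delta
    return None


class CounterOtpVerifier:
    """Server-side state for counter-based OTP validation.

    Accepts any OTP within a look-ahead window from the last accepted counter,
    then moves the stored counter past it, so a replayed OTP is rejected.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = DIGITS):
        self.secret = secret
        self.counter = 0            # next counter value expected from the device
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = otp_for_counter(self.secret, c, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.counter = c + 1    # consume this and every earlier counter value
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed; real secrets are provisioned
    now = 1_700_000_000                        # constructed Unix timestamp
    code = otp_for_time(secret, now)
    print("time-based OTP:", code, "accepted offset:", verify_time_otp(secret, code, now))
    server = CounterOtpVerifier(secret, look_ahead=5)
    print("counter 3 accepted:", server.verify(otp_for_counter(secret, 3)))
    print("replay rejected:", not server.verify(otp_for_counter(secret, 3)))
```

The time window and the look-ahead window are exactly the "list of valid OTPs" a server keeps: widening them tolerates clock drift or unsynchronised counters at the cost of more guessable codes per attempt, which is why the verifier is paired with a stored counter (and, in a real deployment, with attempt throttling).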
  54. Thank You. Alex Kuznetsov, Technical Account Manager EE-CIS, aku@vasco.com
  55. Copyright & Trademarks. Copyright © 2011 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security. Trademarks: VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and the ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Disclaimer of Warranties and Limitations of Liabilities: This Report is provided on an as is basis, without any other warranties, or conditions.