TokenRide

TokenRide is an e-commerce wallet service for business and consumer customers. Its approach to One Time Passwords (or to OTP-protected data flows) is a "per customer" virtual wallet engine with a number of features built in, allowing it to be integrated into a wide range of services.

Because of its "passive" nature it can, for example, add a One Time Password logon and intrusion-detection (IDS) features to classical e-mail, standard logons and similar systems, with no extra effort and no extra hardware and with low resource requirements (suitable for older smartphones), together with a portable personal wallet.


TokenRide is not strictly a single sign-on (SSO) solution but a just-in-time, one-way system (no cryptography involved, according to the deck) that acts as a sort of gear "pulsing" in transactions, each with its own lifetime, in a non-invasive way.

As a loose analogy, imagine playing with data the way you play with the internals of a clock, its gears, or a Rubik's cube. This is what makes the difference.


My personal details are on my Xing / LinkedIn pages and on my website (multi-language):

http://berardimichele.interfree.it


Michele Berardi
System Developer
+39 347 319 2000
http://berardimichele.interfree.it

TokenRide

  1. TokenRide ® “guess factor authentication” (Commerce Wallet – Doc. Rev. 1F) © 2009 Berardi Michele. Mobile: +39 347 319 2000. E-mail: [email_address]
  2. One Time Passwords (Preface)
     • The purpose of one-time passwords (OTP) is to make it harder to gain unauthorized access to restricted resources, such as a computer account.
     • A static password can be recovered by an unauthorized intruder given enough attempts and time. By changing the password on every use, as a one-time password does, this risk is greatly reduced.
     • There are basically three known types of one-time password:
       - the first type uses a mathematical algorithm to generate each new password from the previous one (a hash chain, as in S/KEY, RFC 1760);
       - the second type is based on time synchronization between the authentication server and the client that produces the password (as in TOTP, RFC 6238);
       - the third type again uses a mathematical algorithm, but the new password is derived from a challenge (e.g. a random number chosen by the authentication server, or transaction details) and/or a counter rather than from the previous password (as in HOTP, RFC 4226, and OCRA, RFC 6287).
     • More often than not, one-time passwords are one component of a two-factor [1] authentication solution.
     • Some single sign-on [2] solutions make use of one-time passwords.
     • One-time password technology is often used together with a security token.
     [1] An authentication factor is a piece of information, and the process of checking it, used to verify a person's identity. Two-factor authentication (T-FA) uses two different factors; using two factors instead of one gives a higher level of authentication assurance. Using more than one factor is sometimes called strong authentication.
     [2] Single sign-on (SSO) is a method of access control that lets a user log in once and gain access to the resources of multiple software systems without being prompted to log in again. Single sign-off is the reverse process, where a single sign-out action terminates access to multiple systems. Because different applications and resources support different authentication mechanisms, single sign-on has to translate internally to, and store, credentials different from those used for the initial authentication.

     Probabilities of stealing a password under different attack scenarios, for standard passwords and for One Time Password authentication (the figures are the deck's own; it does not show how they were computed):

     Attack scenario      | One Time Passwords        | Static "big" passwords
     Guess of password    | 1 / 768,640,133,333,334   | 1 / 192,160,033,333,334
     Observing an auth.   | 1 / 768,640,133,333,334   | 1 / 1
  3. “Guess Factor” Authentication (Foreword)
     • “Guess factor” authentication offers an approach to One Time Password logon (or data flows), with many features built in and integration into a vast range of services.
     • Due to its "passive" nature it can, for example, transform classical e-mail, standard logons and data flows and protect them from theft, with no effort and no extra hardware, adding a "One Time Password" flavour and IDS features while preserving system resources (good for older smartphones).
     • The engine is not strictly an SSO solution (it can be integrated with one if needed); it works instead as a just-in-time, one-way system (no cryptography involved, according to the deck), offering special features such as "OTP tunneling", which acts as a gear "pulsing" in transactions with its own lifetime, in a non-invasive way.
     • Seed frequency and precision are scalable up to milliseconds (presented as suitable for military applications).
     • As a loose analogy, imagine playing with data as you play with the internals of a clock, its gears, or a Rubik's cube. This and much more makes the difference.
  4. TokenRide ® “Guess Factor” Wallet (Global Vision)
     TokenRide - Three Factor (guessing) - Authentication. The slide's diagram shows the TokenRide client wallet on one side, the TokenRide server filter on the other, and the validation steps between them:
     • something you know: username, password, PIN;
     • something you have: the TokenRide client wallet (reuse of, or integration with, old OTP devices is allowed);
     • something to guess: the GUESS OTP produced by the wallet.
     Validate user: 1. username/password; 2. PIN + GUESS OTP (reuse optional).
     Server Tickle Code: this step is optional and is useful, for example, in e-commerce transactions, as it carries notes about the seller and the transaction, speaking the "language" of the specific "TokenRide Wallet" (Tickle Client).
     Engine features listed on the slide:
     • dynamic seed SPRNG (secure pseudo-random number generator), cold insertion and expiry-check mechanisms;
     • non-uniform key size / dynamic key resize;
     • OTP tunneling: integrates third-party OTP technology such as OTP generators or timecodes (data flow), useful in (and usable within) cascaded authentication flows;
     • multiplatform; hardware token emulation;
     • IDS: polymorphic (varies the algorithm under attack);
     • per-client (cold load) standard and customized, non-cryptographic or cryptographic token exchange, hashes and SPRNG;
     • certification authorities supported; an innovative one-time username feature (if used with certification authorities);
     • implicit/explicit timeout;
     • graphical OTP (CAPTCHA) supported;
     • no database and no client/server sync needed.
     The user generates and maintains personalized algorithms. Different passwords (with no uniform size) are always granted. The client wallet runs on virtually any hardware and is upgradable.
     Caveat: "something to guess" is not one of the conventional factor categories (knowledge, possession, inherence); whether an independent third factor is really added depends on how the guess value is derived, which the deck does not specify.
  5. “Two Factor” and “Guess Factor” Authentication (Differences)
     Classical - Two Factor - Authentication:
     • something you know: username, password, PIN;
     • something you have: the token device;
     • validate user: 1. username/password; 2. PIN + OTP;
     • each device generates a different password when needed (OTP), but its scheme is the same for all users and cannot be upgraded (client and server).
     TokenRide - Three Factor (guessing) - Authentication:
     • something you know: username, password, PIN;
     • something you have: the TokenRide client filter (reuse of, or integration with, old devices is allowed);
     • something to guess: the GUESS OTP;
     • validate user: 1. username/password; 2. PIN + GUESS OTP (reuse optional);
     • Server Tickle Code: an optional step, useful for example in e-commerce transactions, as it carries notes about the seller and the transaction in the "language" of the specific "TokenRide Wallet" (Tickle Client);
     • the user generates and maintains personalized algorithms; different passwords (with no uniform size) are always granted; the client token runs on virtually any hardware and is upgradable (TokenRide client filter, TokenRide server filter).
  6. Why prefer TokenRide ®? (Solution advantages, examples)
     Scenario: If someone steals a user token?
       TokenRide Wallet: generate and deploy a new random "TokenRide Wallet" only to the affected users (real time, rapid). Don't forget to block the old token soon.
       Classic One Time Passwords: wait and "downgrade" to the old, less secure static-password access until the admin ships a new token (slow).
     Scenario: Reverse engineering of some tokens?
       TokenRide Wallet: generate and deploy a new random "TokenRide Wallet" only to the affected users via secure channels (real time).
       Classic One Time Passwords: change one-time password technology (expensive).
     Scenario: Integration, reuse of pre-existing solutions?
       TokenRide Wallet: as simple as adding an HTTPS POST / input box: send the user's OTP (HTTP POST) to the engine and wait for the response.
       Classic One Time Passwords: wrap and adapt to the chosen One Time Password protocol, build databases and servers, or contract external services (another cost on the balance).
     Scenario: Theft or reverse engineering of the technology or of the databases on the main servers; solutions?
       TokenRide Wallet: "guess factor" grants a unique "TokenRide Wallet" to each user and can be expanded with new algorithms, meaning that if the token technology is reversed (hard to do), the system quickly generates and batch-deploys new tokens with totally different logic, with or without the old user data.
       Classic One Time Passwords: find another one-time password technology (expensive); reship new tokens to all users and quickly block the existing code (blocking customer services).
     Scenario: Upgradable, multiple downloadable generators, non-uniform key size, password wallet, intrusion detection?
       TokenRide Wallet: migrate user data onto new structures and generator "tunnels", deploy the upgraded token to end users (rapid).
       Classic One Time Passwords: No.
     Scenario: Phishing, keylogging, inducing the user to generate a certain number of OTP codes (fraudulent use)?
       TokenRide Wallet: the key-expiry check is not implemented in the generation logic, and no sync is needed between clients and servers.
       Classic One Time Passwords: some OTP engines allow the use of old generated but unused OTPs; others implement a time sync, and if new codes are generated too soon one side effect is a desync between the client token and the server, meaning that legitimate access is blocked too and human intervention is needed.
     Scenario: Integrate or use tokens in a cascaded flow with other OTP technologies, or for purposes other than password generation?
       TokenRide Wallet: yes, with the "OTP tunneling" feature; with an appropriate configuration you can treat data flows instead of single passwords.
       Classic One Time Passwords: No.
     Scenario: E-commerce: OTP service center, generating and deploying "scratch tokens" to sellers / resellers?
       TokenRide Wallet: Yes.
       Classic One Time Passwords: No.
     Scenario: Re-engineering, looking at home products too?
       TokenRide Wallet: Yes.
       Classic One Time Passwords: No.
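The "phishing / induced generation" row above turns on how a server treats codes that were generated but not yet used, and on what happens when client and server fall out of step. The preface's first OTP type (each password derived from the previous one, a Lamport / S/KEY-style hash chain) shows both points in very little code. What follows is an added example written for this page, not TokenRide's engine: a chain client, a server that stores only the last accepted element, a look-ahead window that absorbs skipped codes without a desync lockout, and the rule that accepting a later code burns every earlier unused one. Chain length, window size and the SHA-256 hash are assumptions of this example.

```python
"""Added example for this page (not TokenRide code): hash-chain OTP with a
server-side verifier that tolerates skipped codes and rejects replays."""
import hashlib
import secrets


def chain_hash(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


class ChainClient:
    """Holds the seed; hands out chain elements in decreasing index order."""

    def __init__(self, seed: bytes, length: int):
        self.seed = seed
        self.next_index = length - 1   # element `length` went to the server at enrolment

    @staticmethod
    def element(seed: bytes, index: int) -> bytes:
        value = seed
        for _ in range(index):         # H^index(seed)
            value = chain_hash(value)
        return value

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol")
        otp = self.element(self.seed, self.next_index)
        self.next_index -= 1
        return otp


class ChainServer:
    """Stores only the last accepted element and never sees the seed.
    An observed OTP reveals nothing about the next one (preimage resistance)."""

    def __init__(self, enrolment_element: bytes, window: int = 5):
        self.current = enrolment_element
        self.window = window

    def verify(self, candidate: bytes) -> bool:
        value = candidate
        for _ in range(self.window):   # look-ahead: absorb up to `window` skipped codes
            value = chain_hash(value)
            if value == self.current:
                self.current = candidate   # advance; every unused code before it is now burnt
                return True
        return False                   # replay, stale code, guess, or beyond the window


def enrol(length: int = 20, window: int = 5):
    seed = secrets.token_bytes(32)     # constructed sample enrolment
    client = ChainClient(seed, length)
    server = ChainServer(ChainClient.element(seed, length), window)
    return client, server


def demo() -> dict:
    client, server = enrol()
    first = client.next_otp()
    second = client.next_otp()         # generated (e.g. by a phished user) but never submitted
    third = client.next_otp()
    results = {
        "first accepted": server.verify(first),
        "first replayed": server.verify(first),
        "third skips second": server.verify(third),    # inside the window: no desync lockout
        "second after third": server.verify(second),   # burnt once a later code was accepted
        "random guess": server.verify(secrets.token_bytes(32)),
    }
    for _ in range(5):                 # client races ahead by more than the window...
        client.next_otp()
    results["beyond window"] = server.verify(client.next_otp())  # ...and is now desynced
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} -> {'accepted' if ok else 'rejected'}")
```

The trade-off the table describes is visible in the window parameter: a larger window lets a user who generated codes under phishing pressure keep logging in, but also keeps those induced codes usable by the attacker until the victim's next successful login burns them; a window of zero prevents that but turns every skipped code into a lockout needing re-enrolment.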
  7. TokenRide ® (Keynotes & Requirements) (1/2)
     • Multiplatform & easy integration: consider "guess factor" as an algorithmic logic-flow proposal; no special requirements or dependencies are needed. The entire logic can be integrated with no effort into web servers, phones, etc.
     • Can emulate hardware tokens.
     • Unicode support for natural-language tokens: thanks to Unicode support and a specific algorithm, the engine can generate words or phrases in virtually any known language instead of plain numbers.
     • Web or desktop: implement a web or desktop interface, or turn any USB device (U3 support included) into a "TokenRide Wallet".
     • OTP tunneling: integrate third-party OTP technology, such as OTP generators or timecodes (data flow), and use it in a cascaded authentication flow.
     • Optional OTP screen saver (Wi-Fi / Bluetooth control).
     • No database and no client/server synchronization needed (offline [out of sync] OTP generation always granted): at the same instant, clients and servers generate the same code, but no hash is shared between them (the deck presents this as avoiding cryptographic collision attacks). Note that producing the same code on both sides at the same instant is the time-synchronized OTP type of the preface, so client and server clocks must still agree within some tolerance.
     • Fingerprint reader integration.
     • Graphical CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) OTP supported.
  8. TokenRide ® (Keynotes & Requirements) (2/2)
     • Dynamic seed - SPRNG (secure pseudo-random number generator): cold OTP insertion (expiry-check mechanisms also allowed).
     • Non-uniform key size <-> dynamic resize.
     • Intrusion detection: polymorphic (varies the algorithm under attack).
     • Cold load: per-client (cold load) standard and customized non-cryptographic or cryptographic tokens, hashes and seed randomizers.
     • Certification authorities supported.
     • Innovative one-time username feature (if used with certification authorities).
     • Implicit/explicit OTP timeout.
     • Code frequency, precision, seeding and validation scalable up to milliseconds.
     • Live demos for different well-known systems: AS/400, SAP, OpenVPN …
     • Mers “Memorable Random Strings” supported.
     • Optional desktop widgets.
     • And many more features …
