Secure Web Access Solution

Academic year: 2021


I. CONTENTS

II. INTRODUCTION
    Overview
    Copyrights and Trademarks

III. E-CODE SECURE WEB ACCESS SOLUTION
    Overview
    PKI Secure Web Access
        Description
        Benefits
    OTP Secure Web Access
        Description
        Benefits

II. INTRODUCTION

This document provides a detailed technical description of the Secure Web Access solution by E-Code.

Overview

E-Code Secure Web Access is a solution that makes web access more secure and eliminates any chance of credential hacking. E-Code Secure Web Access provides extra security with two- or three-factor authentication based on Public Key Infrastructure (PKI). The solution also offers a second method that uses a One-Time Password (OTP). Unlike normal username/password credentials, PKI and OTP credentials are more secure, so that no hacker can attack them.

Copyrights and Trademarks

All of the content in this manual and the accompanying software (including all text, graphics, sounds, demos, patches, hints and other files) is covered under KSA and international copyright and trademark laws by E-Code and other companies, and is the property of E-Code, or is presented with permission and/or under license. This content may not be used for any commercial purpose without the express written permission of E-Code and, possibly, other copyright and trademark owners. All other trademarks and copyrights are the property of their respective owners.

III. E-CODE SECURE WEB ACCESS SOLUTION

Overview

Online transactions are an essential part of today's life, and every moment they enter new fields and applications. With the launch of initiatives towards e-government and e-commerce, the demand for secure and reliable web access has become very important. Some transactions are made for online payments and others for entertainment, such as games portals, which are less critical and sensitive than financial transactions. Other actions, such as logging in to enterprise resources remotely, are critical, and a strict proof of user identity is required.

Most websites and web applications depend on username and password authentication, which is not a secure way to authenticate. A user's password may be hacked and stolen in many ways, such as keystroke loggers, brute-force attacks, or even from the server side. Another issue with username/password credentials is that the user will not notice that a hacker has stolen the password and is using it.

Another issue is that static username/password credentials are cached in the web browser. This is extremely dangerous, because a hacker can attack the browser and retrieve these credentials, or another person can use them to log in later from the same machine.

(Figure: Password Hacking, showing the user, the hacker and the web server)

A masquerade attack is a common example of hacker activity against web services/applications and illustrates the problem. The hacker attacks the user's machine and steals the username/password credentials. The hacker then uses these credentials to access the web server, either at the same time as the user or later, after the user logs out. Stealing money or publishing illegal and harmful content on behalf of the user is what the hacker can now do.

E-Code Secure Web Access Solution provides a secure and reliable connection to websites and applications. The basic idea of the solution is a hardware token (PKI/OTP) that holds the user's credentials. Hardware devices are secure and cannot be copied. Also, when the token is lost, the user can take action to suspend the service or account related to that token.

The E-Code solution includes two alternatives:
1- PKI Based Secure Web Access.
2- OTP Based Secure Web Access.

These alternatives are described below with details about modules, features, and benefits.

PKI Secure Web Access

Description

This solution is intended to provide a hardware authentication technique for websites and web applications. In this solution, the E-Code Smart Token is used to store the user certificate, which serves as the user's credential for accessing the website. Secure Web Authentication uses an SSL certificate installed on the web server and signed certificates installed on the smart token to establish a secure Internet connection between the web browser and the website. In this case the website uses an https connection, which is more secure and reliable than a normal http connection.

(Figure: Secure PKI Web Access Architecture, showing the user tokens, the web server with its SSL certificate, the database server and the CA server)

As shown in the above figure, each user can connect to the web server and access the website/web application if and only if the user has a smart token connected to the PC. This smart token is secure storage for the user certificate, which is signed by the same issuer as the web server's certificate. A user who does not hold the smart token, or who has a token with the wrong certificate, is unauthorized. The server identifies itself to callers through its SSL certificate. The SSL protocol requires a user certificate from the client side. This certificate is verified at the server side through an integrity check and CRL validation.

The CA server is responsible for issuing certificates to the smart tokens. This CA may also issue the SSL certificate for the web server.

(Figure: HTTPS Connection Flow between web browser and server: Client Hello, Server Hello, Key Exchange, HTTP GET, Data Transfer)

The PKI based secure web access method uses different modules to complete the authentication cycle. Initially, the website must have an SSL certificate. Then the connection to the website is changed to https instead of normal http. The user must have a personal certificate issued and signed by the same issuer as the web server's SSL certificate. Therefore, a certificate authority system is an essential module of the system.

CERTIFICATE AUTHORITY

E-Code Certificate Authority (CA) is a desktop application that runs on all Windows versions. All actions related to E-Code CA are performed through the application user interface. It requires no internet connection or scripting experience to manage. The E-Code CA user interface includes two main functionalities: CA operations and token management operations.

E-Code CA provides all the actions related to a certificate authority: certificate issuance, certificate management (export, import), certificate revocation, and backup. E-Code CA is managed by one system administrator using one token containing the root certificate. Users who do not have that token can only export the public certificates of the users in the database. This increases the security of the system, as only one person is authorized to make changes to the CA.


E-Code CA supports certificate issuance according to the X.509 standard. Issued certificates can also have any key usage and extended key usage. Issuing a certificate requires that the token or smart card be connected to the CA machine. No remote issuance is supported, which keeps the CA system simple.

E-Code CA supports a certificate issuance hierarchy. This is done by issuing a Root CA that issues sub-roots. These sub-roots can issue further sub-roots or personal certificates. This feature can be used to mirror the enterprise structure in the certificate issuance process.


For secure web access, an SSL certificate must be issued for the website/application. This is available using E-Code CA. Hence, both the users' personal certificates and the web server certificate are issued from E-Code CA.

WEB SERVER INTEGRATION

This module integrates with the website's web server to authenticate users using PKI certificates. E-Code integration is applicable to any web server that supports SSL communication, such as IIS and Apache. The integration work involves installing the SSL certificate on the server, trusting the root certificate on the server machine, and modifying the user authentication technique to use PKI certificates only. In some cases, custom code may be added to force user login through certificates.

SMART TOKEN

To make the complete solution secure without any weak point, the user's personal certificate must be stored on a secure hardware device that is impossible to duplicate. Here comes the importance of the smart token module, as it is the user's electronic identity. The token is protected with a security PIN so that only the rightful owner can use it. The PIN expires after a number of wrong attempts, and the token is then locked. Thus there is no worry about losing the token, as no one can use it except its owner.

E-Code Smart Token (eSign) is a security hardware device. It provides digital signature and data encryption services. eSign is offered in three hardware models: basic, standard and biometric.

eSign provides digital certificate generation and management, electronic signing and verification, and data encryption and decryption. All secure operations are performed entirely by the internal device hardware.

eSign complies with the security standards for digital signature and data encryption. It supports the PKCS, CSP, X.509, SSL and PC/SC standards. Compliance with these standards allows automatic integration with many applications, for example email clients, internet browsers, computer login and various network access services.

eSign is protected by two- and three-factor authentication. Besides mandatory password authentication, it is uniquely supported by an accurate and reliable fingerprint identification system. E-Code CA features can be divided into two categories: CA features and token management features.


Benefits

HIGH SECURITY

A number of security mechanisms are employed, helping significantly to eliminate the risk of fraud, attacks and misuse by unauthorized individuals and hackers.

The connection is the most secure internet connection, SSL, which guarantees the required security level on both the server and client sides. Also, the user's identity is stored on secure hardware that cannot be duplicated. The hardware is protected by the user's PIN/fingerprint to ensure that only the token owner can use it.

EASY ADMINISTRATION

The E-Code PKI solution for web access provides an easy and simple method to control access to the website using a Certificate Revocation List (CRL). The CRL enables the admin to prevent a user from accessing the server temporarily or permanently.

STANDARDS COMPLIED

The E-Code PKI web access solution supports the X.509 standard and the CRL standard version 3.0. It also supports the PKCS#11 standard for hardware security devices.

USABILITY

E-Code Secure Web Access Solution is easy to deploy and use with any website or any web application.

COMPATIBILITY

The PKI solution is compatible with all applications and environments, which makes it suitable and easy to use in any case. The solution is compatible with the IIS and Apache web servers, and with the Internet Explorer, Chrome and Mozilla Firefox web browsers. The solution can be used with different operating systems, as the E-Code Smart Token is compatible with Windows (32/64-bit) 2K, XP, 2003, Vista, 7, 8, 2008 and Linux (32-bit).


OTP Secure Web Access

Description

The One-Time Password is today one of the simplest and most popular forms of two-factor authentication for securing network access. For example, in large organizations and enterprises, VPN or website access often requires One-Time Password tokens for user authentication. One-Time Passwords are often preferred because an air-gap device does not require the installation of any client desktop software or drivers on the user's machine, which allows them to support multiple machines, including home computers, kiosks, and personal digital assistants.

The OTP RADIUS system provides a solution for user authentication using the One-Time Password (OTP) method, with the back-end system on the server side. It allows the end user to authenticate with one click/touch.

The user requests access to a service; the system then sends an authentication request to the OTP server through the RADIUS protocol. The OTP server responds with success or failure. Finally, the web application service permits or denies the user's access.

(Figure: OTP RADIUS system deployment, showing the users database or LDAP server, the OTP RADIUS server, a load balancer, the firewall and web server, the operator/administrator, and end users generating OTPs with a PC plus smart phone or a PC plus OTP device)

The OTP RADIUS system contains different functional components with different administration interfaces. Each component can be managed separately through its interface.

The system also supports different operating systems, so it serves end users who use multiple access devices, such as PCs, laptops, tablets and smart phones.


(Figure: RADIUS protocol flow between the end user OTP (SW/HW tokens), the web application server, the OTP RADIUS server and the users DB or LDAP server)

The system can be described as four entities:
1. OTP RADIUS server.
2. OTP Client (OTP Generator).
3. Web application (NAS).
4. Users Database.

OTP RADIUS SERVER

This module is the core component of the OTP RADIUS system. It provides high-performance authentication via a secure communication protocol, the Remote Authentication Dial-In User Service (RADIUS) protocol.

The OTP server application receives the user's credentials and communicates with the database/LDAP server to authenticate the user. Finally, it responds to the web server with accept or reject for the user's access request.


The server receives Access-Request packets from the web application server (RADIUS client NAS), including the user's parameters and the OTP most recently generated on the user's device/application.

The server checks whether the received information is correct, using the users' database server and applying an authentication scheme such as PAP or CHAP. It verifies the incoming OTP against the internally generated OTP. The OTP generators on the server and client sides must have the same parameters and state. The RADIUS exchange can be explained as follows:

If the match succeeds, an Access-Accept packet is sent by the OTP server back to the web application server, which then permits the end user to access the web application.

If the match fails, an Access-Reject packet is sent back to the application server, which then unconditionally prevents the end user from accessing the web application.

The OTP server may also respond to the Access-Request packet with an Access-Challenge packet. This is done in more complex authentication dialogs, where a secure session is opened between the OTP server and the end user in such a way that the credentials sent are hidden from the web application server (RADIUS client NAS).

USERS DATABASE SERVER

One of the major components of the OTP RADIUS system is the storage system, which holds the system's users and their parameters. This storage can be a database or an LDAP server. For each user, the database or LDAP directory contains the username, the most recently generated OTP, the seed number and other parameters related to that user. The OTP RADIUS server can be integrated with different storages, either LDAP directories or SQL databases.

WEB APPLICATION SERVER (RADIUS CLIENT)

The frontend of the OTP RADIUS system is the website that the end user sees and interacts with directly. In the RADIUS environment it is called the NAS (Network Access Server). The NAS acts as the only gateway to the protected OTP server.

The RADIUS protocol establishes connections only with the NAS. The web application NAS connects to the OTP server, passing the user's credentials. The OTP server then looks up the user in its DB or LDAP server and notifies the NAS whether or not it grants the user access to its services.


OTP authentication is simply sending the username and password using an appropriate protocol such as CHAP and receiving the response. This requires changing the default authentication mechanism of the application server to the OTP mechanism. Configuration must be applied to the application server to use the OTP mechanism. This might require additional code to be integrated with the application server. Web programming is used to apply this configuration and to build secure communication with the OTP server.

OTP CLIENT (OTP GENERATOR)

The OTP client is the two-factor authentication module that the user uses to generate the OTP required to access the service. The OTP generator can be either a software token installed on any portable device, or a hardware token carried by the user that only generates OTPs.

Hardware OTP Token

The above figure shows the Bio-OTP smart card generator. This card uses fingerprint authentication to recognize its owner. After successful fingerprint authentication, the OTP is generated and shown on the card display.

Software OTP Token

The OTP RADIUS system supports hardware and software tokens with different One-Time Password algorithms, such as TOTP, HOTP and MOTP.


HOTP: the HMAC-based OTP algorithm generates the OTP from a static symmetric key and an increasing counter value.

TOTP: the Time-based OTP algorithm uses the current time and a shared secret key to generate the OTP.

MOTP: the Mobile-OTP algorithm is based on time-synchronous one-time passwords.

E-Code provides a software OTP generator with the system. This software token provides the different algorithms discussed above and is a two-factor authentication solution. E-Code provides its customized software token for use on a smart phone or any portable device. The user enters a PIN, which then generates the OTP to be used for login.

The E-Code OTP client generator can also be used with a hardware OTP token. This hardware OTP token uses an on-board algorithm to generate the OTP. The hardware token is synchronized with the server so that each OTP can be verified at the server.
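As an added example (not E-Code's code), the HOTP and TOTP algorithms described above, together with the server-side check that produces the Access-Accept/Access-Reject decision described under the OTP RADIUS server, including a look-ahead window that resynchronizes a token whose counter has run ahead. The USERS table and the radius_decision function are constructed stand-ins for the users database and the OTP server; the seed is the RFC 4226/RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time

# Constructed users database standing in for the DB/LDAP store.
# The seed is the shared secret; counter / last_step is the per-user state
# that the OTP server must keep in sync with the token.
USERS = {
    "alice": {"type": "hotp", "seed": b"12345678901234567890", "counter": 0},
    "bob":   {"type": "totp", "seed": b"12345678901234567890", "last_step": -1},
}

ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter replaced by the number of time steps since the epoch."""
    if at is None:
        at = time.time()
    return hotp(seed, int(at) // step, digits)


def radius_decision(username, otp, at=None, window=10, skew=1):
    """Decide the RADIUS reply for one Access-Request.

    An accepted code advances the user's stored state, so the same OTP
    cannot be replayed; constant-time comparison avoids leaking digits.
    """
    user = USERS.get(username)
    if user is None:
        return ACCESS_REJECT
    if user["type"] == "hotp":
        # Look-ahead window: accept a counter a few presses ahead of the server
        # and jump the server to it (token resynchronisation during authentication).
        for c in range(user["counter"], user["counter"] + window):
            if hmac.compare_digest(hotp(user["seed"], c).encode(), otp.encode()):
                user["counter"] = c + 1
                return ACCESS_ACCEPT
        return ACCESS_REJECT
    # TOTP: tolerate +/- skew steps of clock drift, but never a step already used.
    now_step = int(at if at is not None else time.time()) // 30
    for s in range(now_step - skew, now_step + skew + 1):
        if s > user["last_step"] and \
                hmac.compare_digest(hotp(user["seed"], s).encode(), otp.encode()):
            user["last_step"] = s
            return ACCESS_ACCEPT
    return ACCESS_REJECT
```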

Benefits

SECURITY

The OTP RADIUS system allows the user information to be stored on one host, minimizing the risk of security loopholes. Two reasons produce this level of security. The first is the use of OTP authentication technology, and the second is the strong, secure communication between the system entities, which is achieved by the RADIUS protocol. Hence two major security technologies are integrated to produce the OTP RADIUS system. The solution also solves the password caching problem.

EASE OF USE

One click/touch; one response. The user has no need to identify himself through multiple steps: he just submits his username and OTP with one click/touch, after which the web application passes the submitted credentials on and returns a response of Accept or Reject. The OTP solution requires no driver to be installed on the user side.

FLEXIBILITY

The web application server is not necessarily the only possible NAS, because a NAS can be any electronic device that has an interface to a computer. So, any device can use the OTP RADIUS server for user authentication.

Also, integration with different databases or LDAP directories is provided by the OTP RADIUS system.


The OTP server responds quickly to authentication requests received from application servers.

HIGH AVAILABILITY

The OTP server is reliable for long-term operation.

MAINTAINABILITY

The available integrated QA tests are used to troubleshoot and maintain the OTP server components, and existing testing applications are used to test the OTP server. The system can also resynchronize a token during authentication.

EASY ADMINISTRATION

The solution does not require much skill or experience from the system admin. All administration actions are performed easily through the backend interface.

CERTIFICATION

The OTP RADIUS server is OATH certified for both TOTP and HOTP tokens. PSKC encrypted files are also supported.

I. ABOUT E-CODE

E-Code is a leading, progressive and innovative company in the field of information security, providing technology, state-of-the-art solutions, consulting, integration and testing services to safeguard information assets, identities and the supporting infrastructure against unauthorized use. Our high-quality service, excellent benefits, reliability and responsibility place us among the leading digital security companies.

E-Code provides unique products and solutions that cover many security areas, fulfilling customers' needs in different market sectors. We provide a set of products and solutions covering the following areas: software protection, data encryption, security hardware, digital signature, secure identification and authentication, and secure online distribution of digital content.

We support different market sectors, such as governmental institutes, organizations, banks, software development companies, multimedia software and game producers, media and eBook publishers, and individual users.

Website www.e-code.com

Email info@e-code.com, support@e-code.com, sales@e-code.com
