Tokenless Two-Factor and Multi Factor Authentication

Tom Selhorst ‒ t.selhorst@swivelsecure ‒ Swivel Secure (Infopoint Security)

Agenda

► Swivel Secure ‒ The Company
► Authentication Technologies
► How PINsafe Works
► Technology Overview
► Data Sources
► Data Storage
► Peering
► Security String Delivery
► Summary of Key Points
► ChangePIN
► Integration
► Integration Examples

Swivel Secure Ltd… company background

► Established 2000 in UK
► A member of the Marr Group
► Worldwide patented technology
► Swivel PINsafe product launched Q3 2003
► Worldwide distribution network
► Offices: UK, USA, China, Australia
► Channel: USA, Europe, China, Australia, Singapore, Malaysia, South America

Multi-factor Authentication… explained

Two-factor Authentication
► 1st Factor ‒ Something you know: PIN or password
► 2nd Factor ‒ Something you have: a token; mobile phone

Three- and Four-factor Authentication
► 3rd Factor ‒ Something you are: biometric (retina scan / fingerprint)
► 4th Factor ‒ Something you use: the device through which you are authenticating

What is PINsafe?

► ‘Token-less’ multi factor authentication technology
► Uses something the user already has… a mobile device/browser
► Stronger security than simple OTC password solutions
► The PIN is never entered at the keyboard
► Integrates with most existing remote access products
► Easy to deploy

PINsafe Protocol

Variable length PIN issued to each user► 4 – 10 digits

Randomly generated 10-digit security string► Delivered to a mobile device or browser

A new one-time code (OTC) for each authentication attempt► Cannot be re-used if intercepted

Swivel Protocol ‒ worked example

PIN (stays the same): 2 4 6 8

Security string (changes for every authentication attempt): 5 1 7 3 9 2 0 6 4 8

Placeholder row for ease of use ‒ the position each PIN digit refers to:

Position:        1 2 3 4 5 6 7 8 9 0
Security string: 5 1 7 3 9 2 0 6 4 8

Extracting the OTC, one PIN digit at a time:
► PIN digit 2 ‒ position 2 of the security string ‒ 1
► PIN digit 4 ‒ position 4 ‒ 3
► PIN digit 6 ‒ position 6 ‒ 2
► PIN digit 8 ‒ position 8 ‒ 6

OTC: 1 3 2 6

PINless Option

Security string / OTC: 951372

Installation & Configuration

► Authentication appliance (HA option on appliance) or software only

Technology Overview ‒ Swivel PINsafe Server

► J2EE based application
► Uses a J2EE container (Apache Tomcat v5)
► Distributed as a .war file
► Requires Java JRE and a J2EE container
► Requires Java Comm API if using the GSM modem option
► Authentication via internal API or RADIUS
► Internal API ‒ XML over HTTP
► RADIUS ‒ supports PAP & CHAP, MSCHAP, MSCHAP v2

What is Dual Channel?

[Diagram: login using two channels (Channel I, Channel II), one carrying the Security String, the other the OTC]

Solution Integration ‒ User Authentication from Active Directory

[Diagram: User → SSL VPN → (RADIUS or XML) → PINsafe Server; the PINsafe Server reads a Data Source (e.g. Active Directory) and a Data Store (internal or external); security strings reach the user by dual channel or single channel at user login]

Installation ‒ pinsafe.war

► J2EE applications are distributed as a Web Application Archive (WAR) file
► Installation consists of copying the pinsafe.war file into the Tomcat\webapps directory
► Automatically deployed when Tomcat starts

Installation steps:
► Select OS of choice
► Install Java JRE 1.5
► Install Apache Tomcat 5.5
► Install PINsafe

Data Source

Internal Data Source
► Data is entered into the PINsafe console; usable ‘out of the box’
► Username, email address, mobile number
[Diagram: PINsafe Server with an internal Source and Database (Store)]

External Data Source
► Username, email address, mobile number
► AD/LDAP group determines transport mechanisms
► Quick and easy
[Diagram: External Repository (e.g. AD) → PINsafe Server Source → Database (Store)]

External Data Source ‒ multiple data sources
[Diagram: External Repositories (e.g. AD 1, AD 2, LDAP), each feeding its own Source on the PINsafe Server, sharing one Database (Store)]

User repository
► XML ‒ internal repository, managed via PINsafe
► Active Directory ‒ LDAP sync; manage users by adding them to AD groups
► LDAP ‒ LDAP sync; manage users by adding them to LDAP groups
► Other database ‒ dependent upon the database schema

Active Directory ‒ Configuring the AD ‒ Creating Groups

► Requires an account ‒ must be a UPN: [email protected]
► Groups must be fully distinguished names, e.g. CN=PINsafeUsers,OU=Swivel,DC=Swivelsecure,DC=com
► Minimise AD work by building the required groups from existing groups

Admin work is done on the AD server by adding users to the remote access group.

Active Directory ‒ Configuring the PINsafe Groups ‒ Setting the Repository

Active Directory ‒ Configuring AD settings

Active Directory ‒ Configuring the PINsafe Groups ‒ Mapping to AD Groups

Active Directory ‒ Configuring the PINsafe Groups ‒ Creating Transport Groups
► Where security strings are sent
► Where alerts are sent

Active Directory ‒ Configuring the PINsafe Groups ‒ Syncing the AD database

Data Storage

Internal Data Store
► Internal database for use ‘out of the box’
[Diagram: External Repository (e.g. AD) → PINsafe Server Source → Internal Database (Store)]

External Data Store
► An external database can be specified
[Diagram: External Repository (e.g. AD) → PINsafe Server Source → Internal/External Store (e.g. MS SQL database)]
► External database types available: MS SQL, MySQL 5, JDBC, Oracle 10g, PostgreSQL 7.4

External Data Store ‒ Active-Active HA solution
► One PINsafe server is master, the others are slaves
► Load-balanced authentication devices can connect to different PINsafe servers
[Diagram: VPN Server #1 and VPN Server #2 → PINsafe Server #1 and PINsafe Server #2 (each with a Source from the External Repository, e.g. AD) → Clustered External Data Store (e.g. JDBC)]

Configuration ‒ Multiple Data Sources and External Data Store

PINsafe allows multiple data sources and the capability to have an external data store.
[Diagram: Active Directory 1, Active Directory 2 and LDAP each feed a Source on the PINsafe Server; the store is an external database, clustered for resilience]

Appliance Clustering
[Diagram: three PINsafe Servers, each with the built-in internal XML data source, sharing an External Data Store of external databases clustered for resilience]

External Data Store ‒ Active-Active configuration
► One PINsafe server is master, the others are slaves
[Diagram: VPN Server #1 and VPN Server #2 → PINsafe Server #1 and PINsafe Server #2 → External Store (e.g. JDBC); each PINsafe Server has Sources from External Repositories (e.g. AD, LDAP)]

PINsafe Peering Capability

► Authentication against other PINsafe servers
► Peering configuration: RADIUS or XML

Security String Delivery

PINsafe Authentication

Dual Channel ‒ security string supplied by a second method
► Increases security combined with PIN extraction
► Relatively easy to implement using RADIUS

Single Channel ‒ security string supplied in the same method as the authentication channel
► Stronger than a password
► Weaker than dual channel
► Harder to implement as the security string must be presented to the user

Positive ID
► Can be used in combination with single and dual channel
► Verifies the PC is also authenticated to connect
► Enhances security

PINsafe Dual Channel and Single Channel

Dual Channel ‒ how the user receives their string
► SMS by GSM
► SMS by SMS gateway
► Swivlet ‒ security string by GPRS

Single Channel ‒ how the user receives their string
► Modified login screen
► Separate web page
► String in Active Desktop
► PINsafe taskbar utility

Dual Channel ‒ SMS

The mobile phone as a token:
► Select inbox from the phone message menu
► Select the Swivel message
► Retrieve the one-time code and type it into the browser

► Dual channel increases protection of the credential from spyware
► Security string sent via GSM, CDMA/TDMA, SMTP or GPRS network
► Manually extracted OTC returned via the second channel

PINsafe ‒ SMS
► First security string delivered as an SMS message upon user registration
► SMS refresh (override) after each authentication attempt
► Device neutral
► No mobile service necessary at the end point during authentication
► SMS notification if someone is trying to log on as the user

Swivlet ‒ J2ME MIDlet
► Automatic OTC extraction from keyboard input
► 99 security strings
► Registration and OTC top-up through a GPRS connection

Using the Swivlet:
► Select ‘Login’ from the menu
► Select ‘Get One Time Code’ and enter the PIN
► Retrieve the one-time code and type it into the browser

PositiveID

► PositiveID has been integrated with PINsafe
► PositiveID is a third-party tool that creates a unique digital fingerprint for a device such as a PC, laptop or PDA and uses it for authentication purposes
► Using PositiveID it is possible to restrict users to specific PCs or laptops
► Several devices can be registered
► Up to 15 different groups of parameters make up the profile

Single Channel ‒ unique user interface (BUTTon, TURing & PATTern)
► Single Channel API
► Randomly generated GIF
► Irregular font and patterned backgrounds
► Immune from OCR software
► PIN is never typed during the authentication process

PINsafe Single Channel Configurations
► Modified login screens
► Providing a separate web page (web portal)
► Systray utility
► Active Desktop
► PINsafe with Microsoft ISA Server or Outlook Web Access Server

Summary of Key Points

► What is the user data source (AD, LDAP)?
► What is the authentication device (SSL VPN, ISA, IAG, website)?
► Where is the data (PIN numbers etc.) to be stored (internally in PINsafe or externally in a database)?
► How are the PIN numbers to be delivered to users (SMS, email)?
► How are security strings to be delivered to users (SMS, email, Turing, Swivlet)?
► Software or appliance install?
► HA Active/Passive or Active/Active?

ChangePIN

To allow a method for the user to change their PIN:

Configure the PINsafe server
► Allow Single Channel access: on the PINsafe Manager, under Server/Single Channel, set “Allow session request by username” to YES
► On the PINsafe Manager, under Server/Agents, enter a hostname or IP address for the ChangePIN server and a shared secret

Configure the ChangePIN server
► On the ChangePIN server install the ChangePIN utility: copy changepin.war to C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps
► On the ChangePIN server edit the config file to include the PINsafe server and shared secret

Edit C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\changepin\WEB-INF\server.xml
► PINsafe server IP: <entry key="server">127.0.0.1</entry>
► Shared secret key: <entry key="secret">secret</entry>

ChangePIN ‒ using the utility

► Browse to the ChangePIN address: http://127.0.0.1:8080/changepin
► Enter your username and click Start Session
► Remember: never enter your PIN
► Enter your OTC, then enter the new PIN as an OTC (encoded through the security string in the same way as an OTC)
► Example: if you want your new PIN to be 4925, enter 8451
► Success or failure is reported

Integration

Integration is the method of connecting the PINsafe server with the resource to be protected, for example websites, VPNs, firewalls and applications.

Currently supports two methods of integration:
► RADIUS ‒ NAS (Network Access Server)
► PINsafe Agent ‒ XML API

RADIUS
► PINsafe acts as a RADIUS server
► Supports PAP and CHAP, MSCHAP and MSCHAP v2, LEAP, MD5
► Authorisation port 1812 (configurable)
► Accounting port 1813 (configurable)
► Very easy to configure
► Supports both dual and single channel
► NAS devices by PINsafe group

Setting up RADIUS on PINsafe ‒ options

Setting up RADIUS on PINsafe ‒ IP address and shared secret

PINsafe Agent XML API

► The Agent XML interface is designed to permit Swivel Agents to communicate with PINsafe via XML messages sent over HTTP.
► Swivel Agents typically sit in front of network resources such as websites and control access to those resources.
► An XML request is sent to PINsafe via an HTTP GET or HTTP POST and PINsafe responds with XML.

Integration Examples ‒ Integrating PINsafe with various solutions

XML API sample configurations
► IIS server with an ISAPI filter
► ISA server OWA with an ISA forms-based filter
► Citrix Presentation Server 4

RADIUS sample configurations
► Juniper VPN
► F5 Firepass VPN

Integration ‒ Microsoft IIS Web Server

Microsoft Internet Information Services Web Server ‒ XML API sample configuration
► To allow stronger authentication for access to web pages
► Allow authentication to Outlook Web Access

Configure the Agent
► Enter the IIS server information
► Allow Single Channel Access?

Configure the IIS server
► Run the PINsafeIISFilter.msi installer
► Add the ISAPI filter
► Edit the config file:

  <!-- The IP address or hostname of the PINsafe server, which must be visible to IIS server -->
  <add key="PINsafe_Server" value="127.0.0.1" />
  <!-- The shared secret between this agent and the PINsafe server -->
  <add key="PINsafe_Secret" value="secret" />

► Restart the World Wide Web Publishing Service
► Login

Integration ‒ Microsoft Outlook Web Access using ISA Server

XML API sample configuration ‒ allow access to Outlook Web Access

Configure the PINsafe Server
► Enter a PINsafe agent
► Allow Single Channel Access?

Configure the ISA server
► Run PINsafeISAFilter.msi to create a filter
► Import the settings from PINsafeISAFilter.reg into the registry
► Create an access rule permitting HTTP access from the ISA Server to the correct port (8080) on the PINsafe server
► Copy the customised versions of logon_MSIERich.htm and logon_NotMSIERich.htm to the C:\Program Files\Microsoft ISA Server\CookieAuthTemplates directory
► Restart the ISA server

Test the server
► Test logon by connecting with a PINsafe One Time Code (from dual channel or single channel) and Exchange credentials

Integration ‒ Citrix Presentation Server 4

XML API sample configuration ‒ stronger authentication

Configure the Agent
► Enter the Citrix server information
► Allow Single Channel Access?

Configure the Citrix Server ‒ copying and editing the files
► Copy PINsafeClient.dll to /bin
► Copy login.aspx and pinsafe_image.aspx to /auth
► Copy login.js to /auth/clientscripts
► Copy loginButtons.inc and loginMainForm.inc to /auth/include
► Copy loginView.cs and login.cs to /auth/serverscripts
► Edit /web.config: add /auth/pinsafe_image.aspx to the comma-separated list of URLs under the <appSettings> key AUTH:UNPROTECTED_URLS
► Copy the additional keys from web.config.PINsafe into the <appSettings> section and adjust the key values to reflect your PINsafe installation

Testing the server
► Log in with the Citrix username and password and the One Time Code, obtained by dual or single channel

Integration ‒ Juniper VPN

RADIUS sample configuration ‒ to allow stronger authentication for VPN login

Configure the Juniper VPN ‒ RADIUS config
► Define a sign-in policy
► Define an authentication realm
► Define basic role mappings

Configure the PINsafe Server ‒ RADIUS config

Users will now be able to log in using dual channel. To allow single channel login there are several options:
► Edit the front page to present the TURING image
► Provide a separate web page with the TURING image
► Configure Active Desktop to present a TURING image
► Use the Swivel taskbar utility

Juniper VPN ‒ create a custom sign-in page for single channel

Modify LoginPage.thtml, adding the following where the Turing image is to appear:
  <SCRIPT src="pinsafe.js"></SCRIPT>

Edit pinsafe.js and upload it:

  // This identifies which <TD> contains the password prompt.
  var PasswordPromptTD = 10;

  // Prompt wording...
  var sOTCPrompt = "Enter your OTC:";

  // URL for images from the PINsafe server; replace 'PINsafe_IP_Address' with the PINsafe IP....
  var sUrl = "http://PINsafe_IP_Address:8080/pinsafe/SCImage?username=";

  // Names of the username and password textboxes in the page that's calling this script...
  // (On Aventail these are data_0 and data_1; on Netscreen they are username and password)
  var sNameOfUsernameText = "username";
  var sNameOfPasswordText = "password";

Testing
► After uploading, test by authenticating using single or dual channel. The edited login page should look as below.

Integration ‒ F5 Firepass VPN

RADIUS sample configuration ‒ to allow users stronger VPN authentication

Network diagram

Configure the PINsafe Server ‒ RADIUS config

Configure the F5 Firepass ‒ RADIUS config

Users will now be able to log in using dual channel. To allow single channel login there are several options:
► Edit the front page to present the TURING image
► Provide a separate web page with the TURING image
► Configure Active Desktop to present a TURING image
► Use the Swivel taskbar utility

F5 Firepass ‒ configuring the login page for single channel
► Create an HTTP web service on the Device Management : Configuration : Network Configuration : Web Services screen
► Select the Allow insecure access option on the Device Management : Security : User Access Security screen
► Check Allow WebDAV sandbox customization on the Device Management : Customization screen and enter a WebDAV password in the text box that appears

Add the following to the login page (the image element needs an id for getElementById to find it, and getElementsByName returns a list, so its length is checked rather than comparing it with null):

  <script language="JavaScript">
  <!--
  var bExists = (document.getElementsByName("username").length > 0);

  function ShowTuring() {
    if (bExists) {
      var sUser = document.getElementsByName("username")[0].value;
      if (sUser == "") {
        alert("Please enter your username first!");
        document.getElementsByName("username")[0].focus();
      } else {
        // Address of the PINsafe server's single channel image
        var sUrl = "http://192.168.0.150:8080/pinsafe/SCImage?UserName=";
        var img = document.getElementById("imgTuring");
        img.src = sUrl + sUser;
        img.style.visibility = "visible";
        document.getElementsByName("username")[0].focus();
      }
    }
  }
  //-->
  </script>
  <input name="btnTuring" type="button" value="OTC Image" class="submitbutton" onclick="ShowTuring()" />
  <img id="imgTuring" name="imgTuring" style="visibility:hidden;" alt="Turing image" />

The script runs in a sandbox and produces the following:

Thank you for your time…