Cryptographic Security Token
Executive Summary
Signing in to online accounts of high importance with a static password may not provide adequate protection. Using a secure HTTPS connection does not guarantee
total protection either. Foreign governments are now investing in supercomputers and sometimes manage to redirect internet traffic through their networks;
we can only speculate what they do with the data. Network communication can be saved for later analysis, and even HTTPS may be broken given time and resources,
so static passwords used for authentication may become compromised. Another type of attack is a data leak, through a security hole or
from inside the company providing the online service (administrators or programmers stealing data).
How can we better protect our bank accounts, brokerage accounts, retirement funds, and
even online shopping accounts and social networks?
Only dynamic authentication, where the sign-in information changes for every online session, can provide the best protection.
The Guarded Key password manager introduces the Cryptographic Security Token as the most secure form of authentication.
The Guarded Key cryptographic security token is the latest client/server authentication technology.
The security token is a dynamically generated hexadecimal string created by a highly secure encryption algorithm using a 4096-bit key and 8 layers of encryption,
where each layer uses a different encryption standard (AES, 3DES, Blowfish, Twofish). It contains the authentication information and a timestamp.
A new security token is generated every second, and a unique token is used for each sign-in (each online session).
This method replaces the static password, and so prevents security breaches
caused by data leaks from inside your company/organization and defeats HTTPS cryptanalysis, because any token used by the client
becomes invalid immediately and cannot be used for further successful authentication.
Typical online services which could take advantage of Cryptographic Security Token
- Banks and other financial institutions - authentication into online banking services
- Brokerage and foreign exchange firms - authentication into online trading services
- Online payment services - authentication into electronic payment services
- Online stores - authentication into online shopping websites
- Multimedia services - authentication into websites providing multimedia for playback/download
- Social networks - authentication into social networks, messaging systems, webmail, photo sharing sites etc.
Benefits of Guarded Key security token
- Dynamic authentication - a new, unique security token is generated every second (other products generate a new token at longer intervals).
If the user accidentally closes the web browser, or logs out and needs to log in again,
it is possible to log in immediately because new security tokens are generated so frequently.
Frequent token generation also allows the same user/client to authenticate immediately from multiple computers.
- Timestamp validation - validates the security token against the current time. The server implementation authorizes user access
only if the token timestamp falls within the time range defined by company policy. If an unauthorized user tries to sign in using an old security token obtained by hacking into the system,
by HTTPS cryptanalysis or by other means, access is denied. The same check can also drive logging of invalid authentication attempts and
notification of the account owner and your security team. Because client and server system time can differ (especially on mobile devices),
company policy must define the time range within which security tokens are accepted as valid (for example +/- 10 seconds).
Note that the window alone does not expire a token that has already been used: for a captured token to be useless inside the window, the server must also record tokens it has already accepted and refuse them a second time.
- Self service - the Guarded Key architecture and implementation keep the cost of maintenance and client servicing low,
because clients set up their authentication online. The Guarded Key security token requires the client's Certificate + Password or the client's Certificate + RSA Signature (RSA private key).
The Guarded Key password manager lets users generate their Certificate/RSA Signature with one click. The user needs the password only for the initial sign-in,
then generates a Certificate or Certificate + RSA Signature and finally uploads the Certificate to the server (not the RSA Signature, which the user must keep secret). After the first successful sign-in the password is disabled and
the user uses only the security token for all further authentication requests. The password could also stay active (depending on company policy), but the point is that from then on only the dynamically generated token is used for everyday sign-in and
only the token is exposed to the internet; the static password is never transmitted over the network again. The user can be notified to renew the Certificate after a set period (for example 5 years).
- Zero client maintenance - client-side authentication can be handled by the Guarded Key password manager.
Its main advantage is giving users a good tool for maintaining all their online accounts,
with a modern user interface that uses the touch screen for fast access to all accounts and one-click sign-in, plus many other features.
Instead of developing your own client application, which may or may not be accepted by users, give them Guarded Key.
The Guarded Key password manager is ready for deployment and available for multiple platforms,
so your company does not have to develop and maintain a standalone client authentication mechanism.
- Low price of implementation - the security token can be implemented on the server side in a few weeks and fully tested in a few months.
Implementing this technology for the online banking of a large bank with 100 million clients could take 3 months and
cost around $1 million in internal resources (the technology, including the source code, is provided free of charge).
That brings the cost of implementing a technology usable for the next 20 years down to 1¢ per client.
- Easy update - unlike hardware solutions with special encryption chips, which require expensive shipping or centralized distribution of encryption keys,
the Guarded Key server can be deployed easily and the Guarded Key client (password manager) is simply downloaded by users.
This lowers the cost of updates significantly. A hardware solution is sometimes considered more secure, but unjustly so.
In fact a software solution can be even stronger, because stronger encryption can be deployed much faster; compare the 128-bit AES encryption used in USB drives with hardware encryption.
Guarded Key provides 4096-bit encryption and 8 layers of different encryption standards. If one encryption standard is found weak or even broken, several other encryption layers still protect the security token from being decoded and exploited.
- Public relations - fast implementation of the most secure authentication technology can make your company/organization more visible,
earn good feedback from existing clients, and bring in new clients who trust the high security standards of your online services.
Implementation
The Cryptographic Security Token implementation consists of two parts: the Guarded Key server and the Guarded Key client.
The Guarded Key client is the best password manager on the market. The password manager lets users maintain all their online identities in an encrypted database and
define, for each account, the password and the settings for the Cryptographic Security Token.
The Guarded Key server provides interfaces for processing client authentication requests: decryption and validation of the security token generated by the client. Your website must be designed to accept a User ID and a Security Token.
A new login page can be created and used alongside the old login page to allow a smooth transfer of existing users to the new authentication technology.
The Guarded Key security token can be generated using one of two methods:
Certificate + Password
Guarded Key creates an authentication message consisting of the timestamp and the password. The authentication message is then encrypted
using a 4096-bit key, called the "Certificate", and 8 layers of encryption consisting of AES, 3DES, Blowfish and Twofish;
this process creates a ciphertext, called the "Security Token", which is unique for each timestamp (it never repeats).
The Security Token is then entered on the login page of the online provider along with the User ID.
The security token is decrypted on the server side, and the password and timestamp are evaluated.
The password is not stored on the server; a salted password hash should be stored instead, so that passwords are never exposed to employees inside your organization (nobody needs to know clients' passwords).
Steps
1. Setup
- The client generates the Certificate and uploads it to the server via the provider's website.
The second option is generating the Certificate on the server; the client then copies and pastes the string from the website into the appropriate text box of the Guarded Key password manager.
2. Sign In
- The user clicks the "Generate and Copy" button or the "Sign In" button. The Guarded Key security token generator creates an authentication message consisting of the timestamp and the password.
This authentication message is then encrypted using the Certificate to create a unique Security Token, which is then used for signing in on the provider's website.
Authentication message:
2011-06-14T20:46:38;HU7jk*LKM0nd
Security Token:
EC80988704DECD3B 33B4636FF0AC2E3A 4DA26585D7FDA708 BE403B7536DC9CF2 DB3B09C15DAC0808
FEABA5A6062F88F4 79FBF572EB234667 94CC99C8A733C65B 4D908B747CD7E4C8 95E4AE0F38955488
36BA542EF67F4C7F 78D8E7ECDF8FD1E1
3. Server authentication
- The server receives the security token and uses the client's Certificate to decipher the authentication message. The timestamp is then evaluated against the company's rules and accepted or rejected.
When the timestamp is accepted, the server hashes the password extracted from the authentication message. The hash is compared to the hash value in the database and,
if it matches, the user is granted access to the system.
Certificate + RSA Signature
The timestamp is signed with the RSA Signature (an RSA private key known only to the user); this produces a signature that is unique for each timestamp (it never repeats).
The timestamp and the signature together form the authentication message, which is encrypted
using a 4096-bit key, called the "Certificate", and 8 layers of encryption consisting of AES, 3DES, Blowfish and Twofish.
This new ciphertext, called the "Security Token", is then entered on the login page of the online provider along with the User ID.
The security token is decrypted on the server side, and the timestamp and the RSA signature are evaluated using the RSA public key.
Only the owner of the RSA Signature (private key) is able to create a valid security token.
This process completely eliminates the use of a password. A password can be used for the initial exchange of the certificate and RSA keys and then disabled
(this procedure is useful when transferring existing users to the new authentication mechanism).
Steps
1. Setup
- The client generates the Certificate and the RSA Signature, and uploads the Certificate to the server via the provider's website.
The RSA Signature (RSA private key) is kept secret and only the user holds a copy.
Part of the Certificate serves as the RSA public key used to verify signatures generated with the RSA private key.
The second option is generating the Certificate and RSA Signature on the server; the client then copies and pastes both strings from the website into the appropriate text boxes of the Guarded Key password manager.
Note that in this second option the private key has existed on the server, so the guarantee that only the user can sign holds only if the server discards it immediately after delivery.
2. Sign In
- The user clicks the "Generate and Copy" button or the "Sign In" button. The Guarded Key security token generator creates an authentication message consisting of the timestamp and uses the RSA Signature (private key) to sign it.
This authentication message is then encrypted using the Certificate to create a unique Security Token, which is then used for signing in on the provider's website.
Authentication message:
2011-06-14T20:48:11;2625EB8066391C8B 473304BAC2240260 6585BEA867AF4502
2A08D2DDAD5B0B83 FF5A931017284A8D 7DBFB241A24C90EE
Security Token:
3F57972AABEA964A 3CA945B8BFFB00B2 8AAEEE180F3B31CE B04C5F62D57B36EE 88466EBAB9818D31
1D40D50DAE5F3FB2 5004F00664DC69D2 9AA8FE6C06F98993 9BC39E2F8CF5DF29 57E62D38E65E7152
28E55E3E0CF4896F B588284A208AC14D ACA88E5B6F93378D F3FE5938366C620A F2AA9892ABAC8873
2C916A707B232F28 FEB4639D58120680 4BDBB240C4958C02 70D5C489F3560A29 5061F2C28AE0EFF1
3BC2057E0254F934 63D92396987A8F8A B60FAC2FB3E17151 D89DFCEBD3A43B99
3. Server authentication
- The server receives the security token and uses the client's Certificate to decipher the authentication message. The timestamp is then evaluated against the company's rules and accepted or rejected.
When the timestamp is accepted, the server uses the public-key part of the Certificate to verify the client's signature. Since only the client can generate a correct signature,
a valid signature is proof of a legitimate authentication request and no password is necessary. If the signature is valid,
the user is granted access to the system.
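The two schemes above, the +/- timestamp window and the one-token-per-session rule, as an added Go example. This is not Guarded Key's code and it does not reproduce the 4096-bit, eight-layer construction: the shared "Certificate" is modelled as a 256-bit AES-GCM key, the RSA signature is PKCS#1 v1.5 over SHA-256 of the timestamp, and the password is stored as a plain SHA-256 hash (a slow, salted password hash would be used in production). The function names, the 10-second policy window, the `timestamp;payload` message layout and the sample inputs are assumptions of this example.

```go
package main

// Added example, not Guarded Key's code. Assumption: the shared "Certificate" is a
// 256-bit AES-GCM key standing in for the page's 4096-bit, eight-layer construction.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

const tsLayout = "2006-01-02T15:04:05" // timestamp format shown on the page
const policyWindow = 10 * time.Second  // accepted client/server clock skew (assumed policy)

// NewUserKey is the client's one-click RSA key generation; the private half never leaves the user.
func NewUserKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

func gcmFor(cert []byte) cipher.AEAD {
	block, err := aes.NewCipher(cert)
	if err != nil {
		panic(err) // only a wrong-length certificate gets here
	}
	gcm, _ := cipher.NewGCM(block) // never fails for an AES block
	return gcm
}

// encryptToken: authentication message -> hex Security Token (random nonce, so no two tokens repeat).
func encryptToken(cert, msg []byte) string {
	gcm := gcmFor(cert)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand
	return hex.EncodeToString(gcm.Seal(nonce, nonce, msg, nil))
}

// PasswordToken is the client side of "Certificate + Password".
func PasswordToken(cert []byte, password string, now time.Time) string {
	return encryptToken(cert, []byte(now.UTC().Format(tsLayout)+";"+password))
}

// SignatureToken is the client side of "Certificate + RSA Signature": sign the
// timestamp with the private key, then encrypt "timestamp;hex(signature)".
func SignatureToken(cert []byte, priv *rsa.PrivateKey, now time.Time) (string, error) {
	ts := now.UTC().Format(tsLayout)
	h := sha256.Sum256([]byte(ts))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return encryptToken(cert, []byte(ts+";"+hex.EncodeToString(sig))), nil
}

// Server is one user's record; as the page requires, it holds a password hash, never the password.
type Server struct {
	cert   []byte
	pwHash [32]byte        // sha256(password); ignored when pub is set
	pub    *rsa.PublicKey  // nil selects the password scheme
	seen   map[string]bool // accepted tokens: each may open exactly one session
}

func NewServer(cert []byte, password string, pub *rsa.PublicKey) *Server {
	return &Server{cert, sha256.Sum256([]byte(password)), pub, map[string]bool{}}
}

// Authenticate accepts a token once, and only if it decrypts under this user's
// certificate, its timestamp is inside the window, and the password hash or signature checks out.
func (s *Server) Authenticate(token string, now time.Time) error {
	if s.seen[token] {
		return errors.New("token already used: one token, one session")
	}
	gcm := gcmFor(s.cert)
	raw, err := hex.DecodeString(strings.ReplaceAll(token, " ", "")) // page groups hex in 16-char blocks
	if err != nil || len(raw) < gcm.NonceSize() {
		return errors.New("malformed token")
	}
	msg, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return errors.New("token does not decrypt under this user's certificate")
	}
	ts, rest, _ := strings.Cut(string(msg), ";")
	t, err := time.Parse(tsLayout, ts)
	if err != nil || t.Before(now.Add(-policyWindow)) || t.After(now.Add(policyWindow)) {
		return errors.New("timestamp missing or outside the +/- policy window")
	}
	if s.pub != nil { // Certificate + RSA Signature: verify the signature over the timestamp
		sig, err := hex.DecodeString(rest)
		h := sha256.Sum256([]byte(ts))
		if err != nil || rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, h[:], sig) != nil {
			return errors.New("signature does not verify")
		}
	} else if h := sha256.Sum256([]byte(rest)); subtle.ConstantTimeCompare(h[:], s.pwHash[:]) != 1 {
		return errors.New("password hash mismatch") // Certificate + Password
	}
	s.seen[token] = true
	return nil
}

func main() {
	cert := make([]byte, 32) // all-zero shared Certificate: demo only
	srv := NewServer(cert, "HU7jk*LKM0nd", nil)
	tok := PasswordToken(cert, "HU7jk*LKM0nd", time.Now())
	fmt.Println("first use:", srv.Authenticate(tok, time.Now()), "| replay:", srv.Authenticate(tok, time.Now()))
}
```

The server checks the replay cache first, then the AES-GCM tag, then the clock: a token built under someone else's certificate therefore fails on the tag rather than on the timestamp, and a token captured inside the 10-second window is refused on its second use, which is the property the page describes as a used token becoming immediately invalid. The replay cache only needs to hold tokens younger than the window; anything older is already rejected by the timestamp check.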
See examples of Security Token.
For more information contact:
Robert Janik (robert.janik@guardedkey.com)
Copyright (C) 2011-2016 Robert Janik, Brno, Czech Republic