The Advanced Encryption Standard (AES) was introduced in 2000.
One of the two important factors that make an encryption standard hard to break is the encryption process (encryption algorithm).
The second factor in making an encryption standard hard to break, especially a standard based on symmetric key cryptography, or a shared secret, is the key length. In general, the longer the key, the harder it is to figure it out by just trying random strings of characters. The AES can use a key length of 128, 192 or 256 bits.
The algorithm to be chosen also had to be made available to the public without royalty fees. After years of testing and multiple comment cycles, the Rijndael algorithm, written by two Belgian cryptographers, was adopted as the AES and was published as FIPS 192.
There is an inherent weakness in a symmetric key process because the key has to be transferred from the sender to the receiver as well as the encrypted text. Frequently, AES is used as part of a set of encryption tools where an asymmetric encryption method is used to transfer the key.
American National Standards Institute
100% Successful SMS Passcode Delivery
The key strategy for successful use of SMS for delivering passcodes is resolving intermittent network coverage and SMS delivery delays. Choice is key. SecurAccess’ patented methods resolve these issues by utilising:
Authentication is a process where a person or a computer program proves their identity in order to access information. Proof is the most important part of the concept and that proof is generally something known, like a password; something owned, like your ATM card; or something unique about your appearance or person, like a fingerprint…
Strong authentication will require at least two of these.
Automatic Time Re-sync
When a user travels overseas, their phone will typically sync to the new country's time once they have arrived at their destination. The OATH compliant algorithm then derives passcodes based upon this new time, which could be many hours forward or backwards in time.
In a security context, biometrics and biometric authentication refer to using a person’s physical characteristic in order to authenticate them for access to a resource.
Some of the characteristics commonly used include those of the eye, face, voice, fingerprints or the shape of a hand. Since these characteristics are unique and change very little over time, they offer strong proof of the person’s identity. Since these authentication systems are much more expensive to acquire and maintain, they are often used for access to very sensitive or classified information.
It’s easier to attack the stored comparison statistics or images than it is to copy the unique physical characteristic, so these stored items become the weak point of biometric authentication and need to be carefully secured. In addition, biometrics are usually used as part of a two-factor or strong authentication management system where a password or something known must also be used to gain access.
California AB 1950 and SB 1386
California AB 1950 and SB 1386 are two privacy bills, now laws in the State of California, that require organizations to notify Californians if their personal information is disclosed during a security breach.
SB 1386 was passed in 2002 to become effective on July 1, 2003. This law is directed at state agencies and businesses operating in California.
AB 1950 was passed in 2004, and became effective January 1, 2005. It added medical information to the information to be protected and extended the responsibility to organizations outside of the State, if they collect information about California residents. It does not apply to organizations that are subject to other privacy laws.
Chip Authentication Program (MasterCard)
Card Management Systems (CMS)
Card Management Systems (CMS) provide support for the use of cryptographic cards, often called smart cards, in an organization. While the specific functions may vary depending on the vendor, in general, CMS provide the software and hardware mechanisms to create cards and bind them to the identity of the person who will use the card to authenticate to various systems.
Most products include the ability to manage USB or hardware tokens as well as PKI certificates. Great security, but not very versatile for the smart device user that doesn't have a USB port or that wants to travel light!
It’s important that the cryptographic modules and interfaces are standards based to ensure interoperability with access controls to many kinds of resources. FIPS compliance adds an additional level of assurance.
Client device identification
Certificate Authority, Certification Authority (CA)
A certification authority, or CA, holds a trusted position because the certificate that it issues binds the identity of a person or business to the public and private keys (asymmetric cryptography) that are used to secure most internet transactions.
When a business or person wants to use these technologies, they apply to a Certification Authority. The CA collects information about the person or business that it will certify.
The processes that use the public key, such as a web browser, check the certificate to make sure that it comes from a trusted CA and may also check to be sure that the information is consistent with the way that it’s being used.
Chip and PIN
This initiative began in the UK and requires companies that issue credit and debit cards to issue new IC (chip) cards that require a PIN.
Information on the chip is much harder to access than it is on the older magnetic strip card. Two factor authentication is provided by the presence of the card and the fact that the card carrier knows the PIN. The card carrier has three tries to enter the PIN. Three wrong attempts and the card is locked and unusable until the card issuer is contacted.
Credentials, Credential Store
Credentials are sets of information that the owner presents in order to prove identity to a computer-based application. Although this is a general term and can be used for many kinds of credentials, the problem of storing credentials is most commonly discussed in the context of asymmetric cryptography where credentials consist of certified public keys. Common credential stores include databases, directories and smart cards.
A digital signature uses encryption technology to do two things: 1. it proves that the message hasn’t been changed in transit, called message integrity, and 2. it links ownership to the information, called non-repudiation.
In order to prove that the message wasn’t changed, the message is cryptographically transformed into a set of values, called a hash or a digest. The hash or digest is also sometimes referred to as a fingerprint because, statistically, the chance of it having the same value for any other message is negligible. The hash or digest is sent along with the message and the same transformation is run at the other end. Any attempt to alter the information in transit will result in a message that no longer matches its digital signature.
In order to link ownership, before the message is sent, a second operation is performed. The private key of the sender is used to encrypt the hash or digest. The receiver uses the sender’s public key to decrypt the digest. This proves that the message could only come from the person who holds the private key.
A directory service, in the technical sense, is very much like a directory service in the real world. A real-world directory service lets you look up a telephone number when you know someone’s name and location. In the same way, directory services on computers let you look for other computers, e-mail addresses, files and folders, and many other objects and attributes.
For instance, when your computer asks for a login ID and password, it will check them against a directory and then look in that directory or a related one to see what kinds of access rights you have in that computing environment. In modern networked environments, even printers and hardware devices are objects in a directory.
For a directory service to look up information, the information has to be stored in a standardized format; the most widely used formats are based on X.500 with its DAP and LDAP specifications.
Dynamic Passcode Authentication (Visa)
Dun & Bradstreet (D&B)
The recognised method to gain a true and accurate credit rating for quoted companies.
Europay, MasterCard and Visa
A security system that verifies the identity of a remotely connected device (and its user) such as a smart device or laptop before allowing access to enterprise network resources or data.
EU Data Protection Directive
This regulation allows the free flow of personal data between member states of the European Union that provide an adequate level of protection. Organizations must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft.
Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the consumer to use this same trust relationship to access information with another, related company without establishing new credentials.
Federal Information Processing Standard (FIPS) 140 sets requirements for cryptographic modules, a generic term for code, in software or firmware, that performs one or more security functions, to be used in sensitive but non-classified government systems. The requirements are tiered from level one, the lowest, to level four, the highest, so as to be appropriate for situations with varying needs for the protection of information. Cryptographic modules that are approved for use in classified systems may be substituted, as they would generally have even more security features.
GINA is a generic acronym for the Graphical Identification and Authentication, the subsystem that handles the logon presentation to the user. The Microsoft GINA is represented by the logon screen that pops up on the PC when the user presses Ctrl+Alt+Delete.
Graphical user interface
One of the ways that a person can authenticate to a computer system or application is by using a small, portable hardware device called a hardware authenticator; sometimes called a security token.
Hardware authentication was designed to make strong authentication, also called two-factor authentication, possible. So in addition to proving possession of the hardware device, a PIN or a password is usually needed. Proving possession of the device can be done in several ways, depending on the device. Some hardware authenticators are synchronized by time or event to a server and propose a one-time password that’s displayed on the device and can be used to prove possession. Others take a challenge code from the login system and present a new code to be used for login. And others simply plug into a USB port on the computer or mobile device.
Two parts of a comprehensive law for the medical industry, Health Insurance Portability and Accountability Act (HIPAA), are especially important for their security implications. A portion of the law, the Administrative Simplification provisions were developed to encourage the industry to work with healthcare information in its electronic forms. The provisions included standards for protecting the privacy of patients and for information security.
HOTP is an HMAC-based One Time Password algorithm. It is a cornerstone of the Initiative For Open Authentication (OATH). HOTP was published as informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below) and has become the world’s leading standard for event-based OTP authentication. The HOTP algorithm is freely available.
Hashed Message Authentication Code
Identity and Access Management (IAM)
Abbreviated to IAM, identity and access management refers to all of the policies, processes, procedures and applications that help an organization manage access to information.
Best practices and important rules such as Sarbanes-Oxley (SOX) in corporate governance, the Health Information Portability and Accountability Act (HIPAA) in healthcare, and the Gramm-Leach-Bliley Act (GLBA) in financial services all require organizations to escalate protection of certain kinds of records. And yet, information must be available to the people who need it. Large organizations need to tie risk analysis and policy development to sophisticated applications that can help them empower employees, investors, customers, partners and many others.
Identity theft is the theft of the credentials that we use to do business. When access controls are inadequate, the credentials that people use to authenticate to their credit card companies, banks or shopping sites may be disclosed to the wrong people. In addition, thieves have developed many ways to use e-mail and the Internet to collect this information.
Once perpetrators have the information they can use it as if they were the victim, running up credit card debt, or taking money out of bank accounts or investment savings.
IPSec, short for “IP Security” is the name of a security architecture and set of protocols commonly used to construct a VPN. These services work at the IP (Internet Protocol) or network layer and provide confidentiality and authentication as the packets move through networked devices.
A simplified explanation of the way it works starts with the need for both ends of the conversation to have public/private key pairs. Asymmetric cryptography/PKI is used for each end to authenticate and to negotiate a shared secret key that’s used for the rest of the session. That part of the protocol is called Internet Key Exchange (IKE). Once the secret key is negotiated and shared, protected with public keys, the receiver can be sure that the information wasn’t changed and that it’s from the other party, since only the other party knows that secret key.
IPSec allows one of two modes, one where the packets are encrypted between end points, called transport mode, and one where the packets are encapsulated yet again to go through a gateway device, called tunnel mode.
Prepared by the British Standards Institution (as BS 7799) and then adopted by the Joint Technical Committee ISO/IEC JTC 1 in 2000, ISO 17799, is an internationally respected standard for information security.
The following topics are addressed in the standard, primarily at a managerial level:
Previously referred to as BS7799
The current name for ISO17799. A quality standard used in setting a benchmark to attain and consistently deliver against.
Key logging software runs in the background, in a stealth mode that isn’t easy to detect on a PC. It collects every keystroke and hides that information in a file.
Sophisticated key loggers do much more than just log keystrokes. They can monitor the applications that are used, the URLs that are visited and much more. And they can do this in ways that are very difficult to detect.
Lightweight Directory Access Protocol (LDAP) is a standard based on X.500, the OSI Directory Access Protocol (DAP). Just as a telephone directory allows you to look up a telephone number by name, the LDAP standard for directories makes it possible for an LDAP compliant client to look up information that’s contained in computer systems and networks. Devices on a network like printers and fax machines, users, e-mail addresses, and many more objects and attributes are stored in X.500 directories.
LDAP is a second generation protocol, stripped down a bit from the original DAP protocol but generally interoperable with it. It also works with more common Internet protocols.
Liberty Alliance, Liberty ID-FF
The Liberty Alliance Project is an organization of over 150 members comprised of business, non profit and government agencies. The alliance is developing an open standard for federated network identity.
A federated network identity is the combination of different IDs, passwords and other attributes known to all of the organizations that provide you with services. Liberty’s Draft architecture, Liberty ID-FF Architecture Overview Version: 1.2-errata-v1.0, describes a schema that would give the identity holder more control and more privacy, while at the same time requiring less frequent requests for credentials like IDs and passwords.
Message Authentication Code
Man-In-The-Middle Attacks (MITM)
In a man-in-the-middle attack, an attacker will control the communication between two parties by secretly controlling both sides of the communication stream. He can read and even change unencrypted information.
This attack can even defeat some encryption schemes. One of the scenarios where this attack could work with encryption, is with the use of private and public keys or asymmetric encryption. In theory, the attacker simply uses the public key of one of the parties to decrypt the data stream in the connection attempt and then encrypts the connection attempt with his own private key and authenticates as the initiating party. He does a similar decrypt/encrypt with the responses and both end parties see the encrypted information that they expect.
The convention of binding public keys to an individual or organization, through the use of a certificate authority (CA), is a countermeasure to this kind of attack. For example, when using SSL to work with secure web pages, the public key is bound by the CA to the web site’s URL. Browsers run checks and can report problems, including those that signal a man-in-the-middle attack. Untrained browser users and weak SSL implementations in browsers still make this attack possible.
.NET Passport is Microsoft’s solution for federated identity management. It offers single sign-on (SSO) to multiple web-based service providers, while protecting a user’s privacy in e-commerce transactions.
This program by Microsoft maintains identification and authentication services for people who register to their Passport program on the web. Registration allows the customer to use one ID (an e-mail address) and password at multiple Internet e-commerce sites with vendors who participate in the program.
Mutual authentication is when two parties both require proofs of identity before conducting business. In an e-Commerce transaction, for example, both the client browser and the web site would prove identity to the other party when the browser connects.
Near Field Communication (ISO/IEC 18092)
Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. It has close to thirty coordinating and contributing members and is proposing standards for a variety of authentication technologies, with the aim of lowering costs and simplifying their use.
OATH Challenge-Response Algorithm, an OATH OTP algorithm
Out of band
Open Mobile Alliance (OMA)
OMA is a membership organization that develops and promotes standards. Its focus is mobile data services used over devices like telephones, handheld computers or PDAs. The members consist of representatives from all sectors of the industry, including content, service and technology providers. This broad representation assures specifications that will operate seamlessly between networks and devices to provide consistent services for the consumer.
The organization works closely with other standard-setting organizations so that services on mobile devices will interoperate with, and provide similar user interfaces to, the stationary services that people use in other environments. Providing browser clients on cell phones, for example, requires the same kinds of authentication, authorization and other security measures over an open network that are required when the browser sits on a wire-connected PC.
OTP (One-Time Password)
A one-time password can only be used once, hence its name! There are many methods of one-time password systems, including time-synchronous, event-synchronous and challenge-response technologies, along with multiple underlying cryptographic algorithms. Plastic tokens were prevalent in the global market during the 1980’s and 1990’s until the method referred to as tokenless was invented by SecurEnvoy and brought to market in 2000. Tokenless is the preferred method of authentication and is set to become the de facto standard in the market place.
SecurEnvoy's SecurAccess tokenless authentication is an example of a one-time password system.
In 2012 the use of OTP for allowing local access to encrypted devices was also made available. The first of its kind is the Sophos and SecurEnvoy joint partnership.
One-Time Password Specifications (OTPS) are a set of open specifications being developed by RSA for the use of one-time passwords (OTP). One-time passwords are difficult to guess because their lifetimes are so short. In addition, they protect against a related threat called replay. With traditional passwords, if the authentication handshake is recorded, it can be replayed by someone who shouldn’t have access. If the password can only be used once, this is not possible.
Password, Passcode, Pass Code
A password or its numerical form, sometimes called a passcode or PIN, is one of the simplest authentication methods. It is usually used with an identifier, as a shared secret between the person who wants access and the system that’s protected.
If it’s not encrypted, or if the encryption is easy to break, passwords and passcodes are vulnerable to eavesdropping and replay. And if it is encrypted, other attacks are used. A brute force, or dictionary, attack simply tries possibility after possibility until the right one is found. Utilities to help an attacker with this kind of attempt are easily found on the Internet. Short passwords made of one simple word are the easiest to find with this kind of attack, so many administrators require pass phrases, complex combinations of words. Controls will also often require that numbers or special characters are used with the password or pass phrase; this makes it more random in nature and harder to guess.
In some environments, users must remember many complex passwords and pass phrases and end up writing them down near the computer. This becomes the vulnerability.
Payment Card Industry (PCI) Data Security Standard
The Payment Card Industry (PCI) Data Security Standard is an industry regulation developed by VISA, MasterCard and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain leveled requirements for testing and reporting. MasterCard markets the program as their Site Data Protection (SDP) Program and VISA markets it as their Cardholder Information Security Program (CISP).
Pharming is an attack that takes advantage of the way that our computers locate web services. The browser uses the DNS system, which acts as a huge lookup database distributed over different servers on the Internet, to find the IP address that is linked to a particular URL for a web site. The browser actually communicates with the web site using that IP address.
The attacker finds a way to link the IP address of a site that he controls to a valid URL in the DNS system and the browser is sent to the wrong location. The URL that’s shown in the browser looks correct and the attacker has probably copied the original pages enough to spoof a legitimate web site. This may fool the victim into entering real authentication information.
One of the most common ways that an attacker does this is to install a Trojan, software on the browser machine that puts this wrong information into the files that the computer uses to start the DNS lookup process.
Other attacks are on servers on the Internet that provide DNS information; old and unpatched servers are most likely to allow a successful attack.
Personal identification number
A term to describe a collection of methods used to steal identities on the Internet. These methods use “social engineering” to make the user surrender their credentials.
The most common vulnerability that these methods exploit is that in most cases the person who receives an e-mail cannot authenticate the sender. It is very easy to spoof the information that appears in the field of an e-mail message. It is also easy to make a link or a URL that looks like it is an authentic bank or credit card company.
A common phishing attack is a simple e-mail message that looks like it comes from a bank or credit card company and asks the recipient to go to a web site to log in. When on that web site, their login ID and password are captured, and then the user is asked to confirm or correct some information about the user or their account. All of this information is collected and often used for theft.
Public-Key Infrastructure (PKI) is the infrastructure needed to support asymmetric cryptography.
Protection of the Seed records
The Seed records are dynamically generated by the server/phone and are stored with a FIPS 140 approved encryption algorithm; this encrypted data is generated and stored at the customer premises.
Account provisioning describes the tasks and framework for authorizing and documenting access. It’s the first step in user life-cycle management.
As people join an organization, or change responsibilities, someone needs to make decisions about the information resources that they need to do their job and these policies must be enforced with the appropriate applications. De-provisioning must be done efficiently when people leave the organization or no longer need certain rights.
Question and answer
QR Code Enrolment
End user convenience of enrolment and a simple process. For the organisation there is nothing they need to do. It is the user's choice which device and which method their two factor authentication passcode is sent by!
Remote Authentication Dial-In User Service (RADIUS), also known as RADIUS Authentication Server, was originally developed to provide centralized authentication, authorization, and accounting for dial-up access to a network.
Remote chip authentication, a generic term for EMV CAP/DPA
The ability to work remotely is referred to as Remote Access (RAS). Industry has adopted tokens and smart card technologies over the years, and since the millennium the advent of tokenless, invented by SecurEnvoy, has been accepted as the modern alternative, reducing deployment costs, implementation costs and time, and moreover improving ease of use and reducing operational costs.
Radio Frequency Identification (RFID) uses radio waves to uniquely identify objects.
The tags can be active, containing a power source, or passive, simply bouncing a signal using the energy of the reader. Passive tags may be so small that they are hard to see; as of 2004, they can cost as little as 40 cents.
Their use in inventory control and retailing leads to comparisons to bar codes, which are also used in those applications. Bar codes are much less expensive to use but typically, only identify the manufacturer and the model; RFID tags are used to uniquely identify each unit.
Risk-based authentication requires various levels of authentication depending on the risk level of the transaction.
For many, using different devices at different times is a risk, so the level of risk determines the amount and quality of the authentication to be provided. In principle this makes sense: a trusted machine versus an untrusted one would require different levels of authentication. However, in practice the user on a trusted machine with cached credentials may not actually be who they say they are, and the user on a non trusted device could be the right user but has to carry an authentication device with them to be able to logon. In both instances risk based authentication hasn't worked, and in reality the user experience changes from one device to another to the point that the end user gets confused with the use of remote access, and feedback suggests a confused message is being given. A simple tokenless solution is what is needed: one that is easy to use with no hardware being needed, a consistent method of authentication in every circumstance and a user experience that doesn't change and confuse the user!
The RSA algorithm was invented by Ronald L. Rivest, Adi Shamir, and Leonard Adleman in 1977 and released into the public domain on September 6, 2000.
Public-key systems–or asymmetric cryptography–use two different keys with a mathematical relationship to each other. Their protection relies on the premise that knowing one key will not help you figure out the other. The RSA algorithm uses the fact that it’s easy to multiply two large prime numbers together and get a product. But you can’t take that product and reasonably guess the two original numbers, or guess one of the original primes if only the other is known. The public and private keys are carefully generated using the RSA algorithm; they can be used to encrypt information or sign it.
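To make the digital signature steps described above (hash the message, transform the hash with the sender's private key, check it with the public key) and the RSA prime-product idea concrete, here is an added toy example; it is not code from this page or from SecurEnvoy, and the two Mersenne primes, the public exponent and the sample message are constructed for illustration and far too small for real use.

```python
import hashlib
from math import gcd

# Constructed toy parameters (illustration only): two known primes and the usual public exponent.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537


def rsa_keypair(p: int = P, q: int = Q, e: int = E):
    """Return ((n, e), (n, d)): the product n = p*q is public; d is e's inverse mod phi(n).
    Recovering d from (n, e) would require factoring n back into p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def fingerprint(message: bytes, n: int) -> int:
    """The message digest ("fingerprint") as an integer below the modulus.
    Real schemes pad the digest (PKCS#1 v1.5 or PSS) rather than reducing it mod n; this is the toy shortcut."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: transform the digest with the private exponent d (the page's 'encrypt the hash')."""
    n, d = private_key
    return pow(fingerprint(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: undo the transform with the public exponent e and compare against a fresh digest.
    A changed message or a changed signature makes the comparison fail."""
    n, e = public_key
    return pow(signature, e, n) == fingerprint(message, n)


if __name__ == "__main__":
    public, private = rsa_keypair()
    msg = b"Transfer 100 GBP to account 1234"  # constructed sample message
    sig = sign(msg, private)
    print("genuine message verifies:", verify(msg, sig, public))
    print("altered message verifies:", verify(b"Transfer 900 GBP to account 1234", sig, public))
```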
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol that adds digital signatures and encryption to Internet MIME (Multipurpose Internet Mail Extensions) messages.
MIME is the standard for Internet mail that makes it possible to send more than text. A mail message is split into two parts: the header, which contains the information needed to move the mail from the source to its destination, and the body. The MIME structure allows an e-mail body to contain graphics, audio and many other features that improve communication over simple text. Almost all modern e-mail systems support it.
S/MIME added two kinds of security to e-mail. It added the ability to encrypt e-mail so that only the intended receiver could read it. It also added the ability to authenticate the author of an e-mail message. Both of these security measures depend upon asymmetric encryption, public-key technologies.
Since these activities require an appropriate public-key infrastructure, and must work in every popular mail package in order to be useful, an open, standards-based approach was required. RSA Security published the S/MIME standard, and some of the underlying technologies, in 1997.
The Security Assertion Markup Language (SAML), was developed by the OASIS Security Services Technical Committee (SSTC). It provides an XML-based framework–both structures and processes–for authorities to exchange authentication, attribute and authorization information about a subject. The subject is usually a person, but may be a computer or other entity, as long as it exists in some security domain. SAML provides a standard way to do single sign-on (SSO) that works independently of the underlying business systems and therefore can be an integral part of Federated Identity Management (FIM).
The previous browser-based methods for maintaining identity during a session had serious deficiencies which the designers wanted to address, including the issues associated with using cookies to establish authenticated sessions. Cookies do not let one organization vouch for an entity that they’ve already authenticated, but SAML assertions support this.
Sarbanes-Oxley Act (SOX)
The Public Company Accounting Reform and Investor Protection Act, most commonly referred to as the Sarbanes-Oxley Act (SOX), is comprehensive legislation intended to reform the accounting practices, financial disclosures and corporate governance of public companies.
SOX mandates that organizations ensure the accuracy of financial information and the reliability of systems that generate it.
Mobile phone based tokenless two factor authentication for remote access; invented and patented by SecurEnvoy Ltd.
SecurCloud is about empowering the customer and offering choice, therefore providing all the benefits of Strong Authentication from one to hundreds of thousands of users all deployed within minutes by your chosen Cloud partner. For end users, our Cloud solution is offered by YOUR partner and this is YOUR choice.
Secure Copy Protection
Locks the seed record used for generating passcodes to the phone. In this approach the SecurEnvoy security server generates the first part of the seed; the second part is derived from a “Fingerprint” of the phone, taken when the Soft Token application is run for enrolment and again each time it is run to generate a passcode.
SecurEnvoy is a registered trademark of SecurEnvoy.
Tokenless two factor authentication for disaster recovery and business continuity
In the event of an emergency, many organisations allow remote users to authenticate with a standard username and password. But this is when the need for secured access is at its highest: during emergency situations corporate defences are at their weakest and the threat from attack at its greatest.
The Security Server deletes the used passcode and any previous passcodes from the system, thereby preventing replay attacks using any used, or any previous unused, passcode. This process is known as “Watermarking”.
Delivering secure email without prior relationship and with two factor authentication for non repudiation.
Enables you to send and receive email using two-factor authentication, encryption and SSL technology. Two-factor authentication is a security process that confirms user identities using two distinct factors: something you have (your mobile phone) and something emailed to you (your pickup URL). By requiring two different forms of identification, you can make sure that the email's intended recipient is the only person who can read the mail.
Self service windows password reset using two factor authentication invented by SecurEnvoy and brought to market in 2007 with elements of the procedure patented.
A seed record is a symmetric encryption key, a shared secret between a hardware authenticator and an authentication server. The hardware authenticator, sometimes called a token, and the server work together in a time synchronous, or time dependent mode to provide a one-time password that the token holder enters at login.
The seed record is used to encrypt the clock time, and the resulting code is used as a password. The server can authenticate the user by performing the same operation. Since only one device holds that seed record, a matching code proves that the person typing in the password possesses the hardware authenticator at the time of authentication.
Subscriber identification module
Single Sign-on (SSO)
Single sign-on (SSO) describes the ability to use one set of credentials, an ID and password or a passcode for example, to authenticate and access information across a system, application and even organizational boundaries. It may be called Web SSO when everything is accessed through a browser.
With SSO a person authenticates only one time for a particular working session regardless of where the information that they want to access is located. This process offers enhanced security over a simple synchronization of passwords.
A smart card is a credit card sized device that contains a tamper proof computer chip. When it is used for security, this chip can hold and protect various types of credentials that the bearer can use for authentication. Smart card authentication requires a card reader.
Smart cards, like tokens, were developed for strong or two-factor authentication. So in addition to swiping the card to prove ownership of the credentials contained on it (something the user has), the owner usually has to enter a PIN or password (something the user knows).
The infrastructure to support smart cards must include a method to securely write the credentials to the card, usually a dedicated computer and an application with administrator-only access to the server.
Short Message Service
Spoofing refers to a practice where attackers will change information in an e-mail header or in packets of information being sent over the Internet to make it look like the information came from another source.
One of the more common methods used to get a person to open a mail message containing a virus or Trojan is to spoof the address that appears in the “from” field. If the message appears to come from a friend or acquaintance, or a place where the person has an e-Commerce account, it is more likely to be opened.
Phishing attacks will usually combine this false e-mail information with a link to a spoofed web site. The web site will look like a person’s bank or an e-Commerce site because the attacker has copied graphics and logos from the real site. The attacker may also use an HTML link in the e-mail whose visible text looks like the legitimate company’s address. Although there are methods that a knowledgeable person can use to distinguish these spoofed messages and web sites, it’s best just to treat any information in an unsolicited e-mail with suspicion.
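Two of the checks a knowledgeable reader (or a mail gateway) can apply to the spoofing described above are mechanical enough to script: does the address in the “From” header come from the same domain as the envelope sender in Return-Path, and does any HTML link whose visible text looks like a web address actually point at a different host? The following is an added example, not code from this glossary or from SecurEnvoy; the message it inspects is constructed for the demonstration, with made-up `.test` and `.invalid` domains, and the Return-Path comparison is only a heuristic (legitimate bulk mailers also use separate bounce domains), so a mismatch is a prompt to look closer rather than proof of spoofing.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name claims to be a bank, the address
# and the envelope sender sit in unrelated domains, and the first link's visible
# text is a URL whose host differs from the host in its href.
SAMPLE_MESSAGE = b"""From: "Example Bank Support" <alerts@example-bank-login.test>
Return-Path: <bounce@mailer.invalid>
To: customer@example.test
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>Click <a href="http://login.example-bank-login.test/verify">https://www.example-bank.test/verify</a> now.</p>
<p>Or visit <a href="https://www.example-bank.test/help">our help page</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html_body):
    """Return links whose visible text is a URL pointing at a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not re.match(r"^(https?://|www\.)", text):
            continue  # plain anchor text such as "our help page" cannot mislead about the host
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append((href, text))
    return findings


def sender_mismatch(msg):
    """Return (From domain, Return-Path domain) when the two differ, else None."""
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return_path = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        return (from_domain, rp_domain)
    return None


def inspect(raw_message):
    """Parse a raw RFC 5322 message and run both spoofing heuristics over it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_mismatch": sender_mismatch(msg),
        "deceptive_links": deceptive_links(html),
    }


if __name__ == "__main__":
    for key, value in inspect(SAMPLE_MESSAGE).items():
        print(key, value)
```

Both checks work on what the recipient already has in hand, the headers and the rendered body; neither needs a lookup against the real site, which is the point when the message is designed to make you visit the wrong one.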
Although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and that it authenticates at least one of the parties, also makes it a Virtual Private Network (VPN).
Single Sign On, developed as a single point of access, has been seen as the pivotal method of cloud services success. SSO has developed over the years and is now accepted as the method of choice when married to a tokenless authentication method such as SecurEnvoy's SecurAccess by players such as PasswordBank, reducing time to market and password management cost and increasing user adoption, with ease of use and availability being the number one reasons to use SSO.
All stored authentication data is generated and encrypted with AES 256-bit encryption and is kept within the customer LDAP server.
Strong authentication, also called two-factor authentication and multi factor authentication, is defined as two out of the following three proofs: something the user knows, something the user has and something the user is.
Using strong authentication provides more protection for sensitive information than a simple username and password can provide. Strong authentication, especially when combined with other practices like mutual authentication and non-repudiation offers a strong assurance that financial transactions are conducted by two known and trusted parties.
Symmetric Key Cryptography
Also called secret key cryptography, it relies on a shared secret. The entity that encrypts the plain text and the entity that decrypts the plain text both must know the key.
The two parties can arrange to exchange the key in some other way, sometimes called OOB for “Out of Band”. For example, I could send the recipient something that I had encrypted via e-mail and then call them on the telephone to relay the value of the key.
Symmetric key cryptography is often much faster than asymmetric or public-key cryptography, so it’s preferred for encrypting large amounts of data. But the key length and complexity in current crypto systems do not make it feasible to transfer the shared secret in a telephone call. So public-key technology is often used to encrypt only the shared secret. The recipient first decrypts the shared secret with their private key and then uses symmetric key cryptography to efficiently decrypt the large blocks of data.
Total cost of ownership
Time Synchronous Authentication
Time synchronous authentication is an authentication method that relies on a timing value to authenticate the token bearer.
All token authentication applications work with an input value from some source. The input value is encrypted according to some algorithm, using a key. The encrypted value is displayed as a one-time password that the token bearer types into a computer or other device to gain access.
In time synchronous authentication, both the token, often called a hardware authenticator, and the server keep track of clock time. The clock time is the input value for the encryption process and it’s encrypted with the seed record. The resulting value is entered as a one-time password at the login prompt. The server does the same computation in order to authenticate the token bearer.
A token (sometimes called a security token) is an object that controls access to a digital asset. Traditionally, this term has been used to describe a hardware authenticator, a small device used in a networked environment to create a one-time password that the owner enters into a login screen along with an ID and a PIN. However, in the context of web services and with the emerging need for devices and processes to authenticate to each other over open networks, the term token has been expanded to include software mechanisms, too.
Tokenless is a trademark of SecurEnvoy and a term invented by them for the use of authentication without hardware devices such as tokens, smart cards or USB tokens.
Tokenless is a registered trademark of SecurEnvoy.
Trojans are a type of computer virus; programs written by an attacker to be placed on a victim’s computer to serve the uses of the attacker. They often arrive via e-mail and the web. Trojans get their name from the fact that these programs look like an innocent file, maybe a game or a legitimate utility. However, when the victim installs or runs the program it secretly installs malware on the victim’s computer.
Many Trojans just continue to earn their name by using information that they find on the host computer to send copies of themselves to other addresses, often using the e-mail address book of the victim.
Some of the worst Trojans, however, are spyware. They actually collect personal information from files on the computer or perform key logging to collect account IDs and passwords, and they report this information back to the attacker.
Time-based OTP, an OATH OTP algorithm
Two-factor authentication is also called strong authentication. It is defined as two out of the following three: something the user knows, something the user has and something the user is.
When information is particularly sensitive or vulnerable, using a password alone may not be enough protection. A stronger means of authentication, something the user is and something the user has combined with what the user already knows will be much harder to compromise.
A USB token, sometimes called a dongle, is a security token that works with the USB interface on a computer. It can also be called a hardware authenticator because it is a hardware device that is used for two-factor authentication or strong authentication.
The token holds multiple types of credentials, including multiple certificates, key sets, finger-based biometric templates, user names and passwords and software token seed records. One of the advantages of using a USB token is that a smart card reader is not required; however, a USB port is required, and the user must carry a secondary device in addition to the computer and the mobile! Deployment is also expensive and arduous and not one to be undertaken lightly.
User Life-Cycle Management
User life-cycle management covers the entire process of identity management over time. It includes the technologies used for provisioning and password resets but it also includes the processes and policies associated with these technologies.
Who decides what access a user needs; how easy should it be for a user to reset a password; do we need different levels of authentication for highly sensitive information; and when do we disable a user’s account or delete it? These are all policy issues. The security architecture and tools that a company chooses need to support the policies in a way that’s consistent with the organization’s goals.
An organization needs to analyze the policies and tasks associated with provisioning access to information resources–this is highly visible to new customers, employees, or partners. But it also needs to look at frequently repeated tasks like password resets, moves and changes; to save time and reduce costs. A way to efficiently de-provision must be built into the architecture because un-used accounts, and accounts that are linked to people who no longer need access continue to be a major source of security breaches in the enterprise.
Virtual Private Networks (VPNs) allow private use of a public network. They enable mobile computers and other devices to connect to a company’s private network by creating an encrypted tunnel from the network that’s owned by the company, over the Internet and to the remote device on the other end. The most commonly used technologies to do this are Secure Sockets Layer (SSL) and IP Security (IPSec). These effectively extend the company’s network, creating a Virtual Private Network.
The costs tend to be lower than other kinds of remote access and the concept, from a network administration standpoint, is simple. However, VPNs open up a couple of vulnerabilities that must be addressed. First, the remote device must be given the same level of protection as those inside the company doors, or viruses can infect the corporate network. Secondly, when the physical security of the home office is not available, anyone may be able to pick up that device and try to use it. Extra care must be taken to authenticate the person who is using that device to connect to the network.
Web Access Management
Web access management enables organizations to carefully manage access rights to web-based resources on intranets, extranets, portals and exchange infrastructures. With growing numbers of internal and external users, and more and more enterprise resources being made available online, it is critical to ensure that qualified users can access only those resources to which they are entitled. Web access management does just that: it offers business rule-based access management that is easy to deploy and monitor for compliance.
In its simplest form, the definition of a web service is a communication between two applications.
Extensible Markup Language (XML) is a structured language. It’s called a meta language because it’s used to describe other languages, the elements they can contain and how those elements can be used. These standardized specifications for specific types of information make them, and the information that they describe, very portable.