aladdin.com: Strong Authentication and Beyond. Budai László, IT Security Consultant.

Presentation transcript:

Strong Authentication and Beyond. Budai László, IT Security Consultant

Aladdin Product Lines. DRM: Software Rights Management – Copy protection, IP protection and secure licensing solution for software vendors (target market: Software Publishers and Embedded System Vendors). Enterprise Security: Solutions for access, authentication and password/digital identity management (target market: Enterprise, Education, Finance, Biopharm, Government); Web gateway content security and proactive security (target market: Enterprise, Education, Government and ISPs).

Data is everywhere: Servers; Workstations (LAN); Laptops; Mobile.

Identity Theft: There are two kinds of companies: those who have experienced a data breach, and those who will.

Strong Authentication: Identification, Authentication and Strong Authentication; Benefits of Strong Authentication; Aladdin Strong Authentication Product Offering; Strong Authentication and Beyond.

Identification: Evidence of identity; something that identifies a person or thing. The condition of having the identity (of a person or object) established. The unique data, name, number or code, identifying a certain object or person. The process of specifically identifying an object from a large class of objects through reading symbols.

Identification – Real World: Name, Paper Certificate (ID Card, Driver’s License…); Physical Appearance.

Identification – Computer Systems: Username; Digital Certificate; RFID; Biometrics.

Identification – Usernames: Most dominant identification factor; Easily obtained.

Identification – Digital Certificates: Identifies a User, Computer, Server; X.509v3 is the latest standard; Subject to Human Error (Trust).

Authentication: In computer security, verification of the identity of a user or the user's eligibility to access an object. The process of identifying an individual or data. In security systems, authentication is distinct from authorization. Authentication merely confirms that the identification of the individual or data is accurate. Simply put, authentication is verifying identity. Authentication is the process of determining whether someone or something is actually who or what it asserts itself to be. The process of verifying the claimed identity of an individual user, machine, software component, or any other entity.

Authentication Methods: Passwords; One Time Passwords; Public/Private Key Pairs (Digital Certificates); Biometrics.

Passwords

Passwords – Insecure and Costly: Simple passwords – easy to guess; Complex passwords – hard to remember; Passwords are rarely changed; Passwords can be shared. “Not only are passwords insecure… Gartner Group and Forrester Research put the cost of resetting a password at about $50, while a survey from software giant Computer Associates estimated 70% of help desk calls concern password replacements.” Source: Identity thieves target firms; www.cryptocard.com

One Time Passwords: An OTP (one-time password) system generates a series of passwords that are used to authenticate. Once one of the passwords is used, it cannot be used again. The logon system will always expect a new one-time password at the next logon.

One Time Password – Tokens: Password is generated on the device (token); Zero footprint, Platform independent; Battery Operated (limited lifetime); Strong Authentication when combined with PIN code.

One Time Password – Soft OTP: Software generated; Variety of devices (cell phone, PDA, laptop, PC); Low cost solution (compared to token); Limited control; Distribution Overhead (of the OTP program).

One Time Password over SMS: Challenge-Response system; Generate the challenge on the Web, via SMS, etc.; Main problem is reliability (usability concern); SMS cost is also a concern (in large volumes); High TCO / Limited ROI.

Public-Private Key Pairs (Dig. Certificates): Digital Certificates contain the Public Key; After trust is established, a mathematical operation authenticates; Allows mutual authentication (protocol dependent); Private key must be protected.

Digital Certificates on Smart Cards: Dedicated Hardware; Secure – on-board key generation and storage; Allows personalization; Costly and less convenient – requires a reader.

Digital Certificates on USB based Smart Cards: Dedicated Hardware; Secure – on-board key generation and storage; Reader-less; Portable.

Biometrics: Can provide both functions, Identification and Authentication; Physiological / Behavioral; Costly; Complex to install (FAR/FRR); Privacy Issues.

Strong Authentication: Strong authentication means using two or more authentication methods. Authentication – the three ‛what’s: What you know; What you have; What you are.

Reliable Authentication Enables Business: Enhanced online services; 24x7 secure access to sensitive business information; Enhanced productivity (single sign-on); Digital signing of transactions; Secure PCs and laptops.

eToken Product Offering

OTP or PKI?

Strong Authentication and Beyond: OTP Provides Strong Authentication; Smart Tokens with PKI will take you beyond: Authentication, Encryption, Signing.

Strong Authentication and Beyond [chart; labels: PKI, OTP]. Source: eToken Customer Survey

eToken Devices: eToken PRO – USB, reader-less smart card; eToken PRO Smartcard – eToken PRO in traditional smart card form factor; eToken NG-OTP – First ever USB smart card token with One-Time Password generation capabilities; eToken NG-FLASH – USB smart card token with encrypted Flash memory for portable mass data storage; eToken PASS – One Time Password Authenticator.

SafeWord 2008

Thank you for your kind attention