DSS ITSEC Conference 2012 - VASCO - Tech 2.0
DESCRIPTION
Presentation from Riga, Latvia, given at the "Data Security Solutions" Ltd. ITSEC Conference.
TRANSCRIPT
![Page 1: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/1.jpg)
© 2012 - VASCO® Data Security
Strong Authentication … in detail
Alexander Kuznetsov, Technical Account Manager
![Page 2: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/2.jpg)
VASCO Core Activities
![Page 3: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/3.jpg)
Overview DIGIPASS
DIGIPASS Go Range
DIGIPASS for Mobile
DIGIPASS for Web
DIGIPASS E-signature
DIGIPASS Reader
DIGIPASS Nano
Virtual DIGIPASS
DIGIPASS PKI
DIGIPASS for Windows
![Page 4: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/4.jpg)
Evolution of Authentication Devices
Chart: Security Level (vertical axis) against Sophistication Level of Attacks (horizontal axis).
Devices plotted, in rising security level: Static Passwords, Virtual keyboards, Time-based OTP, Counter-based OTP, Meaningful user prompts, WYSIWYS, Electronic signature.
Attacks plotted, in rising sophistication: Keyloggers, Phishing, Pharming, MitM, MitM with Social Engineering.
![Page 5: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/5.jpg)
Evolution of Authentication platforms
Chart comparing the platforms on four axes: Security, Ease of Use, Flexibility, Cost.
![Page 6: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/6.jpg)
VASCO Software DIGIPASS
The same family as in the overview: DIGIPASS Go Range, DIGIPASS for Mobile, DIGIPASS for Web, DIGIPASS E-signature, DIGIPASS Reader, DIGIPASS Nano, Virtual DIGIPASS, DIGIPASS PKI, DIGIPASS for Windows.
![Page 7: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/7.jpg)
Market leader: Digipass for Mobile 4.0
Focus: Strong Security!
Weak PIN detection, Device Binding, Time+Event Based
Dedicated authentication application in your mobile device
![Page 8: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/8.jpg)
DP 4 Mobile: why?
Easy to integrate
Included web samples
Easy to deploy
Three provisioning options
Easy to use
Intuitive graphical user interface
Easy to customize
Use your own colors and logos
![Page 9: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/9.jpg)
Supported Mobile Platforms
Android OS 2.2 and later
iOS 4.1 and later
BlackBerry OS 5.0 and later
MIDP2 compatible devices
Windows Mobile / Phone
![Page 10: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/10.jpg)
DP 4 Mobile Editions
Standard
Fully customizable
Customer responsible for provisioning process
Enterprise
Not customizable
Only authentication
3DES, Time Based, Decimal 2
VASCO responsible for provisioning process
![Page 11: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/11.jpg)
Step 1: Software Package Download
Diagram: the Enterprise Server on one side; each of the three provisioning options ends the same way, with an HTTP download of the package and a local install on the device.
![Page 12: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/12.jpg)
Step 2: Activation Modes
Offline activation
QR code activation
Online activation
![Page 13: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/13.jpg)
Offline Activation
Two variants of the data the user enters:
• DIGIPASS Serial Number, Activation Code, Reactivation Password
• DIGIPASS Serial Number, Activation Code (21 digits), Reactivation Password, plus a Local Password
![Page 14: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/14.jpg)
QR Activation
![Page 15: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/15.jpg)
Online Activation
The user receives three values: Identifier, Authorization Code, Activation Password.
1. Server: AAL2GenActivationDataRndKey generates the Identifier and Authorization Code (together with the Activation Password) for the user.
2. DIGIPASS app: generates a Nonce.
3. App -> Server: Identifier + Authorization Code + Nonce.
4. Server: AAL2GenActivationCodeXErc returns the Encrypted Full Activation Data = Static Vector + Serial Number Suffix + Activation Code + Reactivation Counter + Nonce, encrypted with the Activation Password.
5. App: activates with the Activation Password (decrypts the activation data).
![Page 16: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/16.jpg)
Step 3: OTP Post Activation
1. The activated DIGIPASS generates an OTP.
2. The server validates it with AAL2VerifyPassword and returns the response.
![Page 17: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/17.jpg)
Post Activation Device Binding
1. The app computes a Platform Fingerprint.
2. App -> Server: Serial Number + Derivation Code.
3. Server: AAL2DeriveTokenBlobs returns the response (the token blobs derived for this device).
Can also be done offline.
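The activation and binding exchange of the three slides above, as an added example that is not part of the original deck and not VASCO's SDK. The AAL2 functions named on the slides become stand-in methods (`gen_activation_data`, `gen_activation_code`, `derive_token_blob`, all assumed names); the proprietary 3DES-based activation format is replaced by a PBKDF2-derived key and an HMAC-SHA256 keystream so the block runs on the Python standard library; the nonce check on the device and the one-shot identifier are assumptions made to show why the nonce and the out-of-band activation password matter. It also exercises three of the application-security points later in the deck: true-random key generation, a slow encryption function and provisioning that never sends the secret in clear. Serial numbers, codes and fingerprints are constructed sample data.

```python
"""Toy reconstruction of Digipass for Mobile online activation + device binding.
Added example, not VASCO code: stand-in methods replace the AAL2 calls, and
PBKDF2 + an HMAC-SHA256 keystream replace the proprietary 3DES-based format."""
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # slow key derivation: guessing the 6-digit activation
                     # password offline from a captured blob costs 10^6 runs


def password_key(activation_password: str, nonce: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", activation_password.encode(), nonce, ITERATIONS, 32)


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (toy, not 3DES).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = xor_keystream(key, nonce, plaintext)
    return ct + hmac.new(key, nonce + ct, "sha256").digest()[:16]  # encrypt-then-MAC


def unseal(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()[:16]):
        raise ValueError("wrong activation password or tampered activation data")
    return xor_keystream(key, nonce, ct)


def bind_secret(secret: bytes, derivation_code: str) -> bytes:
    # Device binding: the usable secret depends on the platform fingerprint, so a
    # blob copied to another device derives a different key and useless OTPs.
    return hmac.new(secret, b"bind|" + derivation_code.encode(), "sha256").digest()[:16]


def derivation_code_for(platform_fingerprint: str) -> str:
    return hashlib.sha256(platform_fingerprint.encode()).hexdigest()[:8]


class ActivationServer:
    """Stand-in for the server-side AAL2 functions named on the slides."""

    def __init__(self) -> None:
        self.pending: dict[str, dict] = {}          # identifier -> activation record
        self.token_secrets: dict[str, bytes] = {}   # serial -> server copy of the secret

    def gen_activation_data(self, serial: str) -> tuple:
        """Step 1 (AAL2GenActivationDataRndKey stand-in): identifier, authorization
        code and activation password, which reach the user out of band."""
        identifier = secrets.token_hex(4)
        self.pending[identifier] = {
            "serial": serial, "auth_code": f"{secrets.randbelow(10**8):08d}",
            "password": f"{secrets.randbelow(10**6):06d}",
            "secret": secrets.token_bytes(16),      # true-random token secret
            "used": False}
        rec = self.pending[identifier]
        return identifier, rec["auth_code"], rec["password"]

    def gen_activation_code(self, identifier: str, auth_code: str, nonce: bytes) -> bytes:
        """Steps 3-4 (AAL2GenActivationCodeXErc stand-in): full activation data,
        bound to the device nonce and encrypted under the activation password."""
        rec = self.pending.get(identifier)
        if rec is None or rec["used"] or not hmac.compare_digest(rec["auth_code"], auth_code):
            raise PermissionError("unknown identifier or bad authorization code")
        rec["used"] = True                          # one shot: a replayed request fails
        full_activation_data = b"|".join([
            b"STATICVECTOR",                        # placeholder static vector
            rec["serial"][-4:].encode(),            # serial number suffix
            rec["secret"].hex().encode(),           # activation code carrying the secret
            b"0",                                   # reactivation counter
            nonce.hex().encode()])                  # the nonce this answer belongs to
        self.token_secrets[rec["serial"]] = rec["secret"]
        return seal(password_key(rec["password"], nonce), nonce, full_activation_data)

    def derive_token_blob(self, serial: str, derivation_code: str) -> bytes:
        """AAL2DeriveTokenBlobs stand-in: rebind the server copy; answer with an ack."""
        self.token_secrets[serial] = bind_secret(self.token_secrets[serial], derivation_code)
        return hashlib.sha256(self.token_secrets[serial]).digest()[:8]


class MobileDigipass:
    def __init__(self, serial: str, platform_fingerprint: str) -> None:
        self.serial, self.fingerprint, self.secret = serial, platform_fingerprint, b""

    def activate_online(self, server: ActivationServer, identifier: str,
                        auth_code: str, activation_password: str) -> None:
        nonce = secrets.token_bytes(8)              # step 2: nonce generated on the device
        blob = server.gen_activation_code(identifier, auth_code, nonce)
        fields = unseal(password_key(activation_password, nonce), nonce, blob).split(b"|")
        if fields[4] != nonce.hex().encode() or fields[1] != self.serial[-4:].encode():
            raise ValueError("activation data answers a different request or device")
        self.secret = bytes.fromhex(fields[2].decode())   # step 5: activated

    def bind_to_device(self, server: ActivationServer) -> bytes:
        code = derivation_code_for(self.fingerprint)
        ack = server.derive_token_blob(self.serial, code)
        self.secret = bind_secret(self.secret, code)
        if ack != hashlib.sha256(self.secret).digest()[:8]:
            raise ValueError("server and device derived different token blobs")
        return self.secret


def run_activation(fingerprint: str = "android-2.3/constructed-device-id"):
    """Whole flow on constructed data; returns the pieces a caller can inspect."""
    server, app = ActivationServer(), MobileDigipass("VDS1234567", fingerprint)
    identifier, auth_code, password = server.gen_activation_data(app.serial)
    app.activate_online(server, identifier, auth_code, password)
    return server, app, identifier, auth_code, password, app.bind_to_device(server)
```

What the toy makes visible: an attacker who captures the activation response still needs the activation password that went to the user over another channel, a second request with the same identifier is refused, and a secret copied off the phone is bound to the original platform fingerprint, so it derives a different key elsewhere.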
![Page 18: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/18.jpg)
Full Picture
![Page 19: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/19.jpg)
DP4Mobile – Challenge/Response
![Page 20: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/20.jpg)
DP4Mobile - QR Challenge/Response
![Page 21: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/21.jpg)
Customization: Mobile Provisioning
…
![Page 22: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/22.jpg)
Customization: Post Activation
![Page 23: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/23.jpg)
Customization: Mobile Settings
![Page 24: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/24.jpg)
Customization: Multilanguage
One XML file per language
\CustomizationTool\input\xml
Can also be used for #looks
![Page 25: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/25.jpg)
Test your Digipass for Mobile
Already now, go get your DIGIPASS at:
http://dp4mobile.demo.vasco.com/dp4mobile/
![Page 26: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/26.jpg)
DIGIPASS SDK: Software engine
DIGIPASS SDK
J2ME (Java, BlackBerry)
iPhone OS (Objective C)
WindowsMobile 5.0+ / Windows Phone
Symbian OS (2nd to 5th editions)
Android
Integration partners
Clear2pay, Monext, Lemonway
mFoundry
FundTech …
Banking applications
HSBC
GarantiBank
Alfa-Bank
![Page 27: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/27.jpg)
DIGIPASS: The building blocks
A DIGIPASS combines:
• a Secret, generated by VASCO and kept protected in Storage;
• something that changes: Time, an Event counter, or a Challenge entered through the User Interface;
• an Encryption Algorithm, with its Parameters, that combines the two;
• Truncation of the result to a human-readable generated code.
![Page 28: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/28.jpg)
The same concept on a different platform
On platform X the DIGIPASS SDK is the core of the application, surrounded by the same blocks as a hardware DIGIPASS: Storage (the Secret and the Parameters: Static Vector and Dynamic Vector), Time (with a Time Shift per token), the Encryption Algorithm, the User Interface and, in addition, a Communication Interface.
![Page 29: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/29.jpg)
Software DIGIPASS: Secure Platform
![Page 30: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/30.jpg)
Software DIGIPASS: Platform Scoring
Jail broken?
Infected?
Location?
Behavior?
![Page 31: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/31.jpg)
Software DIGIPASS: Application Security
Device Binding
Application Signing & Obfuscation
External Audit
True Random Key generation
Slow Encryption Function
Secure Key provisioning
![Page 32: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/32.jpg)
Software DIGIPASS: Native Integration
![Page 33: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/33.jpg)
DIGIPASS NANO: Secure Component
![Page 34: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/34.jpg)
Digipass Nano
Test your DPNANO sample at
http://dpnano.demo.vasco.com
More Security
More Convenience
SIM Toolkit menu
![Page 35: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/35.jpg)
Intel IPT: Integrated DIGIPASS in your PC
![Page 36: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/36.jpg)
Intel IPT drivers
Hardware security level
Regular password logon experience
No shipping!
Central provisioning
Large penetration potential
![Page 37: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/37.jpg)
Digipass for Web + Intel IPT
DP4Web applet:
• Activation through VASCO
• Generate OTP
• Generate e-signature
• Supported by all VASCO server solutions
![Page 38: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/38.jpg)
VASCO Server Side offering
![Page 39: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/39.jpg)
VASCO Identikey Server
Single point of Authentication for every DIGIPASS type (Hardware, Software, Smart Cards) and every front-end: custom web applications; Citrix, OWA, etc.; VPN, SSLVPN, Firewall, etc.
![Page 40: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/40.jpg)
Functional architecture
Front-End Integration: RADIUS clients over RADIUS; Customer Web Applications over SOAP; IIS Web Applications, Domain Login and Active Directory Users & Computers over SEAL; Command Line (TCL).
Back-End Authentication: Database (PostgreSQL via ODBC); Directory (AD, LDAP/LDAPS); via Windows API; via Custom API.
Web-based Administration (Apache Tomcat webserver): User & DIGIPASS Administration; Reporting.
![Page 41: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/41.jpg)
Identikey Server features
Authentication and e-signature validation Server
Strong authentication validation
Transaction data signing – e-Signature
DIGIPASS Family ready (including SMS)
Policy based authentication
Different policy for each application
Automatic creation of users
Auto-assigning of the DIGIPASS to the User
Easy to Integrate in your front-end application
RADIUS protocol (Authentication)
SOAP protocol – Web-services
SAML protocol – Federation authentication
High-availability and scalability model
Load balancing (primary and backup servers)
DB availability control service
![Page 42: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/42.jpg)
Identikey Server features
Centralized Web-based administration interface
DIGIPASS & User management
Domains & Organizational units
Policy management
Application management
System management
Delegated administration
> 80 different administrative privileges
Reporting capabilities
28 standard reports available
Custom reports
Admin access can be protected by OTP
System and performance monitoring capabilities
Fully PCI-DSS compliant
![Page 43: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/43.jpg)
DIGIPASS Authentication for Windows Logon
• DAWL features:
• Offline authentication (up to 30 days)
• Force OTP
• Password Randomization
• PSM – Password Synchronization Manager
• DCR – Dynamic Client Registration
• DNS reverse Lookup
• Terminal Server authentication
![Page 44: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/44.jpg)
DAWL – Architecture
Diagram components: Windows clients, LDAP, SEAL-SSL, SEAL + PSM.
![Page 45: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/45.jpg)
What is DIGIPASS as a Service
![Page 46: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/46.jpg)
Supported Types of Authenticators
![Page 47: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/47.jpg)
API vs Web Interface
![Page 48: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/48.jpg)
Availability
![Page 49: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/49.jpg)
MYDIGIPASS.COM
![Page 50: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/50.jpg)
MDP: concept
1. The end user authenticates with a DIGIPASS at the website's front-end.
2. The website's back-end sends the validation request to DIGIPASS as a Service.
3. DIGIPASS as a Service answers "Validation ok".
![Page 51: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/51.jpg)
MDP: Launch pad & Marketplace
![Page 52: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/52.jpg)
MDP: available today
3 types of DIGIPASS:
• Hardware: DP GO6
• Software: Mobile DP
• Software: DP4Web with Intel IPT
QR-code autologin
![Page 53: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/53.jpg)
DEMO
List of valid time-based OTPs
• Time granularity: standard 32 seconds, the interval between 2 successive time units
• Additional digits (optional): speed up verification of an OTP; used for the first OTP validation
List of valid counter-based OTPs
Random value generated by the host and sent to the user (challenge)
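The building blocks from the two slides on the DIGIPASS concept (secret + something that changes -> algorithm -> truncation, with a per-token time shift) and the validation lists from this demo, as an added example that is not part of the original deck. HMAC-SHA256 with decimal truncation stands in for VASCO's proprietary algorithm; the reading of "additional digits" as the two low digits of the time step, the window sizes, and the challenge encoding are assumptions; the secret and timestamps are constructed.

```python
"""Added example, not VASCO code: time, event and challenge OTPs built from the
blocks on the DIGIPASS concept slides, with server-side validation lists as in
the demo.  HMAC-SHA256 stands in for the proprietary DIGIPASS algorithm."""
import hmac
import struct
from typing import List, Optional

TIME_STEP = 32       # demo: standard time granularity of 32 seconds
DIGITS = 6
CONSTRUCTED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # sample only


def truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Human-readable truncation of the algorithm output (RFC 4226 style offset)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_for(secret: bytes, kind: str, moving_factor: int) -> str:
    """secret + something that changes -> algorithm -> truncated code."""
    msg = kind.encode() + struct.pack(">q", moving_factor)   # kind separates the modes
    return truncate(hmac.new(secret, msg, "sha256").digest())


class TimeToken:
    """Time-based mode; clock_drift (seconds) models a fast or slow device clock."""

    def __init__(self, secret: bytes, clock_drift: int = 0) -> None:
        self.secret, self.clock_drift = secret, clock_drift

    def generate(self, now: int, sync_digits: bool = False) -> str:
        step = (now + self.clock_drift) // TIME_STEP
        otp = otp_for(self.secret, "time", step)
        # Optional additional digits (assumed meaning): the low two digits of the
        # step let the server jump to the right candidate in a wide first window.
        return otp + f"{step % 100:02d}" if sync_digits else otp


class TimeValidator:
    """Server side: the list of valid OTPs around the expected step, a per-token
    time shift learned on each success, and replay protection."""

    def __init__(self, secret: bytes, window: int = 3, first_window: int = 100) -> None:
        self.secret, self.window, self.first_window = secret, window, first_window
        self.time_shift = 0                  # steps between server and token clock
        self.last_step: Optional[int] = None

    def candidate_steps(self, now: int) -> List[int]:
        centre = now // TIME_STEP + self.time_shift
        w = self.window if self.last_step is not None else self.first_window
        return sorted(range(centre - w, centre + w + 1), key=lambda s: abs(s - centre))

    def valid_otps(self, now: int) -> List[str]:
        """The demo's list of valid time-based OTPs."""
        return [otp_for(self.secret, "time", s) for s in self.candidate_steps(now)]

    def verify(self, otp: str, now: int) -> bool:
        sync = int(otp[DIGITS:]) if len(otp) == DIGITS + 2 else None
        otp = otp[:DIGITS]
        for step in self.candidate_steps(now):
            if sync is not None and step % 100 != sync:
                continue                         # filtered before computing any HMAC
            if hmac.compare_digest(otp_for(self.secret, "time", step), otp):
                if self.last_step is not None and step <= self.last_step:
                    return False                 # replayed or stale OTP
                self.time_shift = step - now // TIME_STEP
                self.last_step = step
                return True
        return False


class EventToken:
    """Counter-based mode: every press advances the counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def generate(self) -> str:
        self.counter += 1
        return otp_for(self.secret, "event", self.counter)


class EventValidator:
    """Accept the next `lookahead` counter values (presses the server never saw),
    then move the server counter forward so earlier OTPs die."""

    def __init__(self, secret: bytes, lookahead: int = 10) -> None:
        self.secret, self.lookahead, self.counter = secret, lookahead, 0

    def valid_otps(self) -> List[str]:
        """The demo's list of valid counter-based OTPs."""
        return [otp_for(self.secret, "event", c)
                for c in range(self.counter + 1, self.counter + self.lookahead + 1)]

    def verify(self, otp: str) -> bool:
        for c in range(self.counter + 1, self.counter + self.lookahead + 1):
            if hmac.compare_digest(otp_for(self.secret, "event", c), otp):
                self.counter = c
                return True
        return False


def response_for(secret: bytes, challenge: str) -> str:
    """Challenge/response: the host's random challenge is the moving factor, so the
    code proves possession of the secret for that one challenge only."""
    return otp_for(secret, "chal:" + challenge, 0)
```

The first validation walks a wide window (here ±100 steps, about ±53 minutes) and then stores the step difference as the token's time shift, so later validations only need the narrow window; with the additional digits the server computes two or three HMACs instead of two hundred. A counter-based token that was pressed a few times without being used is resynchronised by the look-ahead, and once a higher counter has been accepted every earlier OTP is dead.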
![Page 54: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/54.jpg)
Thank You
Alex Kuznetsov, Technical Account Manager EE-CIS
![Page 55: DSS ITSEC Conference 2012 - VASCO - Tech 2.0](https://reader036.vdocuments.net/reader036/viewer/2022082310/55683c8fd8b42a26518b49df/html5/thumbnails/55.jpg)
Copyright
2011 VASCO Data Security. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of VASCO Data
Security.
Trademarks
VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and the ®
logo are registered or unregistered trademarks of VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH in the U.S. and other countries
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or
conditions.