In the past, authentication solutions were either easy to use and inexpensive, but insecure (such as username/password) or very secure but expensive or difficult to implement (such as OTP tokens and smart cards). Arcot offers a third option: WebFort, a software-only, two-factor authentication solution. It delivers the right balance of cost, convenience, and strength.
WHITE PAPER
ArcotID® Technical Whitepaper
August 2007
"Since the invention of public key cryptography twenty-five years ago, people have been struggling to secure the private key without the assistance of hardware. Arcot's innovative Cryptographic Camouflage has solved this problem. Finally there is a cost-effective and convenient means to strongly authenticate users and transactions over the Internet without the need for cumbersome hardware."
Martin Hellman, Professor Emeritus, Stanford University

Organizations that wish to use strong authentication have a variety of methods from which to choose. These methods range from simple username/password mechanisms that exist in every operating system to hardware-based one-time password (OTP) tokens, biometric, smart card and PKI systems. However, all of these solutions confirm an old security adage: "inexpensive, easy, and secure - choose two". In the past, authentication solutions were either easy to use and inexpensive, but insecure (such as username/password) or very secure but expensive or difficult to implement (such as OTP tokens and smart cards). Arcot offers a third option: WebFort®, a 100% software, two-factor authentication solution. WebFort delivers the right balance of cost, convenience, and strength.

Introducing the ArcotID®

At the heart of WebFort is the ArcotID. The ArcotID is the only "Software Smart Card" on the market today. It combines the protection for digital IDs of a hardware smart card with the lower cost and simplicity of a software solution. The ArcotID provides strong, two-factor authentication. It is a 100% software solution that allows organizations to replace simple username/password or OTP tokens with the strength of PKI, without changing the user experience.

The ArcotID features an easy-to-use and familiar username/password user interface. It integrates quickly with existing infrastructures with support for standards such as RADIUS-based OTP, SAML, MS CSP and PKCS#11. Unlike traditional software key containers, the ArcotID resists brute-force attacks using patented "Cryptographic Camouflage"¹ technology to hide the private key from would-be attackers.

In addition to strong authentication, the ArcotID enables PKI applications such as electronic document signing, secure email, and secure ecommerce. As a 100% software solution, the ArcotID enables organizations to leverage the advantages of Public Key Infrastructures without the expense and management issues inherent with hardware-based secure key storage.

¹ "Software Smart Cards via Cryptographic Camouflage", D. N. Hoover and B. N. Kausik, Proceedings of the 1999 IEEE Symposium on Security and Privacy, IEEE Computer Society. Patent 6,170,058.

An Introduction to Public Key Infrastructures

Public Key Infrastructure (PKI) exists to provide secure online authentication services. Prior to public key cryptography, the principle of a "shared secret" formed the basis of authentication. This time-honored system of passwords, pass phrases, and secret handshakes required both parties to arrange to share a piece of information. The critical problem was (and continues to be) how to share a particular piece of information between parties when there is a potentially unlimited number of participants. The number of shared secrets grows at the rate of the square (N²) of the number of participants.

A better system is a central authority, trusted by all parties, that is responsible for authenticating every party. This central authority provides all parties with credentials that anyone can verify, based on the characteristics of the credential itself. A good example of this is a passport issued by the government. The government requires specific forms of proof of identity before issuing a passport and includes tamper-evident technology in the passport itself to reduce the probability of forgery. Once issued, the passport is a self-contained authentication credential.

Public-Key Cryptography

The basis for PKI is Public Key Cryptography, also known as "asymmetric key" cryptography. Public Key cryptography is a form of encryption where two mathematically related "keys" (seemingly random strings of numbers) can be used to encrypt (scramble) and decrypt

Currently, the primary use of digital certificates is for authentication. The significant advantages of certificate-based authentication over othe...
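The brute-force resistance the paper attributes to Cryptographic Camouflage rests on one property: a PIN-protected key container that carries nothing an offline guesser can check against gives every candidate PIN a plausible-looking private key, so only the verifier holding the (unpublished) public key can tell them apart. The following is an added illustration of that principle, not Arcot's code or the patented scheme; it assumes a toy discrete-log keypair with constructed, undersized parameters and contrasts a conventional MAC-protected container with a camouflaged one.

```python
import hashlib
import hmac
import secrets
# Toy discrete-log keypair with constructed, far-too-small demo parameters.
P, G = 2**127 - 1, 5      # modulus and generator
Q = P - 1                 # exponent range: every value in [0, Q) is a well-formed key

def keygen():
    d = secrets.randbelow(Q)          # private key (PIN-protected on the client)
    return d, pow(G, d, P)            # public key, held only by the verifier

def kdf(pin):
    # PIN -> masking scalar; SHA-256 stands in for a real, deliberately slow KDF.
    return int.from_bytes(hashlib.sha256(pin.encode()).digest(), "big") % Q

def tag_for(pin, masked):
    return hmac.new(pin.encode(), masked.to_bytes(16, "big"), hashlib.sha256).digest()

def wrap_conventional(d, pin):
    # Typical password-wrapped container: masked key plus a PIN-keyed integrity tag.
    masked = (d + kdf(pin)) % Q
    return masked, tag_for(pin, masked)

def unwrap_conventional(container, pin):
    masked, tag = container
    if not hmac.compare_digest(tag, tag_for(pin, masked)):
        return None                   # the container itself reveals a wrong PIN
    return (masked - kdf(pin)) % Q

def wrap_camouflaged(d, pin):
    # Camouflaged container: the masked key and nothing else to check against.
    return (d + kdf(pin)) % Q

def unwrap_camouflaged(container, pin):
    return (container - kdf(pin)) % Q  # every PIN yields a plausible private key

def offline_candidates(unwrap, container, pin_space):
    # What someone holding only the container learns by trying every PIN.
    return [pin for pin in pin_space if unwrap(container, pin) is not None]

def server_verify(pub, d):
    # Only the verifier, with the unpublished public key, can judge a candidate.
    return pow(G, d, P) == pub

def demo(pin="4821", pin_space=None):
    pin_space = pin_space or [f"{i:04d}" for i in range(10000)]
    d, pub = keygen()
    conv_hits = offline_candidates(unwrap_conventional, wrap_conventional(d, pin), pin_space)
    camo = wrap_camouflaged(d, pin)
    camo_hits = offline_candidates(unwrap_camouflaged, camo, pin_space)
    return len(conv_hits), len(camo_hits), server_verify(pub, unwrap_camouflaged(camo, pin))
```

`demo()` returns (1, 10000, True): the tagged container narrows a four-digit PIN space to the single correct PIN offline, the camouflaged one leaves all 10000 candidates equally plausible, and only the verifier's public-key check distinguishes the right one.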