Organizations that wish to use strong authentication have a variety of methods from which to choose. These methods range from simple username/password mechanisms that exist in every operating system to hardware-based one-time password (OTP) tokens, biometric, smart card and PKI systems. However, all of these solutions confirm an old security adage: “inexpensive, easy, and secure - choose two”. In the past, authentication solutions were either easy to use and inexpensive, but insecure (such as username/password) or very secure but expensive or difficult to implement (such as OTP tokens and smart cards). Arcot offers a third option: WebFort®, a 100% software, two-factor authentication solution. WebFort delivers the right balance of cost, convenience, and strength.
Introducing the ArcotID®

At the heart of WebFort is the ArcotID. The ArcotID is the only “Software Smart Card” on the market today. It combines protection for digital IDs comparable to a hardware smart card with the lower cost and simplicity of a software solution. The ArcotID provides strong, two-factor authentication. It is a 100% software solution that allows organizations to replace simple username/password or OTP tokens with the strength of PKI, without changing the user experience. The ArcotID features an easy-to-use and familiar username/password user interface. It integrates quickly with existing infrastructures through support for standards such as RADIUS-based OTP, SAML, MS CSP and PKCS#11. Unlike traditional software key containers, the ArcotID resists brute-force attacks using patented “Cryptographic Camouflage” technology to hide the private key from would-be attackers. In addition to strong authentication, the ArcotID enables PKI applications such as electronic document signing, secure email, and secure ecommerce. As a 100% software solution, the ArcotID enables organizations to leverage the advantages of Public Key Infrastructures without the expense and management issues inherent in hardware-based secure key storage.

An Introduction to Public Key Infrastructures

Public Key Infrastructure (PKI) exists to provide secure online authentication services. Prior to public key cryptography, the principle of a “shared secret” formed the basis of authentication. This time-honored system of passwords, pass phrases, and secret handshakes required both parties to arrange to share a piece of information. The critical problem was (and continues to be) how to share a particular piece of information between parties when there is a potentially unlimited number of participants. Every pair of participants needs its own secret, so the number of shared secrets grows with the square of the number of participants: N(N-1)/2 secrets for N parties, which is O(N²).
A better system is a central authority, trusted by all parties, that is responsible for authenticating every party. This central authority provides all parties with credentials that anyone can verify, based on the characteristics of the credential itself. A good example of this is a passport issued by the government. The government requires specific forms of proof of identity before issuing a passport and includes tamper-evident technology in the passport itself to reduce the probability of forgery. Once issued, the passport is a self-contained authentication credential.
Public-Key Cryptography

The basis for PKI is Public Key Cryptography, also known as “asymmetric key” cryptography. Public Key cryptography is a form of encryption where two mathematically related “keys” (seemingly random strings of numbers) can be used to encrypt (scramble) and decrypt (unscramble) messages and data using a computer. Messages encrypted with one key can only be decrypted with the other key, and vice versa. The crucial advantage of this property is realized when these keys are used in a very specific way. If one of the keys is kept secret by the owner but the other is tied to the owner’s identity, certified (notarized) by a trusted third party (similar to a government issuing a passport) and widely published, the infrastructure for digital signing is created. In the digital world, this is called a Public Key Infrastructure or PKI. In this scenario, if the secret or “private” key is used to encrypt a message, then only the widely published and certified key (the “public” key) will decode the message correctly. (In practice the private-key operation is applied to a cryptographic hash of the message rather than to the message itself; the verifier recomputes the hash and checks it against the signature.) If one can be reasonably sure that the private key was not stolen, then one can assume that the message was indeed sent by the person whose identity information is contained in the certified public key. This is the basis for digital signatures.
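The sign-and-verify flow described above, as an added example that is not part of the original paper or of Arcot's products. It uses only the Go standard library (RSA with SHA-256 and PSS padding) and omits the certificate step: the public key is handed to the relying party directly rather than wrapped in a CA-signed certificate. The party names, the sample message and the Demo/Verify function names are assumptions made for this illustration. The three checks show what a relying party gets from a signature: a genuine message verifies, a tampered message does not, and a signature produced by a different key (an impersonator) does not verify under the claimed signer's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity holds a hypothetical user's key pair. In a real PKI the public half
// would be bound to the name by a certificate from a trusted CA; here it is
// handed out directly so the example stays self-contained.
type Identity struct {
	Name    string
	private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewIdentity generates a fresh 2048-bit RSA key pair for a named party.
func NewIdentity(name string) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, private: key, Public: &key.PublicKey}, nil
}

// Sign hashes the message with SHA-256 and applies the private-key operation
// to the digest (RSASSA-PSS). Only the holder of the private key can do this.
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, id.private, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature against a published
// public key. It returns true only if the signature was made by the matching
// private key over exactly this message.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo runs the three checks a relying party cares about and returns them.
// Expected: genuine == true, tampered == false, impostor == false.
func Demo() (genuine, tampered, impostor bool, err error) {
	alice, err := NewIdentity("alice")
	if err != nil {
		return
	}
	mallory, err := NewIdentity("mallory")
	if err != nil {
		return
	}
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, err := alice.Sign(msg)
	if err != nil {
		return
	}
	// Genuine: Alice's signature over the original message, checked with Alice's public key.
	genuine = Verify(alice.Public, msg, sig)
	// Tampered: same signature, but the message was altered in transit.
	tampered = Verify(alice.Public, []byte("transfer 900 to account 42"), sig)
	// Impostor: Mallory signs the same message with her own key and claims to be Alice.
	forged, err := mallory.Sign(msg)
	if err != nil {
		return
	}
	impostor = Verify(alice.Public, msg, forged)
	return
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v\ntampered verifies: %v\nimpostor verifies: %v\n", g, t, i)
}
```

The verifier never needs Alice's private key, which is the point of the scheme: everything it holds is public, and the only way to pass the check is to possess the private key. That is also why the protection of the private key, the problem the ArcotID is designed to address, decides the strength of the whole system.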