ActivCard Strong Authentication product line. Jerome Becquart, Senior Product Manager

Transcription

1 ActivCard Strong Authentication product line Jerome Becquart, Senior Product Manager

2 A little history Strong Authentication products since 1994 Over 2.5 Millions devices, 1 Million in 2000 alone More than 60 financial institutions worldwide: Barclays, Lloyd, Forenings Sparbanken, Deustche Bank, ABN Amro,, DBS, UOB, Credit Mutuel,, St Georges Bank

3 ActivCard Strong Authentication technology One Time Password Patented Synchronous Algorithm Challenge Response X9.9 Compliant implementation User Authentication, Host Authentication, and Message Authentication DES and 3DES Ease of Use PIN protection (2 factors Authentication) with flexible policy

4 ActivCard Product Overview ActivCard Gold ActivCard One, + ActivReader KeyChain Token mid for SIM mid for palm Unique variety of Authentication client: ActivCard Tokens ActivCard Gold and ActivReader mid family of software based Authentication solution

5 ActivCard Token Family line ActivCard Plus is EOL New ActivCard One, the ActivCard One V2, replacement for the ActivCard Plus. New Form factor: the KeyChain Token All product supports physical Customization (Logo & Overlay) and Message Customization.

6 ActivCard One V2 Replacement for ActivCard Plus 3DES support Data Authentication (Message Authentication) Available in September 2001

7 Token Latour (KeyChain) Support 3DES Standard customization option Durable design Disposable (3 years battery life) Very simple GUI Limited keyboard (6 keys) Available in September 2001

8 ActivCard Gold and ActivReader Choice of Different SmartCard: Cryptoflex, Palmera, WPSC, etc.. Multi-function card with PKI and Static Password on top of the standard ActivCard SKI Authentication module New Form factor: The USB Dongle Corton.. First release in August 2001, with a Cryptoflex 16K core. ActivReader with Token Application: A bridge between token and SmartCard based Authentication. Supports Cryptoflex 8K card.

9 ActivCard mid New Authentication client targeted at Mobile devices User Authentication Time and Counter based (Synchronous) Challenge/Response (Asynchronous) PIN Protected DES and 3DES Two different platforms: The SIM Tool Kit based platform, and the Mobile Operating System platform. Trade off between security and ease of installation

10 mid for SIM Tool Kit (Evangile( Evangile) SIM Tool Kit based implementation Application pre-loaded at Manufacturing Personalization (Key loading and parameters) Over The Air (SMS). Local Authentication and SMS based Authentication First implementation on OCS SimphonIC to be released in September Schlumberger GalactIC and WPSC before end of the year. Secure as Keys are stored in a SmartCard,, but dependent on Network operator to load applet in the SIM

11 mid for Mobile OS(l Angelus) Software based Authentication module on different Mobile Operating System platform ( Palm OS, EPOC, Pocket PC ). First release: mid l Angelus: Palm Operating system: July 2001 Second Release on EPOC (Ericsson R380 and kia 9210) in Q4. Software and application can be loaded locally or remotely. DES keys stored encrypted using a PKCS#5 Session Key generation mechanism using the PIN as main input. Less Secure than SIM approach, but less constraint in term of deployment, and independent of any Mobile Phone standard (GSM, CDMA, etc..)

12 mid Angelus (2) Local PIN verification Unlock Mechanism Authentication keys are stored encrypted on the device PIN is used to generate the encryption key Wrong PIN = Wrong Authentication PIN Serial Number PKCS#5 compliant algorithm Encryption Key Encrypted Authentication Key DES Authentication Key

13 Devices functionality chart Device User Authentic ation Host Authentic ation Message Authentic ation 3DES Secret Value Gold * ActivCard Plus Token One Token One V2 KeyChain mid The Gold Card and Dongle also offers PKI and Static Password functionalities

14 Management and Initialization Tools ActivCard Management SDK 1.2 (June 15 th 2001) Support for new devices such as mid, KeyChain and Token One V2 as well as existing one (Gold, Token One) New API: ActivCard nconnected API Secret Value not supported anymore (ActivCard Plus not supported) All components provide support for 3DES and MAC ActivCard Package Init tool (name TBD) Replacement for ActivInit to support new devices Next version of Management tool Monterey

15 Initialization policy Different options: Initialization at Manufacturing based on a profile defined by the e customer, keys are then sent on a floppy disk to the customer, to import it into his database. Local initialization at the customer (or third party) facility using u either a custom tool build upon the Management SDK, or a package solution such as ActivPack, ActivInit,, etc.. Remote Initialization at the end user Integration based on ANCInit (Management SDK) and in the near future Monterey

16 Initialization policy (2) Devices Manufacturing Local Initialization Remote Initialization Gold * * (Monterey) ActivCard Plus ActivCard One Planned ActivCard One V2 Planned KeyChain Planned mid for Palm (ANCInit( ANCInit)

17 Devices & Back-end chart(1) Devices ActivCard Management tool ActivChart ActivInit Management SDK Gold * (up to 1.3) ActivCard Plus ActivCard One ActivCard One V2 KeyChain mid

18 Devices & Back-end chart(2) Devices Package solutions ActivPack for NT 3.1 ActivPack for NT 4.3 ActivPack for NDS 1.1 ActivCard Gold * (up to 1.3) ActivCard Plus ActivCard One ActivCard One V2 KeyChain mid

19 Competitive chart (devices) Competitive chart (devices) Token Token (*) (*) RSA RSA Planned Planned (*) (*) Vasco Vasco ActivCard ActivCard SIM Token SIM Token PDA PDA Token Token USB USB Dongle Dongle SmartCard SmartCard KeyChain KeyChain

20 Mobile Phone Authentication Two different mode offline and Online Client Station ActivCard Management Suite Off-line use GSM Internet native Token SIM Online use SMS TCP/IP Content provider SMS GW

21 Off-Line Mode The Software Token on the GSM phone can be used as a hardware Token. User Browses with his PC, and when needed uses his phone to generate a One Time Password, that he enters on his PC keyboard. easy to use, can use existing infrastructure

22 Online mode Authentication is done on line. The Security back-end send the challenge via the SMS gateway to the Phone The Phone send back the response via SMS Easier for the customer, only PIN entry is requested, but more impact on the infrastructure (connection of the SMS gateway to the security back- end) and may cost the customer money (cost of SMS message)

23 Authentication over WAP using SKI Directory Who are you? SIM tool Kit based Token Authentication Code ActivCard SKI Authentication Module Native Token WAP WTLS WAP Gateway SSL Service Provider

24 Authentication w: SKI Advantage: Available now Compatible with existing Back-end need for a PKI infrastructure (CA, RA, etc..) Less data to exchange for an Authentication (response size)

25 Authentication w: SKI (non WAP Model) SMS-C Gateway PIN Entry Authentication Code (Code) Authentication Request (Phone Number, Challenge) Authentication Request (Username, Challenge) Service Request (Username) Authentication Code (Username, Code) Authentication Request (Username, Challenge, Code) Access to Service granted Service Provider Authentication result Authentication Server

26 Transaction Example Merchant WAP (phone based) Online (PC, Set top box, etc..) Brick and Mortar. 1) Goods selection User gives a Username/Wallet location 7) Send Transaction Approval 2) Send Transaction details, Request Authorization 4) User verify transaction Enter PIN Validates 3) Request Authentication 3) Request Authentication 5) Send Authentication code Mobile Gateway 5) Send Authentication code Server based Wallet Directory: User Name Wallet location Financial Institution

27 ActivCard solution Merchant WAP Online (PC, Set top box, etc..) Brick and Mortar. Authentication module (SIM Tool Kit, SmartCard, etc..) Application manager Issuance Portal Card Management Module Mobile Gateway Directory SKI Authentication Module Service Provider Module LDAP or Oracle RDBMS Directory

28 PKI with current phone Compatible with Visa 3D or MasterCard SPA model SIM tool Kit based Token Authentication Authentication Module native Token Server Based Wallet * PKI keys * Credit Card Number, etc.. Service Providers

29 mid Initialization (SIM) Pre-initialization: The applet and the keys are preloaded in the SIM. Post issuance: the applet and the keys are downloaded later on a SIM (when the user subscribe to the service for example). Due to current bandwidth limitation, for mid Evangile, pre-loading of the applet at Manufacturing is recommended.

30 mid Initialization (Mobile OS) Application Code: Two cases: Device is open The application can be downloaded anytime from a web site. However in some rare cases (Ericsson R380) the applet has to be loaded at Manufacturing. Parameters and Keys: The parameter and keys can be loaded manually (manual init) or in connected mode (Palm conduit). In any case the Keys are encrypted under a PKCS#5 generated session key.

31 Security The Authentication Keys are loaded in the SIM module (SmartCard). And are protected by a PIN. In the case of post-issuance, ActivCard provides an optional PKCS#5 based transport key mechanism (no shared key needed between the phone and the secure server).

32 Post Issuance PKCS#5 mechanism The applet is send over the air, with the key(s) in encrypted form. The Key to decrypt the keys is generated using a PKCS#5 mechanism, and a PassPhrase (input of the PKCS#5) is sent independently to the user. In order to start the application for the first time, the user will w need the PassPhrase,, and will have to select his PIN.