MobilePASS Security Features
SOFTWARE AUTHENTICATION SOLUTIONS


Contents

Introduction
Technical Features
Security Features
    PIN Protection
    Seed Protection
Security Mechanisms per Operating System
Summary
About SafeNet Authentication Solutions

List of Tables

Table 1  MobilePASS Security Mechanisms for Apple iOS
Table 2  MobilePASS Security Mechanisms for Android
Table 3  MobilePASS Security Mechanisms for Microsoft Windows Desktop
Table 4  MobilePASS Security Mechanisms for BlackBerry OS 10
Table 5  MobilePASS Security Mechanisms for BlackBerry OS 6
Table 6  MobilePASS Security Mechanisms for Microsoft Windows Phone 7
Table 7  MobilePASS Security Mechanisms for Mac OS X

Page 1 of 12

Introduction

SafeNet's MobilePASS family of one-time password (OTP) software authentication solutions combines the security of proven two-factor strong authentication with the convenience, simplicity, and ease of use of OTPs generated on personal mobile devices or PCs. By turning a mobile phone into a two-factor authentication device, organizations save significantly on hardware and deployment costs, while users benefit from not having to carry an additional hardware token around with them. MobilePASS is available for all leading mobile devices, including BlackBerry, iPhone, Android, Windows Phone 7, Mac OS and Windows desktop.

The purpose of this document is to review the security mechanisms designed to protect the MobilePASS application, the OTP seeds and other MobilePASS functionality from malicious activity, and to limit exposure when a user's mobile device is misplaced, stolen or lost.

Technical Features

Over-the-Air Automatic Activation: MobilePASS enables automatic activation over the mobile device's data connection. Automated activation is easy for the end user and at the same time enforces enterprise policies for the token settings. During automatic activation the user provides an activation credential that was delivered to the user out of band. The one-time activation credential ensures that the token is indeed activated by the authorized user. The MobilePASS application establishes a secure communication channel with the authentication server's activation service and sets the OTP secret that is used to generate one-time passwords.

Policy Driven Activation: MobilePASS tokens are activated in accordance with policy settings configured in the authentication server. The policy settings managed in the server control which users are authorized to activate MobilePASS tokens, as well as the security settings of the application, such as PIN quality, device qualification and lockout policy. The activation policy settings enable flexible and effective policy management, enforcing the appropriate level of security.

Comprehensive OTP Algorithm Support: MobilePASS tokens support the industry-standard OTP generation algorithms from the OATH initiative (http://www.openauthentication.org). Tokens can be used with the time-synchronous (TOTP), event-synchronous (HOTP) or challenge-response (OCRA) algorithm. The algorithm used, along with any additional security settings, is determined by policy settings in the SafeNet token management server.
  o The use of standards-based algorithms that have gone through public scrutiny, together with the ability to match the proper algorithm and policy setting to each user community, lets organizations mitigate risk with deliberately chosen security mechanisms.

MobilePASS SDK: In addition to the mobile applications, MobilePASS ships with an SDK that allows MobilePASS security functionality to be embedded within other mobile applications. The SDK enables the creation of customized apps and software tokens that are compatible with the SafeNet authentication solutions and enjoy the same level of security and functionality.

Enhanced PIN complexity: Support for numeric and alphanumeric PINs, as well as the ability to set a token policy disallowing trivial PINs.
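As an added illustration of the OATH algorithms named above, the following Python implements HOTP (RFC 4226) and TOTP (RFC 6238) together with the server-side checks that go with each: a forward-only look-ahead window for event-synchronous tokens and a small drift window for time-synchronous ones. This is example code written for this page, not SafeNet's MobilePASS implementation; the seed is the published RFC test-vector key rather than a real token seed, and OCRA is not covered.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Published RFC 4226 / RFC 6238 test-vector key (not a real token seed).
RFC_SECRET_SHA1 = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """Event-synchronous OTP (RFC 4226): HMAC over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """Time-synchronous OTP (RFC 6238): HOTP over the number of time steps since t0."""
    if at is None:
        at = time.time()
    return hotp(seed, int((at - t0) // step), digits, algorithm)


def verify_hotp(seed: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Server-side HOTP validation. The code is accepted if it matches any counter in
    [server_counter, server_counter + look_ahead]. Returns the next counter the server
    must persist (the accepted counter and everything before it are burned), or None.
    Codes for counters below server_counter never match, so a captured code cannot be
    replayed once a later one has been accepted."""
    for i in range(look_ahead + 1):
        if hmac.compare_digest(hotp(seed, server_counter + i, digits), candidate):
            return server_counter + i + 1
    return None


def verify_totp(seed: bytes, candidate: str, at: float, step: int = 30, digits: int = 6,
                drift_steps: int = 1, algorithm: str = "sha1") -> bool:
    """Server-side TOTP validation tolerating +/- drift_steps of clock drift.
    Constant-time comparison avoids leaking how many digits matched."""
    current = int(at // step)
    for s in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(seed, s, digits, algorithm), candidate):
            return True
    return False


if __name__ == "__main__":
    # Reproduces the first RFC 4226 vector and the first RFC 6238 SHA-1 vector.
    print("HOTP counter 0:", hotp(RFC_SECRET_SHA1, 0))
    print("TOTP at T=59, 8 digits:", totp(RFC_SECRET_SHA1, at=59, digits=8))
```

The look-ahead in verify_hotp is what lets an event-based token stay usable after a few passcodes were generated but never submitted, while the returned counter keeps the window moving forward only.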

Security Features

SafeNet is committed to ensuring the security of the MobilePASS software authentication solution. Below are the key security features built into the software token implementation to secure the operation and management of the MobilePASS solution.

PIN Protection

1. Device PIN Protection: Most mobile devices come with a device PIN protection option that allows the user to designate a secret PIN which is then required to unlock the device for use. Enabling this mechanism gives users a first layer of defense against unauthorized users gaining access to the MobilePASS application stored on the device and generating passwords.

2. Mobile Application PIN Protection: While device PIN protection is a mobile device feature, MobilePASS also includes an optional token PIN that can be used instead of, or on top of, the device PIN. IT policy can be set to control and enforce PIN length and lockout policy.

3. OTP PIN Protection: An additional OTP PIN may also be required by the authentication server policy in order to log in to the protected application. Because the OTP PIN is checked at the server layer, even if a token application is compromised, the unauthorized user would still need to know the OTP PIN to log in successfully. OTP PIN length and lockout policy are also configurable in the authentication server policy settings.

Seed Protection

Generating a one-time password (OTP) securely relies on a secret key that is shared between the OTP generator application (or device) and the OTP validation server. This secret key is referred to as the OTP seed. Ensuring the seed is not compromised is a key security aspect of OTP authentication. As such, the OTP seed used by MobilePASS needs to be protected at three points:

- Enrollment: to prevent the seed from leaking during the activation process
- Mobile Device: to secure the OTP seed stored on the mobile device
- Authentication Server: to secure the OTP seed stored by the server to validate authentication requests

Following are the key mechanisms used to protect the MobilePASS OTP seed:

- Secure activation protocol: While the automated activation process is performed over a Secure Sockets Layer (SSL) transport, the activation of MobilePASS tokens also uses the DSKPP protocol (RFC 6063, available at http://www.ietf.org/rfc/rfc6063.txt) to secure the OTP seed key exchange. The four-pass variant of DSKPP is used, which ensures a secure key exchange between the MobilePASS application and the MobilePASS activation service on the backend such that the OTP seed itself is never transmitted over the communication line. The DSKPP authentication data is delivered in the enrollment email. The activation information is valid for a single activation and only for a short period of time. When the activation process is started, the enrollment information, including the user authentication code, is passed to the MobilePASS application.

1. Secure seed server storage: Once activated, the MobilePASS OTP seed is encrypted by the SafeNet Authentication server and can be further protected by using a Hardware Security Module (HSM).

2. Dynamic seed generation: With SafeNet MobilePASS, the OTP seed is not predefined on the server side and then transmitted to each device. Instead it is randomly generated during the enrollment of the MobilePASS authenticator and set on both the client and the server side during the activation process. This prevents multiple instances of the MobilePASS application from using the same seed.

3. Secure device seed storage: Once generated, the MobilePASS application stores an encrypted OTP seed in protected storage using mobile-device-specific mechanisms. The goal is to protect the seed from being used by other applications or users, and from being copied to another device. Security of the stored data depends on the following considerations:
   - Key Store Access: which applications and users can access the stored key
   - Key Encryption: how the stored key is protected from access by other users
   - Copy Protection: how the stored key is protected from being duplicated to another device

4. Intruder Key Reset: MobilePASS can be configured to resist incorrect-PIN attacks using the token policy setting. When an incorrect PIN is entered more times than the predefined threshold, the token is reset and its token data is erased.

Security Mechanisms per Operating System

Tables 1 through 7 below provide platform-specific details on how each of the mechanisms described in the section above is implemented in each operating system.

Table 1: MobilePASS Security Mechanisms for Apple iOS (MobilePASS 8.4 for Apple iOS)

Key Store Access: The OTP seed is stored in the iOS Keychain. The Keychain enables sandboxed keys per application, meaning that each application only has access to its own Keychain elements; therefore no other application is able to read the MobilePASS Keychain data.

Key Encryption: The OTP seed is encrypted with AES-256 before it is stored by the application. For the AES encryption, a data encryption key (DEK) is randomly generated by the MobilePASS application and used to encrypt the token OTP seed with AES-256. The DEK is in turn encrypted with AES-256 using a key encryption key (KEK). The KEK is not stored, but dynamically derived from the user PIN and from additional phone-specific data. When the server policy does not require a PIN, a hardcoded default PIN is used in the derivation process instead of a user-chosen PIN.

Copy Protection: MobilePASS Keychain elements are non-migratable, so backup and restore are not supported (iOS 6 or later).

Certification: MobilePASS relies on the native iOS FIPS 140-2 validated crypto libraries. Details on Apple iOS crypto library validation can be found here and here.

Table 2: MobilePASS Security Mechanisms for Android (MobilePASS 8.3 for Android)

Key Store Access: The encrypted OTP seed is stored on the Android OS in the MobilePASS application's private folder. Files saved in an application's private folder are accessible only by that application; no other application can access the folder. When the user uninstalls the application, these files are removed.

Key Encryption: The OTP seed is encrypted with AES-256 before it is stored by the application. For the AES encryption, a data encryption key (DEK) is randomly generated by the MobilePASS application and used to encrypt the token OTP seed with AES-256. The DEK is in turn encrypted with AES-256 using a key encryption key (KEK). The KEK is not stored, but dynamically derived from the user PIN and from additional phone-specific data. When the server policy does not require a PIN, a hardcoded default PIN is used in the derivation process instead of a user-chosen PIN.

Copy Protection: The MobilePASS application is marked with the allowBackup attribute set to false, to prevent it from being backed up from the device. The allowBackup attribute determines whether an application's data can be backed up and restored. In addition, the code is run through an APK obfuscation process, applied to the entire installation package, to deter reverse engineering efforts.

Table 3: MobilePASS Security Mechanisms for Microsoft Windows Desktop (MobilePASS 8.4 for Microsoft Windows Desktop)

Key Store Access:
  Secure Key Storage: The MobilePASS application uses Windows Data Protection (DPAPI) to secure the OTP seed. DPAPI ensures that a different set of encryption keys is maintained for each user on a system and used to encrypt the key storage.
  File System Protection: The file is stored in %AppData% (which typically points to C:\Documents and Settings\<user dir>\Application Data), which provides another level of protection from other users of the system.

Key Encryption: The OTP seed is encrypted with AES-256 before it is stored by the application. For the AES encryption, a data encryption key (DEK) is randomly generated by the MobilePASS application and used to encrypt the token information and seed with AES-256. The DEK is in turn encrypted with AES-256 using a key encryption key (KEK). The KEK is not stored, but dynamically derived from the user PIN and from additional device-specific data. When the server policy does not require a PIN, a hardcoded default PIN is used in the derivation process instead of a user-chosen PIN.

Copy Protection: The file contents are encrypted using Windows Data Protection (DPAPI), which means they cannot be used by any other user on the same machine, nor by any user on any other machine.

Certification: MobilePASS relies on Microsoft Windows validated crypto libraries. Details on Windows crypto library validation can be found here.

Table 4: MobilePASS Security Mechanisms for BlackBerry OS 10 (MobilePASS 8.3 for BlackBerry OS 10)

Key Store Access: The encrypted OTP seed is stored in the BlackBerry Android runtime framework, in the MobilePASS application's private folder. Files saved to internal storage are private to the particular application; other applications cannot access them (nor can the user). When the user uninstalls the application, these files are removed.
Note: The MobilePASS application for BlackBerry OS 10 is based on the Android runtime environment in BlackBerry and on the MobilePASS for Android application codebase.

Key Encryption: The OTP seed is encrypted with AES-256 before it is stored by the application. For the AES encryption, a data encryption key (DEK) is randomly generated by the MobilePASS application and used to encrypt the token OTP seed with AES-256. The DEK is in turn encrypted with AES-256 using a key encryption key (KEK). The KEK is not stored, but dynamically derived from the user PIN and from additional phone-specific data. When the server policy does not require a PIN, a hardcoded default PIN is used in the derivation process instead of a user-chosen PIN.

Copy Protection: The MobilePASS application is marked with the allowBackup attribute set to false, to prevent it from being backed up from the device. The allowBackup attribute determines whether an application's data can be backed up and restored.
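The DEK/KEK arrangement described under Seed Protection (secure device seed storage and intruder key reset) and repeated in Tables 1 through 4 can be illustrated with the following added Python example: a random DEK seals the seed, a KEK derived from the PIN plus device-specific data wraps the DEK and is never stored, and too many wrong PINs erase the token data. It is not MobilePASS code. PBKDF2 is an assumed choice of derivation function, the device identifier, PIN and seed values are constructed, and because the Python standard library has no AES, an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the AES-256 step; what the example demonstrates is the key hierarchy and the failure behaviour (wrong PIN, wrong device, lockout), not the cipher.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KDF_ITERATIONS = 100_000
DEFAULT_PIN = "0000"   # assumed value standing in for the policy's "hardcoded default PIN"


def derive_kek(pin: str, device_data: bytes, salt: bytes) -> bytes:
    """Key-encryption key: derived on demand from the PIN plus device-specific data
    and never written to storage. PBKDF2-HMAC-SHA256 is an assumed KDF choice."""
    material = pin.encode("utf-8") + b"\x00" + device_data
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, dklen=32)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys so the same key is never used for both roles.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: stand-in for AES-256 (stdlib has no AES).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong KEK (wrong PIN or other device) fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cannot unwrap: wrong PIN or wrong device")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SeedStore:
    """What the app persists: salt, DEK wrapped under the KEK, seed sealed under the
    DEK, and the failed-PIN counter that drives the intruder key reset."""

    def __init__(self, seed: bytes, pin: Optional[str], device_data: bytes,
                 max_attempts: int = 5):
        self.salt = secrets.token_bytes(16)
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        dek = secrets.token_bytes(32)                      # random per token instance
        kek = derive_kek(pin or DEFAULT_PIN, device_data, self.salt)
        self.wrapped_dek: Optional[bytes] = seal(kek, dek)  # KEK itself is discarded
        self.sealed_seed: Optional[bytes] = seal(dek, seed)

    @property
    def erased(self) -> bool:
        return self.wrapped_dek is None

    def unlock(self, pin: Optional[str], device_data: bytes) -> bytes:
        """Re-derives the KEK, unwraps the DEK and returns the seed. Each failure counts
        toward the threshold; reaching it wipes the token data (intruder key reset)."""
        if self.erased:
            raise RuntimeError("token data erased; re-enroll to obtain a new seed")
        try:
            kek = derive_kek(pin or DEFAULT_PIN, device_data, self.salt)
            dek = unseal(kek, self.wrapped_dek)
        except ValueError:
            self.failed_attempts += 1
            if self.failed_attempts >= self.max_attempts:
                self.wrapped_dek = None
                self.sealed_seed = None
            raise
        self.failed_attempts = 0
        return unseal(dek, self.sealed_seed)


if __name__ == "__main__":
    # Constructed values: a 20-byte seed, a PIN, and an opaque device identifier.
    store = SeedStore(secrets.token_bytes(20), "4821", b"constructed-device-id-A")
    print("unlock on same device with correct PIN:", len(store.unlock("4821", b"constructed-device-id-A")), "bytes")
```

Binding the KEK to device data is what gives the copy-protection property: a blob restored onto another device fails the tag check even with the right PIN, and the wipe on repeated failure bounds the number of guesses an attacker with the device can make.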

Table 5: MobilePASS Security Mechanisms for BlackBerry OS 6 (MobilePASS 8.3 for BlackBerry OS 6)

Key Store Access: MobilePASS data is protected by the SafeNet private key. The SafeNet private key is part of the BlackBerry Access Protection (ControlledAccess API) system, which prevents unauthorized applications from accessing the protected data.

Key Encryption: The OTP seed is encrypted using AES-128 before it is stored by the application. The encryption key is derived from the application PIN.

Copy Protection: MobilePASS application data is protected by the SafeNet private key, which prevents the data from being accessed by a backup application. The data therefore cannot be backed up.

Table 6: MobilePASS Security Mechanisms for Microsoft Windows Phone 7 (MobilePASS 8.2 for Microsoft Windows Phone 7)

Key Store Access: The encrypted OTP seed is stored on Windows Phone 7 using the isolated storage mechanism. Files saved to isolated storage are private to the particular application; other applications cannot access them. When the user uninstalls the application, these files are removed.

Key Encryption: The OTP seed is encrypted using AES-128 before it is stored by the application. The encryption key is derived from the application PIN.

Table 7: MobilePASS Security Mechanisms for Mac OS X (MobilePASS 8.2 for Apple Mac OS X)

Key Store Access: The OTP seed is stored in the Mac OS Keychain. The encryption key is derived from the application PIN.

Key Encryption: The OTP seed is encrypted using AES-256 before it is stored in the Keychain. The encryption key is derived from the application PIN. When the server policy does not require a PIN, a hardcoded default PIN is used in the derivation process instead of a user-chosen PIN.

Copy Protection: The key to the Keychain item is derived from non-migratable device parameters such as the serial ID/hardware UUID. Hence the application will not be able to access the Keychain item when an OS backup is restored to a different machine.

Automation and Token Management

1. Dynamic re-seeding: If needed, MobilePASS can easily be re-enrolled, which re-seeds the application with new OTP seeds.

2. Immediate revocation option: When a mobile device is stolen, lost or cracked, the MobilePASS user notifies their IT administrator, who can immediately revoke access for that specific MobilePASS authenticator by disabling it or deleting it from the Authentication Server. This keeps the security exposure of the corporate information system to a minimum. Further, the user self-enrollment and over-the-air deployment capabilities enable quick and easy installation of a new MobilePASS authenticator on the user's replacement device.

3. Clock tamper detection: A known attack on time-based passcodes is to set the device time ahead so that OTPs can be harvested for future use. MobilePASS can detect that the device time has recently been changed and will prompt the user to confirm whether the device time is currently accurate. If the user confirms that the current time is accurate, it means that the device clock has been tampered with; in this case the token is revoked and the user is asked to enroll a new token.

4. Event-based passcode delay policy: To prevent a large number of passcodes from being generated in a short period of time, MobilePASS supports a delay policy between passcode generation events. The delay prohibits generation of a new passcode for the allotted duration. The delay can be configured to 10, 30 or 60 seconds.
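Two of the mechanisms above, clock tamper detection and the event-based delay policy, can be sketched as in the following added Python example (illustrative code written for this page, not the MobilePASS implementation; the tolerance value and the monotonic-clock comparison are assumptions about how such a check could be built). The detector records wall-clock and monotonic time at activation and flags a device whose wall clock has moved by more than the elapsed time both clocks should share; the delay policy refuses to hand out a new event counter inside the configured 10, 30 or 60 second window. Times are passed in explicitly so the logic can be exercised without waiting.

```python
import time
from typing import Optional


class ClockTamperDetector:
    """Clock tamper check for time-based tokens. At activation the app records a
    (wall-clock, monotonic) pair. Later the wall clock should have advanced by the
    same amount as the monotonic clock; a larger difference means the device time
    was changed. Monotonic clocks restart at reboot, so a real implementation would
    also persist the last trusted wall time; this example covers the in-session case."""

    def __init__(self, wall_at_activation: float, mono_at_activation: float,
                 tolerance_s: float = 120.0):   # tolerance is an assumed value
        self.wall0 = wall_at_activation
        self.mono0 = mono_at_activation
        self.tolerance_s = tolerance_s

    @classmethod
    def now(cls, tolerance_s: float = 120.0) -> "ClockTamperDetector":
        return cls(time.time(), time.monotonic(), tolerance_s)

    def skew_seconds(self, wall_now: float, mono_now: float) -> float:
        """Positive skew means the wall clock moved ahead of real elapsed time."""
        expected_wall = self.wall0 + (mono_now - self.mono0)
        return wall_now - expected_wall

    def clock_changed(self, wall_now: float, mono_now: float) -> bool:
        """True when the device time differs from the expected value by more than the
        tolerance; the app would then ask the user to confirm before trusting OTPs."""
        return abs(self.skew_seconds(wall_now, mono_now)) > self.tolerance_s


class EventTokenDelayPolicy:
    """Throttles event-based passcode generation: one new counter value per delay
    window, with the window fixed to one of the policy's allowed durations."""

    ALLOWED_DELAYS = (10, 30, 60)

    def __init__(self, delay_s: int):
        if delay_s not in self.ALLOWED_DELAYS:
            raise ValueError(f"delay must be one of {self.ALLOWED_DELAYS} seconds")
        self.delay_s = delay_s
        self.counter = 0
        self.last_generated: Optional[float] = None

    def seconds_until_allowed(self, now: float) -> float:
        if self.last_generated is None:
            return 0.0
        return max(0.0, self.delay_s - (now - self.last_generated))

    def next_counter(self, now: float) -> Optional[int]:
        """Returns the HOTP counter to use for a new passcode, or None if the previous
        passcode was generated less than delay_s seconds ago."""
        if self.seconds_until_allowed(now) > 0:
            return None
        self.counter += 1
        self.last_generated = now
        return self.counter


if __name__ == "__main__":
    detector = ClockTamperDetector.now()
    print("clock changed since start:", detector.clock_changed(time.time(), time.monotonic()))
    policy = EventTokenDelayPolicy(30)
    t = time.time()
    print("first counter:", policy.next_counter(t), "second within 30 s:", policy.next_counter(t + 5))
```

The delay policy bounds how many event-based passcodes can be harvested per minute by someone holding an unlocked device, and the tamper detector gives the app a signal for the "time moved ahead" case without trusting the wall clock alone.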

Summary

MobilePASS offers powerful protection and access control for remote and local network access. It is compatible with the broadest range of mobile clients, and provides secure and convenient access to remote systems such as VPNs, Citrix applications, cloud applications, Outlook Web Access and web portals. It also offers strong authentication for secure local network access. With the enhanced authentication capabilities and security mechanisms, organizations can be assured of multi-layered protection, including:

- Support for both device and software PINs
- Immediate license revocation and re-activation
- Protection from replication and duplication
- OTP seed encryption

About SafeNet Authentication Solutions

SafeNet's strong authentication solutions, delivered as-a-service or on-premise, offer fully automated, highly secure authentication with the widest choice of authentication methods and form factors. Strong authentication is made easy through the flexibility and scalability of automated workflows and extensive self-service portals, which contribute to significant reductions in total cost of ownership. With no infrastructure required, SafeNet authentication solutions enable a quick migration to cloud environments, and protect everything from cloud-based and on-premise applications to networks, users and devices. For more information regarding SafeNet's complete portfolio of authentication solutions, visit http://www.safenet-inc.com/authentication.