Description:
Total security to protect the sensitive data of mobile executives and decision-makers in enterprises. Gemalto is at the heart of the evolution of the digital world. Every day, companies and governments around the world place their trust in us to help them offer their users services where ease of use goes hand in hand with security. Today, with an increasingly mobile workforce, the risks associated with data exposed outside the protected perimeter of the office are growing. With ExecProtect, executives are assured that their laptops and their data are secure, fully protected by the strongest encryption and access credentials in the world. Even if their laptop is stolen or lost, sensitive information remains inaccessible to ordinary users, who will not be able to defeat multi-factor authentication and authorization.
Page 1: Protiva ExecProtect Armored Office

Protiva ExecProtect

Armored Office

Solution Description

IDENTITY & ACCESS

ExecProtect Armored Office: Solution Description v1.0

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.

This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

© Copyright 2013 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

Contents

1 Preface ..... 6
1.1 Who should read this book ..... 6
Contact Us ..... 7
1.2 Executive overview ..... 7
1.2.1 Gemalto presentation ..... 7
1.2.2 Gemalto's experience in the field ..... 9
2 Introduction ..... 10
2.1 Why multi-factor authentication? ..... 10
2.2 Multi-factor authentication solutions ..... 11
3 Overview of ExecProtect ..... 14
3.1 ExecProtect Offer ..... 14
3.2 Functional Description / Use cases ..... 15
3.2.1 Authentication ..... 15
3.2.2 Data protection ..... 17
3.2.3 Secure channel ..... 19
3.2.4 Signature ..... 20
3.2.5 Secure browsing ..... 20
3.2.6 Failover mode ..... 21
4 Detailed Offer ..... 23
4.1 Product description ..... 23
4.1.1 Cards and tokens ..... 23
4.1.2 Readers ..... 27
4.1.3 Administration tools ..... 28
4.1.4 Authentication solution ..... 31
4.2 Professional Services offer ..... 37
4.2.1 Integration services ..... 37
4.2.2 Professional Services overall project approach ..... 37
4.2.3 Project Management Consulting ..... 39
4.2.4 Procurement ..... 39
5 Reference customers ..... 40
5.1 Main references of PKI Solutions ..... 40

List of Figures

Figure 1: Authentication method use cases ..... 13
Figure 2: ExecProtect Overview ..... 14
Figure 3: ExecProtect Use Cases ..... 15
Figure 4: Windows Credential Provider Logon ..... 15
Figure 5: Windows logon using NFC ..... 16
Figure 6: Multi-factor authentication to SharePoint architecture ..... 16
Figure 7: Multi-factor authentication to Office 365 ..... 16
Figure 8: Logon with a smart card in NFC mode on Windows 8 tablet ..... 17
Figure 9: PIV ID card ..... 17
Figure 10: IDPrime .NET 7510 Display Card ..... 17
Figure 11: Email encryption with Outlook and OWA ..... 18
Figure 12: Gemalto IDBridge K3000 architecture ..... 19
Figure 13: BitLocker drive encryption ..... 19
Figure 14: Architecture of strong authentication on DirectAccess ..... 19
Figure 15: Smart Card authentication on DirectAccess ..... 20
Figure 16: Gemalto secure browser on Win8 Pro tablet ..... 21
Figure 17: CEPM and OTP scenarios of "failover" mode ..... 22
Figure 18: Protiva IDPrime .NET smart card and badges ..... 24
Figure 19: Converged badge, hybrid card body ..... 27
Figure 20: vSEC:CMS T-Series Interfaces ..... 29
Figure 21: vSEC:CMS T-Series State diagram ..... 29
Figure 22: IDConfirm 1000 interfaces ..... 31
Figure 25: Operator generated virtual tokens for user ..... 34

Glossary

2FA, 3FA: Two (Three) Factor Authentication

AD CS: Active Directory Certificate Services

AD DS: Active Directory Domain Services

CA: Certificate Authority

DA: DirectAccess

DRA: Data Recovery Agent (same as KRA)

CAPM: Corporate Administration Password Manager

CEPM: Corporate Emergency Password Manager

CMS: Card Management System

CPM: Corporate Password Manager

CRL: Certificate Revocation List

CSP: Cryptographic Service Provider

FFIEC: Federal Financial Institutions Examination Council

GPO: Group Policy Object

HSM: Hardware Security Module

IIS: Internet Information Services

KRA: Key Recovery Agent

MMC: Microsoft Management Console

NFC: Near Field Communication

NSC: Network Smart Card

OCSP: Online Certificate Status Protocol

OTP: One Time Password

OWA: Outlook Web Access

PKI: Public Key Infrastructure

PIV: Personal Identity Verification card

SC: Smart Card

S/MIME: Secure/Multipurpose Internet Mail Extensions

USB HID: USB Human Interface Device class

VPN: Virtual Private Network

1 Preface

As today’s workforce becomes more and more mobile, the risks associated with taking data outside the protected perimeters of the corporate office are growing. Privileged users such as corporate executives frequently deal with numerous sensitive documents and their laptops are easy targets for theft. If sensitive information like company business plans, intellectual property, client data, financial reports, etc. gets into wrong hands, financial and reputational damages–when reported–are often immeasurable. There are many risks. Data can be leaked if a laptop or mobile device is lost or stolen. Login credentials can be compromised by such tactics as:

• Spearphishing: an attack mounted against a high value target, perhaps over a period of several months, blending customized phishing emails

• Password-stealing crimeware unique to a specific target

• Social engineering: an employee at an external director's firm could commit insider fraud there, without even touching your network.

The simple answer in most cases is that information systems are breached because someone's identity and access privileges are compromised; more likely, several people's. It might start with social engineering, spearphishing, trickery or the latest zero-day attack using ZeuS or SpyEye Trojans, but it always finishes the same way: the hackers "own" the system by setting themselves up as super admins, privileged users with full system administration privileges. Once the cyber attackers find a weak link, they advance steadily toward their goal by compromising a series of identity and access privileges.

CIOs and CISOs can close the security gap with an identity-centric approach that integrates strong authentication using device-based PKI credentials and one-time password (OTP) authentication, integrated with existing identity and access systems. Strong authentication, or multi-factor authentication, complements access security based on something you know (the username and password or PIN code) with something you have (a personal portable security device carrying a certificate), something you are (a biometric), or both.

With ExecProtect, privileged users can be assured their laptops and data are securely protected by the toughest encryption and access credentials. Even if their laptop is lost or stolen, the sensitive information will remain unavailable to all users who fail the multi-factor authentication and authorization. ExecProtect is an end-to-end solution that provides organizations with a comprehensive and scalable offer for security, authentication and administration. It aims to facilitate the migration to strong authentication while ensuring high security and convenience of use.

1.1 Who should read this book

This document provides a comprehensive description of Armored Office that provides executives and Privileged Access Users (PAU) with a solution that:

• Protects data on all endpoints

• Secures access from any device

• Enables secure and authenticated exchange of information

ExecProtect enforces a high level of security on the following functionalities: user authentication, remote access, pre-boot authentication, whole disk encryption, email privacy, and digital signature.

This document provides a detailed description of the ExecProtect offer to Gemalto's partners and distributors:

• The first part of this document gives the rationale for the ExecProtect offer: strong authentication, digital signature and encryption.

• The next part presents several use cases showing the benefits of the ExecProtect components.

• The last section outlines the technical description of ExecProtect by providing a brief overview of each component. An in-depth description can be found on the Gemalto web site and Partner portal.

This document can be used for promoting the ExecProtect solution to prospects or customers. Partners may also find useful information to answer requests for quotes or calls for tenders, or to complement offer descriptions to their customers.

This document - as a whole - is not intended to be distributed or forwarded to Customers without the prior consent and approval of Gemalto.

Contact Us

If you need more information that is not found in this manual or if you have any questions, please contact your Gemalto support representative or send an email to [email protected]

1.2 Executive overview

1.2.1 Gemalto presentation

Resulting from the merger in 2006 of Gemplus and Axalto, Gemalto is the world leader in smart card based solutions for Telecommunications, Banking, Identity and Network Security. Gemalto provides complete solutions for securing data and transactions, including highly secure portable computing devices in the form of smart cards and other form factors, as well as software and back end components to enable a complete chain of trust for protecting data using encryption and digital signatures.

Gemalto's experience in the field:

Customers

• We produced and securely personalized more than 1.6 billion devices in 2012.

• Our e-passports are supplied to countries with some 200 million citizens including border control systems based on PKI solutions.

• More than 500 million people use our banking cards and 300 of the world’s top banks and governments of more than 30 nations trust us with secure personal data.

• We serve some 400 mobile operators worldwide that connect 2 billion subscribers using our solutions

Company

• 4500+ patents and 110 new inventions in 2012

• 35 years experience in designing and producing secure personal devices

• 2.2 billion Euros turnover in 2012

• 10 000+ employees of 106 nationalities based in 43 countries on every continent

• 177 million Euros invested in R&D in 2012

• 1 700 engineers in 13 R&D centers

• 32 personalization facilities worldwide; 21 production sites

• 400 million Euros sold in Value Added Services and Professional Services in 2012

We are the world leader in digital security

• You probably have at least one of our devices in your pocket

• Approximately a third of the world's population uses our products today

• World leader in SIM cards and over-the-air server platforms for mobile networks

• World leader in chip payment cards and a leader in contactless payment

• World’s first commercial deployment of SIM-based NFC mobile contactless solution

• World leader in chip-based corporate security solutions

• World leader in e-passports and a leader in e-ID & e-healthcare government projects

• World leader in smart card readers

• World leader in eBanking solutions

• World leader in Machine-to-Machine (M2M)

1.2.1.1 Gemalto’s qualifications and certifications

1.2.1.1.1 Quality and security

Gemalto places great importance on quality and security, in both our industrial sites and our personalization centers. Implementation and monitoring of the quality standards are guaranteed by the Quality and Security department, which reports directly to the Director of the card division. In March 2002, Gemalto obtained ISO 9001:2000 certification, both overall and for each of its production sites.

Furthermore, these production sites are certified by other professional bodies that mandate their own certification criteria, such as American Express, APACS, Banksys, Diners Club, MasterCard, Visa, GIE Cards Bancaires and GIE Sesam Vitale.

Our products also possess several accreditations in terms of security. We have successfully obtained level 3 validation according to the standard FIPS 140-2, which is the security norm of the United States administration granted by the National Institute of Standards and Technology for federal computer systems, for IDPrime MD.

1.2.1.1.2 Our International coverage

Gemalto’s industrial tooling is characterized by:

• Our international coverage

• Our production capacity in unparalleled volumes

• Our expertise in mastery of the production processes

• The quality of its services on an international level

• Our environmental policy

With 21 production units, 32 personalization centers and 4 support teams distributed over the five continents, Gemalto offers a geographical coverage which allows us to remain close to all our customers—in particular global customers with subsidiaries around the world, such as BNP Paribas. Our expansive reach is key for our customers to be successful in their global projects and expansion.

1.2.2 Gemalto's experience in the field:

Gemalto reinvests a large part of its revenue back into R&D to ensure constant innovation across its product and service businesses. The thin reader that can read data reliably off a computer screen just by placing it in front of the computer monitor, and the eGo™ technology (www.ego-project.eu) which won a SESAMES Award, are direct results of this investment in R&D work within Gemalto. In 2012, Gemalto filed more than 100 innovations (patents) in the space of digital security. None of our competitors are able to offer this sort of investment in innovation during the recent difficult economic period.

2 Introduction

2.1 Why multi-factor authentication?

Many organizations use an identification badge for employee physical access to buildings and secure areas and even for payment at the cafeteria or vending machines. Meanwhile, login/passwords are commonly used for logical access to PCs, applications and remote network connections. It’s a fact that passwords are not strong security. They’re usually weak, easy-to-remember words or phrases that can be easily hacked or guessed. In addition to being a weak security solution, username and password usage results in help desk costs of more than $150 per employee, per year. Other disadvantages include:

• Fragmented security systems

• Increased risk of network intrusion and data breaches

• Additional IT resources and excessive cost for password support

• Inability to comply with regulations and mandates that require strong authentication of business application users

• Economic globalization also increases employee travel, business related digital communication and online business, requiring a higher level of security for these interactions

Several high-profile breaches in 2012 caused financial and reputational damage.

• A massive data breach at Global Payments affected more than 1.5 million Visa and Mastercard credit and debit card owners—cost $84M

• Popular social media site LinkedIn was hacked and 6.46 million user passwords were stolen—cost $1M, and another $2-3 M in security upgrades

• Yahoo was breached and exposed 450,000 user logins and passwords

These and many other headlines—affecting such well-known brands as Sony, Epsilon, and Citibank—have collectively served as an industry wake-up call regarding the changing security threat landscape. Increasingly, attacks are highly targeted to specific organizations, based on intelligence-gathering about systems, business processes and individuals, executed across multiple vectors in a manner which is designed to evade detection. In this context many enterprises across all industries are actively re-evaluating their critical security controls, including stronger user authentication.

Weaknesses of passwords

For years, a password that was at least eight characters long and included mixed-case letters, at least one number, and one non-alphanumeric symbol was considered relatively strong. Although not perfectly secure, these types of passwords were considered good enough for even relatively high-value transactions such as banking and e-commerce. However, a number of factors, related to human behavior and changes in technology, have combined to render the "strong" password vulnerable.

First, humans struggle to remember more than seven numbers in their short-term memory. Over a longer time span, the average person can remember only five. Adding letters, cases, and odd symbols to the mix makes remembering multiple characters even more challenging. As a result, people use a variety of tricks to help remember passwords. For example, users often create passwords that reference words and names in their language and experience. Users typically put the upper case symbol at the beginning of the password and place the numbers at the end of the password, repeating the numbers or putting them in ascending order. Although a keyboard has 32 different symbols, humans generally only use half-a-dozen in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker. Non-random passwords allow hackers to create a file, or "dictionary".

The bigger problem is password re-use. The average user has 26 password-protected accounts, but only five different passwords across those accounts. Because of password re-use, a security breach on a less-secure gaming or social networking site can expose the password that protects a bank account. This is exactly what happened in a series of breaches during the last few years, and there are now websites where tens of millions of actual passwords can be accessed.

There have also been evolutions in the hardware used to crack passwords. Dictionary and behavior-based attacks are elegant, but a "brute force" attack can also succeed. A brute force attack simply applies each of the 6.1 quadrillion combinations for an eight-character password until one works. A dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can crack any eight-character password in about 5.5 hours. The cost of such a machine was about $30,000 in 2012, but hackers don't even need such powerful machines. Crowd-hacking lets hackers distribute the task over thousands of relatively slow machines, each attacking a different part of the puzzle, to crack a password much faster than any single machine.

Recommendations and laws

On June 28, 2011 the agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its earlier guidance on Authentication in an Internet Banking Environment, which was issued in October 2005. The self-stated purpose of the supplement is to "reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment."

In response to the US Presidential Directive HSPD 12, the Computer Security Division of the National Institute of Standards and Technology (NIST) initiated a new program to improve the identification and authentication of US Federal employees and contractors to access Federal facilities and information systems. As a result, NIST developed the standard "Personal Identity Verification (PIV) of Federal Employees and Contractors," published as Federal Information Processing Standards (FIPS) Publication 201. The US Secretary of Commerce approved this standard and it was issued on February 25, 2005. Recognizing this need, the US Federal Chief Information Officers Council (CIO) issued the Personal Identity Verification Interoperability for Non-Federal Issuers.

2.2 Multi-factor authentication solutions

Gemalto Solution

As a leader in smart card solutions and implementation for enterprises, Gemalto offers a comprehensive solution called ExecProtect that combines strong authentication for access, secure exchange of information and data loss protection with a physical access badge that is compliant with most standards.

ExecProtect offers a wide portfolio of multi-factor technologies so customers can find the right solution that best meets their needs based on security requirements, deployment environment, company size and exposure to sensitive information.

OTP authentication: OTP authentication (something you have) is associated with a traditional (static) login password to provide two-factor authentication. Gemalto’s OTP implementation is based on the following principles:

• Time-based OTP token: Inside the token is an accurate clock that has been synchronized with the clock of the authentication server. Each password is derived from the current time together with a secret key (shared with the server), so it is only valid for a short time window. This provides additional security.

• Event-based OTP (or mathematical algorithm): This method is principally used by Gemalto OTP card applets. Each new OTP is created from an incrementing counter value, a secret key (shared with the server), and the token ID, through the OATH algorithm.
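The two OATH schemes described in the bullets above, written out as an added example (not Gemalto's code): HOTP (RFC 4226) for the event-based token, TOTP (RFC 6238) for the time-based token, and the server-side checks a verifier needs (look-ahead for unused token presses, a one-step clock-drift window, and rejection of replayed codes). The token ID mentioned above is modelled here as the key that selects the per-token secret and counter on the server side, which is an assumption; the standard HOTP computation itself covers only the counter and the secret. Token IDs and secrets are constructed for the demo.

```python
"""OATH one-time passwords: event-based (HOTP, RFC 4226) from a counter and
a shared secret, time-based (TOTP, RFC 6238) from a synchronized clock and a
shared secret, plus the verifier-side checks that make them safe to accept."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit value, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """TOTP: HOTP where the counter is the number of 'step'-second
    intervals elapsed since the Unix epoch (the token's synchronized clock)."""
    return hotp(secret, unix_time // step, digits)


class EventTokenVerifier:
    """Server side of the event-based scheme. The token ID selects the
    per-token secret and expected counter (assumption, see lead-in). The
    counter only moves forward, so a code that was already accepted, or one
    older than the last accepted code, is rejected as a replay."""

    def __init__(self, secrets: dict, look_ahead: int = 10) -> None:
        self.secrets = dict(secrets)                 # token_id -> shared secret
        self.counters = {tid: 0 for tid in secrets}  # next expected counter
        self.look_ahead = look_ahead                 # tolerated unused presses

    def verify(self, token_id: str, code: str) -> bool:
        secret = self.secrets.get(token_id)
        if secret is None:
            return False
        start = self.counters[token_id]
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.counters[token_id] = counter + 1  # resynchronize
                return True
        return False


class TimeTokenVerifier:
    """Server side of the time-based scheme: accept the current step and one
    step either side (clock drift), but never a step at or before the last
    accepted one, so a captured code cannot be reused inside its window."""

    def __init__(self, secrets: dict, step: int = 30, digits: int = 8,
                 skew: int = 1) -> None:
        self.secrets = dict(secrets)
        self.step, self.digits, self.skew = step, digits, skew
        self.last_step = {tid: -1 for tid in secrets}

    def verify(self, token_id: str, code: str, now: int) -> bool:
        secret = self.secrets.get(token_id)
        if secret is None:
            return False
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step[token_id]:
                continue  # this step was already consumed: replay
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self.last_step[token_id] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 / RFC 6238 reference secret.
    secret = b"12345678901234567890"
    server = EventTokenVerifier({"exec-token-1": secret})
    first = hotp(secret, 0)
    print(first, server.verify("exec-token-1", first))   # accepted once
    print(first, server.verify("exec-token-1", first))   # replay rejected
    print(totp(secret, 59))                               # 8-digit TOTP
```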

PKI token: A PKI token stores an encrypted digital key issued from the PKI provider along with the certificate and other relevant information. The token performs the cryptographic computation itself and provides physical protection and algorithmic countermeasures that are resistant to known attacks (power attacks, side-channel attacks and brute force attacks), and uses advanced cryptographic algorithms such as RSA 2048, DSA or Elliptic Curves (ECC). Today's cryptographic tokens generate key pairs on board the device to avoid the risk of having more than one copy of the private key. They are used for generating digital signatures, and for decryption of encrypted information (encrypted files or partitions, encrypted emails, etc.). To further increase security, PKI authentication can be combined with data protection (encryption) and secure data exchange (secure emails, secure file transfer). In contrast to PKI tokens, "PKI software" keys are stored on laptops, tablets or smartphones. Even when protected by a key phrase, a pass phrase, or any software encryption mechanism, "PKI software" keys are targets for fraud and tampering and can be compromised by malware, phishing, viruses etc. The Gemalto ExecProtect solution does not rely on "PKI software" keys and certificates. Instead, key pairs are generated and kept in a secure environment such as PKI tokens, PKI smart cards, HSMs etc.

PKI smart cards: These physical authentication devices improve on the concept of a password by requiring users to actually have their smart card device with them to access the system, in addition to knowing the PIN, which provides access to the smart card. Smart cards have three key properties that help maintain their security:

Non-exportability: Information stored on the card, such as the user’s private keys, cannot be extracted from the device and used in another medium.

Isolated cryptography: Any cryptographic operations related to the card (such as secure encryption and decryption of data, another feature of smart cards) actually happen in a crypto processor on the card, so malicious software on the host computer cannot observe the transactions.

Anti-hammering: To prevent brute-force access to the card, a set number of consecutive unsuccessful PIN entry attempts causes the card to block itself until administrative action is taken.
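The anti-hammering property above, modelled as an added example (not Gemalto card firmware): a PIN retry counter of the kind a smart card keeps in non-volatile memory. Two details carry the security: the counter is decremented before the comparison and restored only after a success, so interrupting the card mid-compare cannot buy a free attempt, and once the counter reaches zero the card blocks and refuses every further verification until an administrator presents a separate unblock key. The PIN, unblock key and retry limit are constructed sample values.

```python
import hmac


class PinGuard:
    """Retry-counter state machine for PIN verification on a smart card.

    `verified` is the card's security status: private-key operations
    (signing, decryption) are only allowed while it is True.
    """

    def __init__(self, pin: str, max_tries: int = 3, unblock_key: str = "00000000"):
        self._pin = pin.encode()                  # constructed sample PIN
        self._unblock_key = unblock_key.encode()  # constructed sample admin key
        self.max_tries = max_tries
        self.tries_left = max_tries
        self.blocked = False
        self.verified = False

    def verify_pin(self, candidate: str) -> bool:
        if self.blocked:
            return False
        self.tries_left -= 1  # commit the attempt *before* comparing
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = self.max_tries  # success restores the counter
            self.verified = True
            return True
        self.verified = False
        if self.tries_left == 0:
            self.blocked = True  # anti-hammering: card locks itself
        return False

    def unblock(self, key: str, new_pin: str) -> bool:
        """Administrative action: a correct unblock key sets a new PIN and resets the counter."""
        if not hmac.compare_digest(self._unblock_key, key.encode()):
            return False
        self._pin = new_pin.encode()
        self.tries_left = self.max_tries
        self.blocked = False
        self.verified = False
        return True

    def private_key_usable(self) -> bool:
        """Whether an on-card private-key operation would currently be allowed."""
        return self.verified and not self.blocked


if __name__ == "__main__":
    card = PinGuard("1234")
    for guess in ("0000", "1111", "2222"):
        print(guess, card.verify_pin(guess), "tries left:", card.tries_left)
    print("blocked:", card.blocked, "correct PIN now accepted:", card.verify_pin("1234"))
```

Because the limit is enforced by the card itself rather than by host software, malware on the PC cannot reset the counter or bypass the block, which is what distinguishes this from a retry limit implemented in a login screen.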

Biometric authentication: PKI token authentication can also be combined with biometric verification, providing superior two- or three-factor authentication. Biometric authentication includes fingerprints, iris scan, facial recognition, etc.


The following table summarizes the different use cases and functionalities of the authentication methods.

Figure 1: Authentication method use cases. Columns: Authentication Method | Authentication factor | Data protection - Secure data exchange | Logical Access | Physical Access | Laptop / Desktop | Mobile / Tablets. Rows:

• Password or PIN: What I know (PIN)

• OTP Token: What I have

• PKI Credential: What I have (W8Pro) (Badge)

• Biometrics: What I am (W8Pro)


3 Overview of ExecProtect

3.1 ExecProtect Offer

Figure 2: ExecProtect Overview (components shown in the figure; each item is marked as provided by GTO, provided by channel partners, or new feature)

Secure Credentials & Interface devices

• Cards & Tokens: ID Prime .NET 51x, .Net Bio 550x; ID Prime MD 3810, MD 810; ID Prime PIV; ID Prove OTP (App, Display)

• Readers: ID Bridge CT series; ID Bridge CL series; ID Bridge K series (K3000)

• Middleware: ID Go 500 (.Net) & 5500 (.Net Bio); ID Go 800 (MD & .Net)

Identity & Credential Management

• Administration / Card Mgt System (CMS): IDAdmin200 (Vsec CMS: T-Series); integration with Microsoft FIM, Intercede MyID, OpenTrust, ...

• Corporate Password Manager: CEPM (Corp Emergency Password), CAPM (Corp Administration Password)

• Enrollment Manager (project mode)

Authentication / Secure Access

• OTP Server: IDConfirm 1000

• PKI / CA: integration with Microsoft AD CS, Keynectis, ...

• Secure Access: integration with UAG, IBM Security Access Manager (ISAM), eSSO (Evidian), etc.

Support Tools

• Training / Commissioning

• Techno Partnership

• Integration

• Support

Gemalto ExecProtect is a comprehensive solution that enables multi-factor authentication deployment projects involving PKI tokens, readers and middleware, but also all associated sub-systems such as card management systems, corporate password manager, service bureau, PKI and OTP server. ExecProtect relies on a strong ecosystem developed by Gemalto and its partners, backed up by the proven expertise of the Gemalto Professional Services team for integration and support. In the past, smart badge deployment projects have often been regarded as complex and difficult to launch smoothly. Gemalto ExecProtect aims to provide an end-to-end solution that covers all phases of the migration to multi-factor authentication and ensures seamless project execution. This encompasses the following phases:

Enrollment

Credential issuance or provisioning

Development and integration

Deployment and training

Support and maintenance.


3.2 Functional Description / Use cases

Figure 3: ExecProtect Use Cases

Applications: Secure Identity Logon; Secure Remote Access; Data Protection (whole disk, file or folder encryption); Email Encryption / Digital signature

Scenarios: On-Line / Off-Line Modes; Lost / Stolen / Forgotten Credential

3.2.1 Authentication

The Gemalto ExecProtect solution provides multi-factor authentication methods for logical access control based on Windows logon, application logon or Web application logon.

PKI credential-based authentication

o 2-factor authentication (2FA): PKI credential multi-factor authentication combining something you know (the PIN code) with something you have (the PKI token, smart card, etc.)

o 3-factor authentication (3FA): PKI credential multi-factor authentication combining something you know (the PIN code), something you have (the PKI token, smart card) and something you are (fingerprint, iris scan, facial recognition)

OTP authentication: OTPs are a form of multi-factor authentication which complements access security based on something you know (the password) with something you have (OTP token, OTP mobile application, OTP SMS message, etc.)

3.2.1.1 Windows logon using Gemalto IDPrime PKI credential with PIN or Biometric fingerprint

In this use case, Windows logon is performed by inserting the PKI credential and entering either a PIN (IDPrime .NET or MD) or scanning a finger (IDPrime .NET Bio cards). A specific security policy can also be enforced to require both PIN and fingerprint matching (3FA).

Figure 4: Windows Credential Provider Logon

On appropriate NFC devices (laptops, tablets or external NFC readers), the smart card logon can be performed by “tapping” the IDPrime MD on the NFC reader. The reading process is extremely fast and the user is then prompted to enter the PIN.

Figure 5: Windows logon using NFC

3.2.1.2 Authentication to SharePoint using IDPrime MD or IDPrime .NET with PIN and/or biometric fingerprint

Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks, and internal resources via a Web portal or site. Forefront UAG product documentation is organized into content categories.

In this use case, Microsoft Forefront UAG will become an SSL gateway with strong authentication for protecting access to Microsoft SharePoint. UAG will enable SSO (single sign-on) to improve user experience.

The user is able to access SharePoint services with their PKI credential by entering a PIN code or using the biometric feature.

Figure 6: Multi-factor authentication to SharePoint architecture (components: user1, UAG, SharePoint, Active Directory)

3.2.1.3 Implementing strong authentication when accessing the Office 365 Web Interface

In this use case, the user is able to authenticate to the Office 365 portal using PKI credential authentication. This only requires a modification of the ADFS configuration in the Active Directory domain to change the logon behavior and prompt the user to insert the smart card and enter the PIN (and/or biometrics).

Figure 7: Multi-factor authentication to Office 365

All of the above authentication use cases can be experienced on a Windows 8 Pro tablet using PKI credential logon, such as a smart card in contact or NFC mode or a USB-connected token.


Figure 8: logon with a smart card in NFC mode on Windows 8 tablet

3.2.1.4 Converged badge for physical and logical access control

The Gemalto PKI badge makes it possible to combine logical authentication with physical authentication compatible with legacy proximity readers such as HID Prox technology, MIFARE or DESFIRE. The benefits of the converged badge are:

• Enhances protection for access to network connections, applications, data and communications

• Provides a platform to expand security policies with pre-boot authentication, digital signature, file encryption and other PKI services

• Reduces costs and resources needed for password support

• Improves productivity and convenience with secure access to corporate assets for employees and partners outside of the internal security perimeter

• Helps comply with regulations and standards mandating strong authentication.

As an example, IDPrime PIV smart cards feature a dual interface for use with contact and contactless smart card readers, a necessary component for PIV compatibility. They can be used with existing standalone and PC-based smart card readers. The tri-interface versions can be used with legacy proximity readers (based on HID Prox technology) that had been frequently used within government agencies in the past.

Figure 9: PIV ID card

3.2.1.5 Migration path from OTP Authentication to PKI token authentication

The IDPrime .NET 7510 Display Card combines, in a credit card format, an OTP token device that provides a simple solution for secure remote access with strong authentication, with a PKI digital key and certificate embedded in a Gemalto .NET card module. When the button is pressed, the card displays an OTP value, which the user then types on his PC keyboard. On the remote application side, the OTP value is checked by the IDConfirm 1000 server. No other external connection, client software or specific PIN is required. The .NET card also offers smart card logon, data protection and signature.

Figure 10: IDPrime .NET 7510 Display Card

This form factor offers a perfect combination of OTP authentication (Windows Logon, authentication to servers etc.) with PKI encryption that can be used in data protection, email encryption, document signature etc., within one device. This solution can also be used by organizations that plan to replace OTP tokens with all-in-one devices or need a migration to PKI deployment.

3.2.2 Data protection

Email encryption is a recommended additional security for all communications between executives and board members. By using certificate-based credential security, executives can choose to encrypt their emails containing sensitive information. A security breach of an executive’s laptop may occur at a border checkpoint when traveling internationally, if the laptop gets lost or stolen, or in case of a Trojan or other attack on networks or endpoints. These scenarios represent a significant threat for companies and corporations that can be prevented using Protiva ExecProtect.

3.2.2.1 Email encryption

In Outlook, users go to the “Options” tab to reach the “Sign” and “Encrypt” options. In OWA, an S/MIME control plugin must be installed. It is not possible to send an encrypted email to a user who does not have a certificate:

• Within the organization (same domain), the recipient is required to enroll a certificate in the Active Directory (AD) prior to exchanging encrypted emails.

• Outside the organization, recipient and sender shall first exchange their signatures (via signed emails) to register their certificates prior to exchanging encrypted information.

Figure 11: Email encryption with Outlook and OWA

3.2.2.2 Disk or data encryption

An end-point encryption tool such as BitLocker prevents unauthorized data disclosure by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. There are two ways to use it:

• When used for hard disk encryption, BitLocker requires pre-boot authentication. This can be configured to enforce the use of PKI credentials (with PIN and/or biometric authentication).

• When used for partition encryption, BitLocker can encrypt a USB drive (such as the K3000 public partition). It is recommended, however, that the recovery key be saved in a secured location (such as the K3000 private partition).

ID Bridge K3000 is thus an essential companion of the PKI credential (badge or smart card) for storing the backup recovery key in its encrypted partition (encrypted by hardware controller). The backup recovery key is a plain text key that is used to access the encrypted data in case the PKI credential is lost or stolen. It is highly sensitive information that must be protected from unauthorized access.


Figure 12: Gemalto IDBridge K3000 architecture

Figure 13: BitLocker drive encryption

The above listed data protection use cases can also be performed on a Win8 Pro device such as a tablet, with the PKI credential as a smart card in contact or NFC mode or as a USB-connected token.

3.2.3 Secure channel

3.2.3.1 Integration with Microsoft DirectAccess

In this use case, we carry out a configuration of DirectAccess to use smart card authentication for the user tunnel. DirectAccess will use two tunnels:

• The first tunnel (“infra tunnel”) is dedicated to authentication.

• The second tunnel (“user tunnel”) is dedicated to the application that will use the smart card authentication method.

Figure 14: Architecture of strong authentication on DirectAccess (components: user1, user2, DirectAccess server with Infra Tunnel and User Tunnel, Exchange, Active Directory)


As a result, even if the user logs on to his laptop with the usual authentication method (user/password, i.e. 1FA), the system will prompt the user to insert a smart card when he tries to access a server that is reachable through the “user tunnel”.

For example, when opening Outlook or OWA on this Windows 8 client, we see:

Figure 15: Smart card authentication on DirectAccess

3.2.3.2 Integration with other VPNs

Integration with CheckPoint EndPoint Security Access VPN: The Check Point Endpoint Remote Access VPN software provides users with secure, seamless access to corporate networks and resources when traveling or working remotely. Privacy and integrity of sensitive information are ensured through multi-factor authentication, endpoint system compliance scanning and encryption of all transmitted data.

3.2.4 Signature

Digital IDs help validate your identity, and they can be used to sign important documents electronically. Documents can be signed from Microsoft Office or Adobe Writer using digital IDs based on advanced algorithms such as the elliptic curve public key algorithm (ECC), supported since Windows Vista. Since Office 2010, it is also possible to use XAdES. Document signature can be performed in 3 different ways:

• Signature certificate provided from a public certificate authority.

• Signature certificate provided by a private public key infrastructure such as Microsoft AD CS (Certificate Services). For this scenario, digital certificates will be stored in a smart card.

• Signature of document without a certificate authority

3.2.5 Secure browsing

The browser is the central application for accessing on-line services through Web pages and performing eBanking and eCommerce operations. It is the security processor for performing sensitive cryptographic operations such as establishing SSL connections, and it is the repository for user credentials such as private keys and certificates and for the trust chains between certificates. The browser also affects the end-user’s privacy through bookmarks and navigation history. As a consequence, the browser is the weak security point of on-line services and has now become the main target of attackers. Currently available on a “project basis” (i.e. upon specific requirements and a specific quote), the Gemalto Armored Browser combats increasingly complex cyber threats by providing optimal security. It is modular and flexible and can integrate particular requirements (e.g. PKI). It is deployed as an application within the Gemalto IDBridge K3000. Key benefits are:

• Zero footprint using USB HID mode

• Includes up to 3 factors of authentication

• Includes system authentication of designated sites

• Protects against the most advanced malware threats

• Write protection of key elements

• Ability to update/upgrade the solution

• Embedded key logging protection

• Certificate CRL/OCSP support

Since mobile devices are particularly exposed to attacks, the Gemalto Secure Browser on IDBridge K3000 provides additional security for tablets running Win8 Pro. With the K3000 in USB HID mode, installing and running the browser application requires a “zero footprint”, and the integrity of confidential data is guaranteed because the application executes in its own “sandbox”.

When a user double-clicks on the desktop icon or runs the ID Bridge K3000 USB it automatically loads the customized browser and authenticates the designated site— while the server authenticates the user (and the device) by checking the client-side certificate and hardware ID. The user then simply enters the third factor of authentication (username/password/PIN) which is automatically protected from spyware by patented anti-key-logging technology.

Figure 16: Gemalto secure browser on Win8 Pro tablet

3.2.6 Failover mode

Any time an executive or employee travels or works outside the office, they run the risk of losing their credential. The badge may be forgotten in a hotel room, in a public location or in an airport boarding lounge. This raises a major concern: the executive must still be able to use his laptop or tablet, log on and access his personal information and resources (encrypted email, encrypted files or folders), connect to the corporate network and exchange with colleagues and peers with the same level of security in the absence of his credential. The Gemalto ExecProtect “failover” mode addresses this use case by providing solutions that meet the requirements of organizations of different sizes. It is operational in on-line and off-line mode, providing the user with continuity of service in an easy-to-use, user-friendly way that fits most situations an executive may encounter in a remote location: visiting prospects or customers without a network connection, back in the hotel room, etc.

3.2.6.1 Smart card logon and CEPM

The Corporate Emergency Password Manager (CEPM) is a software component that manages and generates the user password according to a group security policy. The passwords are computer generated and regularly modified (time based, or event based such as upon a successful logon). Depending on the frequency of password updates, it becomes practically impossible for a user to memorize all the passwords. Since the password is computer generated, it uses the full range of available characters (54 chars) and its length can be configured to render any brute-force attack inefficient. In case of a lost or forgotten credential, the executive can contact the IT administrator to obtain the password, which will be communicated through the available media such as voice, phone, SMS, etc. In the normal configuration, the smart card logon and the user password credentials both coexist and are allowed by the security group policy. But since the login/password is constantly modified and difficult for a human to remember, the smart card logon is de facto enforced, which ensures multi-factor authentication. From a practical point of view, the user password will only be used for exceptional cases such as failover mode.

3.2.6.2 Smart card logon and OTP

The OTP logon can also be used as an effective “failover” mode when the credential is lost or forgotten. Gemalto ExecProtect offers several scenarios to generate and use the OTP logon. This solution is operational online; the offline mode will be available soon. ExecProtect includes an OTP credential provider that associates login/password with an OTP to provide two-factor authentication.

Figure 17: CEPM and OTP scenarios of “failover” mode (two panels: Smart card logon + CEPM, and Smart card logon + OTP with IDConfirm 1000. Each panel shows the standard use (smart card logon to PKI-enabled applications) and the fallback case (smart card unavailable: login/password logon, password update if online, Network Controlled Smart Card (NCSC), secured SSL connection, HSM, acknowledgement))

OTP can be supplied in several ways:

• SMS-OTP: The OTP is computed by the IDConfirm server. After successful authentication of the user and supervision by the administrator, IDConfirm calculates the OTP and communicates it to the user by SMS. Upon receiving the OTP on his mobile, the user may proceed with logon authentication on his laptop or tablet by entering his login/password and the OTP.

• Mobile OTP – IDProve200: This application is installed on the mobile phone and allows users to securely generate an OTP using their mobile phone as a token. This solution combines the security and convenience of an OTP generated on a mobile device.

• Token – OTP (Display Card IDProve 700 – Token IDProve 100):

o IDProve 700 Display Card is a credit card format OTP token device that provides a simple solution for secure remote access with strong authentication.

o IDProve 100 is an unconnected OTP device that provides a simple solution for secure remote access with strong authentication.


4 Detailed Offer

4.1 Product description

4.1.1 Cards and tokens

Most organizations use an identification badge for employee physical access to buildings and secure areas, and sometimes for payment at the cafeteria or vending machines. Gemalto provides strong authentication solutions based on an extensive portfolio of products that combine logical access control and physical access control: smart cards for corporate badges, OTP tokens and associated server software, PKI middleware and card management systems. Additionally, Gemalto is a leader in smart card personalization and offers enterprise badge personalization services to enterprises around the world. Benefits of the converged badge are:

• Enhances protection for access to network connections, applications, data and communications

• Provides a platform to expand security policies with pre-boot authentication, digital signature, file encryption and other PKI services

• Reduces costs and resources needed for password support

• Improves productivity and convenience with secure access to corporate assets for employees and partners outside of the internal security perimeter

• Helps comply with regulations and standards mandating strong authentication.

4.1.1.1 IDPrime .NET

IDPrime .NET cards put state-of-the-art technology at the service of organizations committed to taking their IT identity and access (IdA) infrastructure to the next level. IDPrime .NET comes with support for two different 2FA technologies, OTP and PKI, plus a minidriver architecture, meaning there is no middleware to deploy, maintain and support for any application that supports the Base CSP. With Gemalto .NET technology, you benefit from an unparalleled level of integration with Microsoft's platforms and solutions: native support by all Windows OS from XP to Windows 8 and their associated server versions. IDPrime .NET cards are also fully compatible with Forefront Edge, Active Directory Domain Services and Certificate Services, and are supported by most card management systems such as Microsoft's FIM / ILM CMS, Versatile, etc. With the Gemalto .NET implementation, encryption and digital signature services become easier than ever. The proposed solution is based on .NET, enabling a wide range of services and solutions such as:

VPN access


Strong authentication on Web applications

E-mail, files and directories encryption,

Smart card log-on on windows session,

Electronic signature,

OTP generation.

Embedded on contactless card bodies, the .NET card can be used for physical access and contactless applications:

Canteen payment, time attendance & control

Access control, buildings, parking garages, etc.,

Figure 18: Protiva IDPrime .NET smart card and badges

4.1.1.1.1 Key Benefits

Unparalleled Integration with Microsoft Identity and Access Ecosystem

Support for certificate-based and one-time password based strong authentication

Compliance with Microsoft Minidriver specifications version 7

Support for Windows, Linux & Mac operating systems

1st ever .NET Framework implementation for smart cards

Strong smart card security

Smart card integration with Web services

Large enterprise device administration through OpenTrust SCM, InterCede MyID or Microsoft's ForeFront Identity Manager, IDAdmin 200

4.1.1.1.2 .NET smart card security

The security model of the .NET smart card falls into three categories:

User Security: the IDPrime .NET smart card is designed to provide secure, interoperable storage space. Following Web security standards and access controls, the smart card serves user data based on the rules defined for that user.

Application Security: applications deployed on the .NET smart card are always signed assemblies. The public-key token of a signed assembly is used to grant or deny privileges to that application. For example, a library assembly installed on the card might restrict unknown assemblies from using its API.

Data Security: data for IDPrime .NET applications can be stored either internally to the application or in the .NET file system. Applications using the file system can be assured that file-based data is secured by access control lists associated with the public-key tokens of on-card assemblies.

4.1.1.2 IDPrime .NET Bio

4.1.1.2.1 Functional description

IDPrime .NET Bio is an innovative software solution that provides fingerprint biometric support for Gemalto .NET smart cards integrated with Microsoft Windows platforms (since Windows XP). IDPrime .NET Bio enables fingerprint match-on-card user authentication as an alternative or complement to smart card PIN verification. This in turn gives access to the digital certificates on the card, which can then be used for logon, digital signature, file encryption and secure VPN access, among other services. This solution provides secure two- or three-factor authentication. It provides additional convenience to users, is easy to deploy and manage, and is fully compatible with the smart card security components available in Windows operating systems. It is also compatible with the vast majority of fingerprint sensors available on the market.

4.1.1.2.2 Features:

• No compromise on security: The .NET cards have multiple hardware and software countermeasures against various attacks

• Fingerprint storage and fingerprint verification performed on-card (up to 10 fingerprint templates)

• Compatible with standard fingerprint sensors representing 90% of the market

• Four different modes for card authentication: PIN only, fingerprint only, PIN or fingerprint, PIN and fingerprint

• Integrated with Microsoft Operating Systems, Microsoft applications and 3rd party applications that support Microsoft's Windows Smart Card Framework (and Windows Biometric Framework for the Windows 7 version)

• OTP option: IDPrime .NET can have an optional onboard OATH OTP applet, offering a very flexible authentication service, combining both PKI and OTP.

4.1.1.2.3 Benefits:

Security: Optional three-factor authentication (token, PIN and fingerprint)

Security: Biometric credentials securely stored on smart card. Not susceptible to service outages and man-in-the-middle attacks

Convenience: Roaming (user can use fingerprints and certificates stored on the card to authenticate on any computer)

Convenience: Fingerprints used instead of the smart card PIN – Easier to use, no forgotten PIN issues (improved user acceptance and adoption)

Privacy: Match performed on the card (biometric credentials never leave the card)

Non repudiation: User cannot deny having operated the application or the transaction

Compliancy: Certain countries have regulations preventing storage of biometric data in central repositories.

Technology: Maturity, accuracy and performance

Cost-savings: Eliminates expensive and complex password administration.


4.1.1.3 IDPrime MD

4.1.1.3.1 Presentation

IDPrime MD smart cards are designed for public-key based applications, and come with a minidriver that offers perfect integration with native support in Microsoft environments, from Windows XP to Windows 8 (without any additional middleware). IDPrime MD smart cards offer all the necessary services (with both RSA and elliptic curve algorithms) to secure an IT security and ID access infrastructure. Their PKCS#11 libraries extend the compatibility of these smart cards to any type of application and any environment (Windows, Mac, Linux) that may be used in an IT security solution. IDPrime MD is available with two interface options:

• The IDPrime MD 3810 is a dual-interface smart card, allowing communication either via a contact interface or via a contactless ISO14443 interface, also compatible with the NFC standard already widely used by smartphones and tablets.

• The IDPrime MD 830 is a contact interface smart card, which will be FIPS 140-2 Level 2 certified (on-going).

4.1.1.3.2 Additional features

• No compromise on security: As reflected by the FIPS 140-2 Level 2 certification (on-going) for IDPrime MD 830 of both the operating system and the PKI applet, the IDPrime MD smart cards implement the most advanced security countermeasures for enforcing protection of all sensitive data and functions in the card.

• Fingerprint storage and fingerprint verification performed on-card (up to 10 fingerprint templates) / compatible with standard fingerprint sensors representing 90% of the market

• OTP option: IDPrime MD cards are multi-application smart cards, and can have onboard the optional OATH OTP applet, offering a very flexible authentication service, combining both PKI and OTP.

• MPCOS option: IDPrime MD cards are multi-application smart cards, and can have onboard the optional MPCOS applet, which offers both e-purse and data management services.

• Cryptographic algorithms: Symmetric (3DES, AES up to 256 bits), Hash (up to SHA-512), PKI (RSA up to 2048, ECC up to 521 bits, on-board key generation)

• PIN: on-board PIN policy, multi-PIN support

• Communication: MIFARE Classic Emulation, NFC

4.1.1.4 IDPrime PIV

The IDPrime PIV smart card is for government employees, contractors, first responders, enterprises and other organizations requiring compliance with the United States Government specification Federal Information Processing Standard (FIPS) 201, Personal Identification Verification. The IDPrime PIV Card v2.0 is the latest in the Gemalto product line to support this standard. IDPrime PIV consists of the PIV card application (applet) and Gemalto’s IDCore family of Java cards. The Protiva PIV applet implements the card-edge APIs and data constructs specified by the FIPS 201 standard. The IDCore card platform provides the underlying card operating environment, security architecture, and cryptographic capabilities. The resulting line of secure and powerful IDPrime PIV cards provides the advanced features needed for employees to authenticate into physical and logical security systems that are interoperable with the FIPS 201 standard.


4.1.1.4.1 Additional features

• No compromise on security: The TOP Java Cards have multiple hardware and software countermeasures against various attacks

• All optional and mandatory PIV data objects

• Flexible data model to create PIV data containers with their own access control rules

• Cryptographic algorithms: Symmetric (3DES, AES up to 256 bits), Hash (up to SHA-512), PKI (RSA up to 2048 bits, ECC up to 521 bits, on-board key generation)

• PIN: On-Board PIN Policy, Customizable PIN and Admin Key value, length, diversification and retry counter

• Communication: MIFARE Classic Emulation, Contactless interfaces: ISO 14443 type A or type B, T=CL up to 848 Kbps

• OTP

4.1.1.5 Integration of IDPrime onto contactless card body for access control

4.1.1.5.1 Hybrid card body applications

Hybrid card bodies are contactless options compatible with any Gemalto smart card (Protiva IDPrime .NET, Protiva IDPrime MD, IAS, PIV). They are ideal for building an application around a contact/contactless badge: the same smart card embeds both a PKI contact application, ensuring logical access control, and a contactless application, ensuring physical access control. Hybrid card body options include MIFARE, MIFARE DESFire and HID card bodies; other types of card body can also be envisaged (MOQ: 1000).

4.1.1.5.2 Hybrid card body benefits

The hybrid card body option is the straightforward way to combine logical access control and physical access control. Future evolutions are also significantly easier, since one component can be changed without changing the other.

Figure 19 Converged badge – hybrid card body

4.1.2 Readers

IDBridge products are backed by more than 30 years of security and cryptography research and development, and are reliable, versatile and compliant with the relevant standards and certifications for each industry. As the number one supplier of smart card readers in the world, Gemalto's global manufacturing footprint supports any volume of product or global distribution. The IDBridge portfolio includes readers for desktops, secure entry and remote access, which ensures maximum flexibility for any use case or business environment.

• IDBridge Connected Readers: connected to a PC, laptop or thin client, these readers ensure communication between the smart card and network services. The portfolio includes readers for desktops and laptops, and PIN pads for secure PIN entry.

• Contactless: these readers are optimal for speed and convenience when authenticating for physical or logical access. By simply waving or tapping a smart card at the reader, users are quickly authenticated and allowed access.

• Dual Interface: these multi-purpose readers make it convenient to securely access a variety of applications using both contactless and contact technologies with one single device. They are ideally suited to sectors that require both technologies, such as health care, identity and access control. The IDBridge CL3000 is fully plug-and-play on Windows® OS in both contactless and contact modes, a feature unique to the Gemalto solution.

4.1.3 Administration tools

4.1.3.1 Card management system – Card issuance system

Gemalto has a technology partnership with Versatile Security to provide a card management offer (IDAdmin 200) that is fully integrated with ExecProtect and based on Versatile vSEC:CMS®. With IDAdmin 200, organizations can easily deploy secure tokens and corporate badges. It offers the following functionalities:

• Card issuance:
  o Biographical information: photo, name, surname, etc.
  o Certificate enrolment
  o Personalization (graphical and electrical)

• Card life cycle management:
  o PIN management
  o Certificate management
  o Card state management

The new S-Edition of vSEC:CMS is easier than ever to use and to maintain. Its main features are:

• Intuitive user interface to improve operational efficiency

• No hidden costs and low total cost of ownership

• The security level is always high; there are no lower-security alternatives

• Large scale capabilities, available from day one

The vSEC:CMS T-Series is available in two editions: the token edition and the service edition (S-Edition). The token edition delivers vSEC:CMS on Gemalto's IDBridge K3000; the application, configuration settings and credentials are stored securely on the token, which removes the need to invest in expensive server hardware. The S-Edition is a client-server version used in a terminal services environment; it is best suited to larger deployments across several physical locations, where several operators interact with the smart card management system in parallel. The vSEC:CMS T-Series is fully functional with minidriver-enabled smart cards, and streamlines all aspects of a CMS by connecting to enterprise directories, certificate authorities, physical access systems and smart card printers. It supports IDPrime .NET, IDPrime PIV and IDPrime MD cards.

4.1.3.1.1.1 Key Features


Figure 20 vSEC:CMS T-Series Interfaces

The vSEC:CMS has several optional connectors for different purposes. For example, it can link smart cards to users in a user directory (Microsoft Active Directory or LDAP) and fetch the photo and biographical data (name, surname, etc.) used to personalize the badge, and it can use a Certificate Authority to issue certificates directly onto the smart cards.

Note: future versions of vSEC:CMS will integrate portrait capture and enhancement.

Management of a smart card throughout its lifecycle is broken into different processes in the vSEC:CMS T-Series application. The card carries a status that reflects where it is in that lifecycle. Some of the statuses are highlighted below:

Figure 21 vSEC:CMS T-Series State diagram

• Register smart card/ unregister smart card: In order to register a smart card, simply attach a new, unregistered smart card to the system and click the Register/unregister button. Select the Perform batch process option if more than one smart card is to be registered at a time, which allows for a streamlined registration flow.

• PIN policy: a PIN policy can be set on a registered user smart card with the vSEC:CMS T-Series application.

• Certificates/keys: A registered user smart card can have a digital certificate viewed, removed, deleted, imported or set as the default certificate on the smart card. It is also possible to issue certificates to the user smart card if connected to a CA.


• Update smart card: a registered user smart card can have its administration key updated with the vSEC:CMS T-Series application.

4.1.3.1.1.2 Physical and logical access convergence

Within vSEC:CMS it is also possible to configure several connectors for PAMS (Physical Access Management Systems) to exchange information and data, either through the existing EdgeConnector support or via a plugin interface.

4.1.3.1.1.3 Administration interface

vSEC:CMS T-Series S-Edition gives IT administrators the flexibility to deploy applications centrally to users, regardless of their location. Main features and benefits are listed below:

• Simplifies remote access

• Improves performance and accelerates application deployment

• Reduces costs

• Bolsters security

• Streamlines administration

4.1.3.2 Corporate Emergency Password Manager

Gemalto's Help Desk Emergency Password (HDEP) solution is used when a user has lost, forgotten or damaged his or her smart card. The user's domain password is replaced with a diversified password that the user does not know and that the helpdesk can compute in an emergency. So that the user can later log on to the PC, with or without a connection to the customer domain network, a logon script updates the Emergency Password in Active Directory (AD) and publishes it in the local Windows credential cache.

Each time the helpdesk gives the Emergency Password to the user, a value in AD is changed so that the password differs every time. This value can be based on a timestamp, which gives the password a validity period; the application lets the helpdesk representative set how many days the password remains valid. The password is therefore valid until the next logon connected to the customer domain or until it expires. The only piece of information present on the user's computer is the local credential cache: during logon, the timestamp-based counter in AD is checked and the cached password is updated if necessary. In Active Directory the password is set to "never expires" and the user cannot change it.

4.1.3.2.1 Initial Emergency Password setting

At the end of the card personalization process, the card management system requests the CEPM Web Service to compute an Emergency Password and then sets the user's password accordingly in AD. The password attributes are set to "never expires" and "cannot be changed".

4.1.3.2.2 Emergency Password computer caching

This step is done by a logon script pushed through the domain users' group policy. Depending on the timestamp attribute, the Emergency Password is cached in the local credential cache.


4.1.3.2.3 Corporate Emergency Password retrieval

When a user has lost, forgotten or damaged his or her smart card, he or she calls the helpdesk. The helpdesk agent checks the user's identity (using the secret questions provided by the end user) and then computes the Emergency Password to give to the user. This can be done either connected to the network or out of the office. The helpdesk agent decides whether the Emergency Password is valid until the next successful logon or for a set number of days (1, 3, 5 or 10 days). The agent can also force a reset of the password at the next logon in case of a synchronization issue; this option resets both the password timestamp and the password value, and the next time the user logs on to the network the new password is cached in the local credential cache.

4.1.3.2.4 Emergency Password computation

To produce a unique one-time Emergency Password that the helpdesk can recover, the password is generated by a symmetric mechanism from a piece of information known only to the helpdesk, a timestamp and a unique user identifier. To make it easier to read out, the password is split into three blocks of four hexadecimal characters (the example contains letters, so these are not decimal digits). A generated password looks as follows: E920-1BB0-B18A
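The following Python is an added illustration of the derivation and lifecycle described in this section; it is not Gemalto's CEPM implementation, and the page does not specify the symmetric mechanism, so HMAC-SHA256 stands in for it. The helpdesk secret, the user identifier and the validity values are constructed for the example, and the AD-side data (user, issue timestamp, validity) is modelled as a small record. Two properties worth checking are that a re-issue yields a different password, because the timestamp input changed, and that a password stops verifying once its period has elapsed or, in "until next logon" mode, once a domain logon has happened. Note what the scheme rests on: the helpdesk-side secret (to be kept in the CEPM service or an HSM, never on the client, which only ever holds the credential cache) and the quality of the identity check the helpdesk performs before reading the password out.

```python
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86400  # seconds

# Constructed helpdesk-side secret for the example. In a deployment this lives
# with the CEPM web service (or an HSM), never on the user's PC.
HELPDESK_SECRET = b"example-helpdesk-secret-do-not-use"


def compute_emergency_password(secret: bytes, user_id: str,
                               issued_at: int, valid_days: int) -> str:
    """Derive a password in the page's XXXX-XXXX-XXXX hexadecimal layout.

    HMAC-SHA256 is an assumption standing in for the unspecified symmetric
    mechanism. The issue timestamp (epoch seconds) and validity are mixed in,
    so every helpdesk issuance yields a different value for the same user.
    """
    msg = f"{user_id}|{issued_at}|{valid_days}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest().upper()
    return "-".join(digest[i:i + 4] for i in range(0, 12, 4))


@dataclass
class EmergencyPasswordState:
    """The diversifying data the page keeps in AD for a user. The password
    value itself is never stored; it is recomputed from these fields."""
    user_id: str
    issued_at: int      # epoch seconds of the helpdesk issuance (the timestamp)
    valid_days: int     # 0 means "valid until the next successful domain logon"
    logged_on: bool = False


def issue(user_id: str, now: int, valid_days: int) -> EmergencyPasswordState:
    """Helpdesk action: (re)issue by resetting the timestamp. Any earlier
    password for the user stops verifying because its inputs changed."""
    return EmergencyPasswordState(user_id, now, valid_days)


def current_password(state: EmergencyPasswordState) -> str:
    return compute_emergency_password(HELPDESK_SECRET, state.user_id,
                                      state.issued_at, state.valid_days)


def verify(state: EmergencyPasswordState, candidate: str, now: int) -> bool:
    """Check a candidate against the AD-side state and the validity rule."""
    if state.valid_days == 0:
        if state.logged_on:            # retired by the next domain logon
            return False
    elif now >= state.issued_at + state.valid_days * DAY:
        return False                   # fixed validity period elapsed
    return hmac.compare_digest(current_password(state), candidate)


def domain_logon(state: EmergencyPasswordState, candidate: str, now: int) -> bool:
    """A successful logon against the domain. In "until next logon" mode this is
    the event that retires the password; the logon script then refreshes the
    local credential cache, as the page describes."""
    if not verify(state, candidate, now):
        return False
    state.logged_on = True
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000
    state = issue("jdoe", t0, valid_days=3)
    print("issued:", current_password(state))
    print("valid next day:", verify(state, current_password(state), t0 + DAY))
    print("valid after 3 days:", verify(state, current_password(state), t0 + 3 * DAY))
```

The "force reset at next logon" option in the section above corresponds to calling issue() again: the new timestamp changes the derivation inputs, so the previously read-out password is dead even though no password value was ever stored on the server.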

4.1.4 Authentication solution

4.1.4.1 IDConfirm 1000 authentication server

Figure 22 IDConfirm 1000 interfaces

IDConfirm provides a two-factor authentication process; it consists of the following:

• A Web application that manages the authentication requests and responses, either from direct Web server access or from a RADIUS agent, and provides the graphic user interface (GUI) to manage devices, policies, roles, users, keys, etc.

• A core authentication engine that interacts with the data server, the keystore (either a hardware secure module, or HSM, or a software secure module, or SSM), and the cryptogram-computing modules for OTP authentication.

IDConfirm uses a data server to access and update information relevant to the authentication process. The IDConfirm server can communicate with two types of data server: a database server, or an LDAP directory server such as Microsoft Active Directory. Depending on your needs, IDConfirm can be configured in either:

• Database server only ("DB Only" mode)

• A combination of database server and LDAP directory server ("Mixed" mode)

In mixed mode, IDConfirm is able to access existing user information needed for authentication, such as login ID or password, in a read-only mode from a directory on the LDAP directory server. IDConfirm maintains all additional information needed in a database on the data server such as login name or phone number. IDConfirm supports SMS OTP. A third party SMS Provider must expose a gateway to request SMS.

4.1.4.1.1 Gemalto Strong Authentication

Gemalto Protiva IDConfirm solutions include a full portfolio of products to meet the need for secure access to business resources. It is a modular system that allows businesses to choose the security level they need, from a full end-to-end system to .NET-based smart cards that leverage the card management capabilities in Microsoft Server and Windows OS.

Protiva IDConfirm relies on OATH (Initiative for Open Authentication), a collaboration between major actors of the security industry whose goal is to define open standards and a reference architecture, and to promote interoperability.

Using Protiva IDConfirm Solutions, Enterprises can deploy strong authentication for a low total cost of ownership. This is realized through packaged and plug and play solutions adaptable to existing networks and AAA servers.

Our wide range of hardware and software solutions embeds smart card technology and mobile phones, offering the highest level of security for two-factor authentication. You can choose a smart card, a token or a mobile phone, usable in a connected or an unconnected environment, according to your architectural constraints. Our software solutions are open, scalable and built to evolve.

4.1.4.1.2 Strong Authentication Server

Gemalto's Protiva IDConfirm server provides strong authentication for enterprises in an easy-to-deploy, easy-to-use authentication platform. IDConfirm server 5.x relies on a flexible architecture that scales from a handful of users to millions. The same flexibility is used to package solutions dedicated to different market segments such as e-banking and enterprises. The product was designed to integrate easily into customers' existing environments and so protect their investments. IDConfirm Solutions gather the components needed to build your strong authentication deployment.

IDConfirm Server


4.1.4.1.3 Key benefits

A wide range of authentication methods relying on open standards: you are not confined to a proprietary solution. Many third-party components are compatible with the Gemalto solution through support of the RADIUS protocol.

A wide range of devices with various optional features: Gemalto’s expansive portfolio will help you find a solution that fits your needs regarding form factors, the authentication schemas, the secure storage and access control if needed.

Very powerful Web API for easy integration: IDConfirm provides an extended Web API that enables control of most of the servers features (user provisioning, revocation, authentication, SMS request, etc.) from an external application.

A solution relying on a robust and scalable architecture: the validation server is designed to answer the needs of millions of users and devices for e-banking use cases, but it can also be installed on a cost-effective configuration to serve a dozen users.

Gemalto never keeps the customer keys: All devices produced by Gemalto are personalized with random keys that are not kept in Gemalto premises.

4.1.4.2 Emergency OTP - virtual tokens

Lost and forgotten device use cases illustrate the concept of a virtual token. If a user's device has been lost, stolen or forgotten, the user is assigned a temporary "virtual" token. The token is virtual because it exists only on the IDConfirm server; no physical device is given to the user. The only way the user can obtain OTPs for this virtual device is to call the help desk or to use a Web self-service portal, and the user must know his or her password and the answers to all security questions to obtain a list of virtual OTPs. To protect the system, some limitations are placed on this authentication method:

• A limited number of OTPs can be given to the user per request (X). Using an OTP in the list deactivates the earlier ones.

• A limited life period is allowed for the virtual device (Y). The virtual token's expiration date is calculated by adding Y to the activation date. Both values are defined in the virtual token's associated policy. A virtual policy must have its device mode set to virtual in the customer care portal.

Administrators can also define the mechanism for delivering virtual OTPs. There are three options:

• Display (default)

• Email

• SMS (like SMS OTP)


Figure 23. Operator generated virtual tokens for user
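The following Python is an added model of the two virtual-token limits listed above; it is not IDConfirm code. X = 3 OTPs per request and Y = 2 days are assumed policy values, and the OTPs are eight random decimal digits drawn from the standard library's secrets module, which is also an assumption about format. It makes the rules concrete: an OTP is accepted only if it sits at or after the next unused position in the list, so using one retires everything before it, and nothing is accepted once the activation date plus Y has passed. The list is held only on the server, matching the description that no physical device is handed out, and comparisons are constant-time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 86400  # seconds


@dataclass
class VirtualTokenPolicy:
    """The policy values the page calls X and Y (illustrative defaults)."""
    otps_per_request: int = 3   # X: OTPs handed out per help desk / self-service request
    life_days: int = 2          # Y: lifetime of the virtual device after activation


@dataclass
class VirtualToken:
    """Server-only state: the OTP list and how far into it the user has got."""
    user: str
    activated_at: int                   # epoch seconds
    policy: VirtualTokenPolicy
    otps: List[str] = field(default_factory=list)
    next_index: int = 0                 # first list position still usable

    @property
    def expires_at(self) -> int:
        return self.activated_at + self.policy.life_days * DAY


def issue_virtual_token(user: str, now: int, policy: VirtualTokenPolicy,
                        otps: Optional[List[str]] = None) -> VirtualToken:
    """Operator or self-service action. `otps` may be preset (used in tests);
    otherwise X fresh 8-digit values are drawn from a CSPRNG (assumed format)."""
    if otps is None:
        otps = [f"{secrets.randbelow(10 ** 8):08d}"
                for _ in range(policy.otps_per_request)]
    return VirtualToken(user, now, policy, list(otps))


def validate_virtual_otp(token: VirtualToken, otp: str, now: int) -> bool:
    """Accept `otp` only if the token is unexpired and the value sits at or
    after the next unused position. Accepting position i retires every
    position up to and including i, as the page's first limit requires."""
    if now >= token.expires_at:
        return False
    for i in range(token.next_index, len(token.otps)):
        if hmac.compare_digest(token.otps[i], otp):
            token.next_index = i + 1
            return True
    return False


def remaining_otps(token: VirtualToken) -> int:
    return len(token.otps) - token.next_index


if __name__ == "__main__":
    policy = VirtualTokenPolicy()
    token = issue_virtual_token("jdoe", 0, policy)
    print("issued OTPs (would be displayed, mailed or sent by SMS):", token.otps)
    print("second OTP accepted:", validate_virtual_otp(token, token.otps[1], DAY))
    print("first OTP now refused:", not validate_virtual_otp(token, token.otps[0], DAY))
    print("remaining:", remaining_otps(token))
```

Because an accepted OTP retires all earlier ones, a list that leaks after the user has moved past it is worthless to an attacker; the remaining exposure is the unused tail, which is why X and Y are both kept small in the policy.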

4.1.4.3 IDProve

4.1.4.3.1 IDProve 100

Gemalto offers IDProve 100 unconnected OTP devices, which provide a simple solution for secure remote access with strong authentication.

The standard secure exchange of provisioning files uses two different email recipients: the first receives the files encrypted in a zip archive, and the second receives the password for the zip file. The split only protects the seeds if the two recipients are genuinely separate people and mailboxes.

4.1.4.3.2 IDProve 200

Mobile OTP uses an application downloaded to the handset that lets users securely generate an OTP using their mobile phone as a token. This takes advantage of the fact that people are rarely without their mobile phone for long. With the increasing functionality of smart phones, using the handset as a productivity tool has become common practice. With the Mobile OTP application, users can always generate an OTP, even with limited or no network connectivity.

4.1.4.3.3 Features

The Mobile OTP application combines the security and convenience of an OTP generated on a mobile device. Gemalto Mobile OTP supports a wide range of handset operating systems, including iPhone, BlackBerry, Android, Windows Mobile and other Java phones.


The Mobile OTP computation is time-based, which means that the mobile phone's time is one of the parameters of the OTP computation. This applies both to the token, which generates the OTP, and to the server, which performs the same computation to validate the OTP received from the user. The time-based OTP embeds the time step, while the validity window is a server parameter. Before using Mobile OTP, users must register the application. Two steps are then necessary to generate an OTP:

• Run the token application

• Enter the PIN code

The generated OTP can be used along with the user’s login name

Some details on PIN Code management:

• The PIN is not stored on the mobile, nor transmitted, nor stored on the server (patented solution)

• The PIN code is selected by the user (no need for a temporary PIN to be sent to the user) and can be replaced at any time (off-line)
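An added example, not Gemalto's Mobile OTP code: the standard OATH time-based computation (RFC 6238 TOTP built on RFC 4226 HOTP) on both sides, together with the server-side validity handling the paragraph above alludes to. The 30-second step, 6 digits and a one-step acceptance window are assumptions that stand in for the server parameters; the seed is the RFC test key. Gemalto's patented handling of the PIN is not reproduced. The point shown is that the phone and the server compute the same function of the shared seed and the time step, that the server tolerates bounded phone clock drift, and that it must refuse a time step it has already accepted so an OTP observed in transit cannot be replayed inside the window.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time-step length (assumption; a server-side parameter)
DIGITS = 6          # OTP length (assumption)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    return unix_time // step


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Token side (the phone): HOTP over the current time step, which is why
    the phone's clock is an input to the computation."""
    return hotp(key, time_step(unix_time, step))


class TotpValidator:
    """Server side. Recomputes the OTP for the current step and `window`
    neighbouring steps (bounded clock drift), and refuses any step at or
    before the last accepted one so an observed OTP cannot be replayed."""

    def __init__(self, key: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.key = key
        self.window = window
        self.step = step
        self.last_accepted_step = -1

    def validate(self, otp: str, server_time: int) -> bool:
        current = time_step(server_time, self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue                      # already used or older: replay
            if hmac.compare_digest(hotp(self.key, candidate), otp):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test key
    now = int(time.time())
    code = totp(seed, now)
    server = TotpValidator(seed)
    print("OTP:", code, "first use:", server.validate(code, now),
          "replay:", server.validate(code, now))
```

The acceptance window is the server-side "validity period" the text mentions: a wider window absorbs more phone clock drift but also lengthens the time an intercepted OTP stays usable, which is exactly why the validator also tracks the last accepted step.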

4.1.4.3.4 SMS OTP

SMS OTPs are computed like token OTPs, but the device is a virtual token managed by the IDConfirm server. When logging on to a company Web portal or an SSL VPN client:

1. The user enters his or her user ID and password, and makes sure the mobile phone is switched on.

2. The user submits the form. If the password is correct, he or she receives the OTP as an SMS message.

3. The user enters this OTP value in the new input field to authenticate to the application.

4.1.4.4 ID Bridge K3000

This unique zero-footprint PKI USB device was designed and built following feedback from customers who deploy PKI solutions in enterprise and banking environments. ID Bridge K3000 is an all-in-one device that provides the following functionalities:

• Signature and encryption (using the embedded smart card)

• Secure OTP generation: using the OTP application embedded in the smart card

• Secure browser: zero-footprint execution; no data is stored outside the memory of the K3000

• Data repository: the public partition can be used to store and exchange information like any USB storage device

• Embedded applications: the "read-only" partition may contain several applications that are executed in a sandbox environment

• Secure storage: using the encrypted private partition, or with data stored encrypted in the public partition (for example with BitLocker)

4.1.4.4.1 A Zero footprint PKI device

The K3000 is a strong two-factor authentication device, designed to provide digital signature capabilities in a secure framework. It is made up of several components:

• Hardware: a USB device which embeds a smart card (IDPrime MD, IDPrime .NET or IDClassic), a µSD card, and a button on the side. The button has two functions: it slides the USB connector out of the device, and it is also an action button that the end user must physically press to confirm an operation.

• Smart card: several smart cards can be embedded in the K3000 device (IDPrime MD, IDPrime .NET, IDClassic). They store and manage certificates as well as other applications.

• µSD card: it can be configured to hold several partitions of different sizes (public, private or read-only). The read-only partition contains the embedded applications. All data on the µSD card is encrypted, and access to it goes through a dedicated microcontroller that enforces the security policies, so the card's content cannot be altered from the host. The µSD card data is also remotely updatable when used in conjunction with the Gemalto Token Management System. The part of the memory containing the applications is presented to the user's computer as read-only memory (a CD-ROM), so it cannot be tampered with by malware in the way a browser stored on a read/write device such as the PC hard disk or a read/write USB stick can.

4.1.4.4.2 Future proof

ID Bridge K3000 can be managed remotely, using the Gemalto Token Management System enabling updating of certificates and applications.

For example, by simply adding a new URL to the ID Bridge K3000 secure browser, new services such as eSigning can be deployed. Since no new hardware needs to be issued, this is a cost-efficient way to future-proof your online channels.

4.1.4.4.3 Customizable


ID Bridge K3000 is available in 11 different colors, all in high-quality colored aluminium that highlights the unique design of this revolutionary product.

4.1.4.4.4 Operation and applications

The sliding button:

a) extends and retracts the USB plug on the device;

b) acts as an "action" button. When a transaction signature is requested by the signing application, the LED on the device blinks orange and the user is prompted to acknowledge the action by physically pressing the button. This is an important feature of the device: a signature cannot be produced by software on the PC alone, which counters the PC-side replay attacks that are becoming more prevalent in the industry.

4.2 Professional Services offer

In addition to products and solutions, Gemalto provides Professional Services to help customers, and to consult with partners, in deploying solutions to end users. The offer ranges from consulting to delivery of a turn-key solution. Gemalto Professional Services is a skilled team specializing in strong authentication deployment projects involving PKI credentials or OTP, together with associated components such as card management systems, service bureau and PKI, and application software such as signature or encryption solutions. Gemalto Professional Services can provide end-to-end solutions comprising best-in-class technologies for PKI, smart cards and certificate lifecycle management. Where customer-specific developments are needed, such as multi-workstation logon or other bespoke solutions, Gemalto Professional Services can either work with partners or launch specific developments to fit customer requirements closely.

4.2.1 Integration services

4.2.2 Professional Services overall project approach

The overall delivery project is managed through the standard Gemalto Delivery Project methodology that involves a dedicated project team and a proven project management approach. The following schema gives an overview of the main steps and milestones of project methodology. This project workflow is adapted according to the different project specificities in order to provide our customers with the best project management and guarantee the best solution delivery.


• Design, specifications: architecture audit, design of detailed functional specifications, architectural design and planning review. During this phase the solution is comprehensively defined, with input from the following phases to ensure a smooth transition between them. Several meetings and workshops (phone calls, video conferences, face-to-face meetings) are organized by Gemalto. At the end of this phase the solution requirements specification and the solution design are approved by the customer.

• Internal integration, development: Gemalto manages the development and customization according to the customer-approved specifications. Each component or module is separately integrated and validated in the Gemalto test environment. At the end of this phase all developments and unit tests are completed; test plans are delivered by Gemalto and approved by the customer.

• Internal acceptance: this phase ensures that the delivered project complies with the requirements. Tests are performed according to the test plan in the Gemalto test environment.

• Site installation: the solution is installed on the customer test environment and connected to the different interfaces. The global integration and connection tests are managed or supervised by Gemalto.

• Site acceptance: this phase is managed jointly by Gemalto and the customer on the customer's premises. The tests are executed comprehensively according to the test plan. At the end of this phase the customer grants conditional acceptance, provided that all critical or major errors are cleared.

• Trial phase: the customer operates the solution with a limited number of users on the test or pre-production environment. The goal of this phase is usage and operation under realistic conditions. At the end of this phase the customer signs the final acceptance, provided that all critical, major or minor errors are cleared. This period is also used by Gemalto to hand over to the Gemalto support team.

• Production: after the final acceptance, the system is ready for production. This phase covers deployment of the complete solution in the real customer environment; the Gemalto support team is now the main interface with the customer.

• Project management: the project manager is responsible for delivering the project according to the specifications and the plan. He or she acts as the interface between the customer and the project team, is in charge of project quality assurance, organizes the progress meetings and reports all information to the customer team.


4.2.3 Project Management Consulting

The Customer/Integrator is responsible for integrating the Gemalto components within the full solution. Gemalto scope of work is to provide consulting to help the integration and the configuration of Gemalto components. The package covers:

Requirement specification: Gemalto and its partner/integrator capture the customer requirements and define the solution architecture. The resulting document is a top-level view of the whole solution, including architectural and functional descriptions, and also covers the security requirements and the proposed security architecture and solution.

Acceptance test plan: Gemalto and its partner/integrator define an acceptance test plan that lists the items to test and validate.

Integration and configuration: Gemalto and its partner/integrator assist with the integration and configuration of the proposed system in the customer's production environment.

Full site acceptance test (SAT): Gemalto provides assistance for the validation based on acceptance test plan scenario validated and approved with the customer.

4.2.4 Procurement

Gemalto offers the unique ability to deliver cards, PIN mailers, readers/tokens, fulfillment, server platforms, secure data centers for hosted services and support services under one roof. As with every customer, we expect your project to be ambitious in terms of timing and delivery to the end user; our proven flexibility in resourcing large-scale projects with many deliverables, combined with the knowledge gained from similar projects, gives you the assurance that we have the capabilities to deliver.


5 Reference customers

With more than 30 years of experience in the security industry, Gemalto has significant global customer references. Top brands including Pfizer, Boeing, Microsoft, Barclays, ABN-Amro, Shell, Nissan, Caja Madrid, BNP Paribas and many more trust Gemalto for their identity and access needs.

5.1 Main references of PKI Solutions

Raiffeisen Bank (Bulgaria) faced legacy issues: more than 150 applications, each with a password for employees to remember. Gemalto and its partner deployed a two-factor authentication solution with RFID PKI smart cards that combine logical and physical access. Over 3,500 smart cards have been deployed and are managed by the Gemalto ExecProtect solution, which includes the CMS.

Through a partner in UK, Gemalto was consulted to provide a strong authentication solution to BSkyB as a replacement of RSA tokens that were being used by up to 4000 workers, primarily because of the cost of renewal of tokens and software licenses. Requirements included PKI-based converged cards that had to work with existing access control & cashless vending systems and also be used for desktop logon, door access, photo ID and other applications. Gemalto and our partner have delivered around 20,000 IDPrime .NET converged cards.

Gemalto IdA Integration and Delivery team is carrying out the full BASF corporate badge CMS integration project. The corporate badge based on Gemalto Access TPC smart cards was deployed in 2006 only for physical access. In 2008, Gemalto provided professional services to enable logical access; card management relies on Intercede MyID CMS.

UK National Health Service (United Kingdom): in the biggest IT project in the UK, Gemalto provides medical staff with secure access to patients' personal data through PKI authentication (more than 1 million users). Gemalto provided the PKI authentication server, smart cards (500,000 units), readers, card management system and maintenance. This complex environment includes Intercede MyID CMS deployed in a multi-server, multi-tier architecture with 2,000 issuance stations.


Beckman Coulter (US) manufactures innovative products that simplify and automate complex biomedical testing. They were looking for a more convenient and cost-effective way to combine physical and logical access at the company's Brea, CA headquarters and satellite offices. Several options were evaluated, and Gemalto was selected to provide an all-in-one identity solution based on Gemalto IDPrime .NET. This solution lets Beckman combine all the necessary security functions in one convenient form factor that meets both physical and logical access needs.

AXA Technology Services–Strong authentication based on PKI smart cards has been deployed to a broad community of traveling and remote-working employees who need access to IT systems. The user experience has also been extended by adding support for biometric authentication. The biometric authentication solution has been deployed to several thousand corporate employees for network logon, digital signature and secure remote access.

Pharmaceutical giant Pfizer moved to strong authentication using PKI badges to enable digital signature as a replacement for overwhelming paper forms and to combine logical and physical access in one device (the smart card badge). In less than 18 months, Pfizer had rolled out a smart identity management solution to over 80,000 employees worldwide.

SEW-EURODRIVE is a world leader in drive technology and a pioneer in drive-based automation. Once the company had settled on Windows Vista as its new desktop OS, it decided to migrate to an employee badge based on smart card technology that interfaces with a VPN solution. The only smart cards supported “out of the box” by Windows Vista were Gemalto’s .NET cards. Project implementation was very fast (3 months) considering it was necessary to build a new PKI, ensure co-existence with the previous system for a period of time, and implement new functionalities that were not available with the previous system.

Gemalto and our distributor in Sweden have fully equipped SYSteam, a leading IT supplier in the Nordic region, with the Gemalto web-hosted service for issuing and administering strong authentication devices. Gemalto’s innovation enables SYSteam IT administrators to perform day-to-day management operations for .NET devices in a secure and convenient way.


Baker Tilly has more than 1,300 associates and is recognized as the 15th largest certified public accounting and consulting firm in the US. Remote access to information is a must-have, and high security is essential for protecting clients’ identities and financial assets. Strong security had to be balanced with convenience for employees. Gemalto’s .NET Dual USB tokens were implemented by a value-added reseller.

Valeo is one of the world’s leading automotive suppliers, employing 58,400 people in 27 countries worldwide. Gemalto deployed a strong authentication PKI solution that combines logical and physical access to secure a multi-platform corporate portal for employees working remotely or in the office.

SwedBank is a leading Nordic-Baltic banking group with 9.4 million retail customers and 540,000 corporate customers in Sweden and the Baltics. Gemalto deployed a turn-key corporate badge solution that enables secure logon, data protection (disk drive encryption), digital signature, email encryption, and remote and physical access.

Corporate-wide deployment of 80K+ users to secure Microsoft’s corporate network with strong authentication using smart cards with .NET technology. The deployment combines logical access with physical access.

Port Huron Hospital, established in Michigan in 1882, provides a full spectrum of healthcare services. Under HIPAA regulations, access to patient information must be secured and the logs for any transaction on a patient’s medical record must be retained. Gemalto deployed a solution to secure and speed up access to workstations and to the applications used to access patient medical records.

Jackson National Life Insurance is an $80 billion insurance company that wanted to transition from OTP to a more comprehensive PKI-based strong authentication. Gemalto deployed .NET smart cards with an OTP application and the ID Confirm 1000 server.

The Government of Alberta (Canada) outsources to more than 200 registry agencies that access certain government-owned systems in order to provide services to their customers. Gemalto has deployed a strong authentication solution including ID Prime .NET cards.

Stockholm Town has more than 49k employees and needed to increase security and implement an upgrade path for the integration of future digital services. Gemalto deployed a converged badge with ID Prime MD and Mifare emulation for logical and physical access control.


The Ministry of Labour and Social Affairs of the Czech Republic is a 20,000-employee organization whose civil servants are provided with a secure badge to enter their offices, rapidly access the ministry's network, and digitally sign and encrypt communications in compliance with legal security requirements. Gemalto has deployed a high-security smart badge combining physical and logical access, plus visual authentication (personalization), providing two-factor authentication to the Ministry network.

Universitat Politècnica de Catalunya (UPC) of Barcelona involves 7 universities spread out among 17 different establishments in Barcelona and 42 different departments, comprising a student population of 35,000. Access to university facilities has been unified and e-voting has been deployed to all university members (administration and students). The student smart badge has been sponsored by Banco
