Total security to protect the sensitive data of mobile executives and decision-makers in enterprises
Gemalto is at the heart of the evolving digital world. Every day, companies and governments around the world trust us to help them offer their users services in which ease of use goes hand in hand with security.
Today, with an increasingly mobile workforce, the risks associated with data exposed outside the protected perimeter of the office are growing.
With ExecProtect, executives are assured that their laptops and their data are secure, fully protected by the strongest encryption and access credentials available. Even if a laptop is stolen or lost, sensitive information remains inaccessible to anyone who cannot pass multi-factor authentication and authorization.
4. ExecProtect Armored Office: Solution Description v1.0
List of Figures
Figure 1: Authentication method use cases
Figure 2: ExecProtect Overview
Figure 3: ExecProtect Use Cases
Figure 4: Windows Credential Provider Logon
Figure 5: Windows logon using NFC
Figure 6: Multi-factor authentication to SharePoint architecture
Figure 7: Multi-factor authentication to Office 365
Figure 8: Logon with a smart card in NFC mode on Windows 8 tablet
Figure 9: PIV ID card
Figure 10: IDPrime .NET 7510 Display Card
Figure 11: Email encryption with Outlook and OWA
Figure 12: Gemalto IDBridge K3000 architecture
Figure 13: BitLocker drive encryption
Figure 14: Architecture of strong authentication on DirectAccess
Figure 15: Smart card authentication on DirectAccess
Figure 16: Gemalto secure browser on Win8 Pro tablet
Figure 17: CEPM and OTP scenarios of "failover" mode
Figure 18: Protiva IDPrime .NET smart card and badges
Figure 19: Converged badge: hybrid card body
Figure 20: vSEC:CMS T-Series interfaces
Figure 21: vSEC:CMS T-Series state diagram
Figure 22: IDConfirm 1000 interfaces
Figure 25: Operator generated virtual tokens for user
Glossary
2FA, 3FA: Two (Three) Factor Authentication
AD CS: Active Directory Certificate Services
AD DS: Active Directory Domain Services
CA: Certificate Authority
DA: DirectAccess
DRA: Data Recovery Agent (same as KRA)
CAPM: Corporate Administration Password Manager
CEPM: Corporate Emergency Password Manager
CMS: Card Management System
CPM: Corporate Password Manager
CRL: Certificate Revocation List
CSP: Cryptographic Service Provider
FFIEC: Federal Financial Institutions Examination Council
GPO: Group Policy Object
HSM: Hardware Security Module
IIS: Internet Information Services
KRA: Key Recovery Agent
MMC: Microsoft Management Console
NFC: Near Field Communication
NSC: Network Smart Card
OCSP: Online Certificate Status Protocol
OTP: One Time Password
OWA: Outlook Web Access
PKI: Public Key Infrastructure
PIV: Personal Identity Verification (card)
SC: Smart Card
S/MIME: Secure/Multipurpose Internet Mail Extensions
USB HID: USB Human Interface Device class
VPN: Virtual Private Network
1 Preface
As today's workforce becomes increasingly mobile, the risks associated with taking data outside the protected perimeter of the corporate office are growing. Privileged users such as corporate executives frequently handle numerous sensitive documents, and their laptops are easy targets for theft. If sensitive information such as business plans, intellectual property, client data or financial reports gets into the wrong hands, the financial and reputational damage, when reported, is often immeasurable.
There are many risks. Data can be leaked if a laptop or mobile device is lost or stolen. Login credentials can be compromised by tactics such as:
• Spear phishing: an attack mounted against a high-value target, perhaps over a period of several months, using customized phishing emails
• Password-stealing crimeware tailored to a specific target
• Social engineering.
An employee at an external director's firm could commit insider fraud there, without even touching your network.
In most cases the simple answer is that information systems are breached because someone's identity and access privileges are compromised; more likely, several people's. It might start with social engineering, spear phishing, trickery or the latest zero-day attack using ZeuS or SpyEye Trojans, but it always finishes the same way: the attackers "own" the system by setting themselves up as super admins, privileged users with full system administration rights. Once the attackers find a weak link, they advance steadily toward their goal by compromising a series of identity and access privileges.
CIOs and CISOs can close the security gap with an identity-centric approach that integrates strong authentication, using device-based PKI credentials and one-time password (OTP) authentication, with existing identity and access systems. Strong (multi-factor) authentication complements access security based on something you know (the username and password, or a PIN code) with something you have (a personal portable security device carrying a certificate), something you are (a biometric), or both.
With ExecProtect, privileged users can be assured their laptops and data are securely protected by the toughest encryption and access credentials. Even if their laptop is lost or stolen, the sensitive information will remain unavailable to all users who fail the multi-factor authentication and authorization.
ExecProtect is an end-to-end solution that provides organizations with a comprehensive and scalable offer for security, authentication and administration that aims to facilitate the migration to strong authentication, ensuring high security and convenience of use.
1.1 Who should read this book
This document provides a comprehensive description of Armored Office that provides executives and Privileged Access Users (PAU) with a solution that:
• Protects data on all endpoints
• Secures access from any device
• Enables secure and authenticated exchange of information
ExecProtect enforces a high level of security on the following functionalities: user authentication, remote access, pre-boot authentication, whole disk encryption, email privacy, and digital signature.
This document provides a detailed description of the ExecProtect offer to Gemalto's partners and distributors:
• The first part of this document provides the rationale for the ExecProtect offer: strong authentication, digital signature and encryption.
• The next part presents several use cases showing the benefits of the ExecProtect components.
• The last section outlines the technical description of ExecProtect by providing a brief overview of each component. An in-depth description can be found on the Gemalto web site and Partner portal.
This document can be used for promoting the ExecProtect solution to prospects or customers. Partners may also find useful information in it to respond to requests for quotes or calls for tenders, or to complement offer descriptions to their customers.
This document - as a whole - is not intended to be distributed or forwarded to Customers without the prior consent and approval of Gemalto.
Contact Us
If you need more information that is not found in this manual or if you have any questions, please contact your Gemalto support representative or send an email to commissioning.support@gemalto.com
1.2 Executive overview
1.2.1 Gemalto presentation
Resulting from the 2006 merger of Gemplus and Axalto, Gemalto is the world leader in smart card based solutions for Telecommunications, Banking, Identity and Network Security. Gemalto provides complete solutions for securing data and transactions, including highly secure portable computing devices in the form of smart cards and other form factors, as well as software and back-end components to enable a complete chain of trust for protecting data using encryption and digital signatures.
Gemalto's experience in the field:
Customers
• We produced and securely personalized more than 1.6 billion devices in 2012.
• Our e-passports are supplied to countries with some 200 million citizens including border control systems based on PKI solutions.
• More than 500 million people use our banking cards and 300 of the world’s top banks and governments of more than 30 nations trust us with secure personal data.
• We serve some 400 mobile operators worldwide that connect 2 billion subscribers using our solutions
Company
• 4500+ patents and 110 new inventions in 2012
• 35 years experience in designing and producing secure personal devices
• 2.2 billion Euros turnover in 2012
• 10 000+ employees of 106 nationalities based in 43 countries on every continent
• 177 million Euros invested in R&D in 2012
• 1 700 engineers in 13 R&D centers
• 32 personalization facilities worldwide; 21 production sites
• 400 million Euros sold in Value Added Services and Professional Services in 2012
We are the world leader in digital security
• You probably have at least one of our devices in your pocket
• Approximately a third of the world's population uses our products today
• World leader in SIM cards and over-the-air server platforms for mobile networks
• World leader in chip payment cards and a leader in contactless payment
• World’s first commercial deployment of SIM-based NFC mobile contactless solution
• World leader in chip-based corporate security solutions
• World leader in e-passports and a leader in e-ID & e-healthcare government projects
• World leader in smart card readers
• World leader in eBanking solutions
• World leader in Machine-to-Machine (M2M)
1.2.1.1 Gemalto’s qualifications and certifications
1.2.1.1.1 Quality and security
Gemalto places great importance on quality and security, in both our industrial sites and our personalization centers. Implementation and monitoring of the quality standards are guaranteed by the Quality and Security department, which reports directly to the Director of the card division. In March 2002, Gemalto obtained ISO 9001:2000 certification, both overall and for each of its production sites.
Furthermore, these production sites are certified by other professional bodies that mandate their own certification criteria, such as American Express, APACS, Banksys, Diners Club, MasterCard, Visa, GIE Cartes Bancaires and GIE Sesam Vitale.
Our products also hold several security accreditations. IDPrime MD has obtained FIPS 140-2 Level 3 validation, the security standard for cryptographic modules used in US federal computer systems, issued under the program run by the National Institute of Standards and Technology.
1.2.1.1.2 Our International coverage
Gemalto’s industrial tooling is characterized by:
• Our international coverage
• Our production capacity in unparalleled volumes
• Our expertise in mastery of the production processes
• The quality of its services on an international level
• Our environmental policy
With 21 production units, 32 personalization centers and 4 support teams distributed over the five continents, Gemalto offers a geographical coverage which allows us to remain close to all our customers—in particular global customers with subsidiaries around the world, such as BNP Paribas. Our expansive reach is key for our customers to be successful in their global projects and expansion.
1.2.2 Gemalto's experience in the field:
Gemalto reinvests a large part of its revenue in R&D to ensure constant innovation across its product and service businesses. The thin reader that can reliably read data off a computer screen simply by being placed in front of the monitor, and the eGo technology (www.ego-project.eu), which won a SESAMES Award, are direct results of this investment in R&D within Gemalto. In 2012, Gemalto filed more than 100 innovations (patents) in the digital security space. None of our competitors have been able to match this level of investment in innovation during the recent difficult economic period.
2 Introduction
2.1 Why multi-factor authentication?
Many organizations use an identification badge for employee physical access to buildings and secure areas and even for payment at the cafeteria or vending machines. Meanwhile, login/passwords are commonly used for logical access to PCs, applications and remote network connections. It’s a fact that passwords are not strong security. They’re usually weak, easy-to-remember words or phrases that can be easily hacked or guessed. In addition to being a weak security solution, username and password usage results in help desk costs of more than $150 per employee, per year. Other disadvantages include:
• Fragmented security systems
• Increased risk of network intrusion and data breaches
• Additional IT resources and excessive cost for password support
• Inability to comply with regulations and mandates that require strong authentication of business application users
• Economic globalization also increases employee travel, business related digital communication and online business, requiring a higher level of security for these interactions
Several high-profile breaches in 2012 caused financial and reputational damage:
• A massive data breach at Global Payments affected more than 1.5 million Visa and MasterCard credit and debit cardholders, costing $84M.
• Popular social media site LinkedIn was hacked and 6.46 million user passwords were stolen, costing $1M plus another $2-3M in security upgrades.
• Yahoo was breached, exposing 450,000 user logins and passwords.
These and many other headlines—affecting such well-known brands as Sony, Epsilon, and Citibank—have collectively served as an industry wake-up call regarding the changing security threat landscape. Increasingly, attacks are highly targeted to specific organizations, based on intelligence-gathering about systems, business processes and individuals, executed across multiple vectors in a manner which is designed to evade detection. In this context many enterprises across all industries are actively re-evaluating their critical security controls, including stronger user authentication.
Weaknesses of passwords
For years, a password that was at least eight characters long and included mixed-case letters, at least one number, and one non-alphanumeric symbol was considered relatively strong. Although not perfectly secure, these types of passwords were considered good enough for even relatively high-value transactions such as banking and e-commerce.
However, a number of factors, related to human behavior and changes in technology, have combined to render the "strong" password vulnerable.
First, humans struggle to remember more than seven numbers in their short-term memory. Over a longer time span, the average person can remember only five. Adding letters, cases, and odd symbols to the mix makes remembering multiple characters even more challenging.
As a result, people use a variety of tricks to help remember passwords. For example, users often create passwords that reference words and names from their language and experience. Users typically put the upper-case letter at the beginning of the password and the numbers at the end, repeating the numbers or putting them in ascending order. Although a keyboard has 32 different symbols, humans generally use only half a dozen of them in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker.
Non-random passwords allow attackers to build a "dictionary" of likely candidates and try those first. The bigger problem is password re-use. The average user has 26 password-protected accounts but only five different passwords across those accounts. Because of password re-use, a security breach on a less secure gaming or social networking site can expose the password that protects a bank account. This is exactly what happened in a series of breaches during the last few years, and there are now websites where tens of millions of actual passwords can be accessed.
There have also been advances in the hardware used to crack passwords. Dictionary and behavior-based attacks are elegant, but "brute force" attacks can also succeed. A brute-force attack simply tries each of the 6.1 quadrillion combinations for an eight-character password (94 printable keyboard characters, 94^8) until one works. A dedicated password-cracking machine built from readily available virtualization software and high-powered graphics processing units can crack any eight-character password in about 5.5 hours. The cost of such a machine was about $30,000 in 2012, but attackers do not even need such powerful machines: crowd-hacking lets them distribute the task over thousands of relatively slow machines, each attacking a different part of the keyspace, to crack a password much faster than any single machine.
Recommendations and laws
On June 28, 2011 the agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its earlier guidance on Authentication in an Internet Banking Environment, which was issued in October 2005. The self-stated purpose of the supplement is to "reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment."
In response to the US Presidential Directive HSPD 12, the Computer Security Division of the National Institute of Standards and Technology (NIST) initiated a new program to improve the identification and authentication of US Federal employees and contractors to access Federal facilities and information systems. As a result, NIST developed the standard "Personal Identity Verification (PIV) of Federal Employees and Contractors," published as Federal Information Processing Standards (FIPS) Publication 201. The US Secretary of Commerce approved this standard and it was issued on February 25, 2005. Recognizing this need, the US Federal Chief Information Officers Council (CIO) issued the Personal Identity Verification Interoperability for Non-Federal Issuers.
2.2 Multi-factor authentication solutions
Gemalto Solution
As a leader in smart card solutions and implementation for enterprises, Gemalto offers a comprehensive solution called ExecProtect that combines strong authentication for access, secure exchange of information and data loss protection with a physical access badge that is compliant with most standards.
ExecProtect offers a wide portfolio of multi-factor technologies so customers can find the right solution that best meets their needs based on security requirements, deployment environment, company size and exposure to sensitive information.
OTP authentication: OTP authentication (something you have) is combined with a traditional (static) login password to provide two-factor authentication. Gemalto's OTP implementation is based on the following principles:
• Time-based OTP token: The token contains an accurate clock that has been synchronized with the clock of the authentication server. Each OTP is computed from the current time together with a secret key shared with the server, so a captured value expires after a short time step. This provides additional security.
• Event-based OTP (or mathematical algorithm): This method is principally used by Gemalto OTP card applets. Each new OTP is derived from an incrementing counter value, a secret key (shared with the server) and the token ID, using the OATH (HOTP) algorithm.
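As an added illustration, not part of the Gemalto document or of its products, the following Python implements the two OATH algorithms named above: HOTP (RFC 4226) for event-based tokens and TOTP (RFC 6238) for time-based tokens, together with the server-side checks an OTP validation server needs. It shows the look-ahead window that resynchronizes an event counter that has drifted (the user pressed the button without logging on), the rejection of an already-consumed counter value as a replay, and the clock-skew window for time-based codes. The shared secret is the RFC test-vector key, used here as constructed demo data; the function names and window sizes are this example's own choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the OATH algorithms behind event- and time-based OTP tokens.

Added example, not Gemalto code. The secret below is the RFC 4226 / RFC 6238 test-vector key
(ASCII "12345678901234567890"), used as constructed demo data.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # constructed demo key taken from the RFC test vectors


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """Event-based OTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)            # keep leading zeros: "07081804" is a valid code


def totp(secret, timestamp=None, step=30, digits=6, digestmod=hashlib.sha1):
    """Time-based OTP: HOTP where the counter is the number of elapsed time steps since the Unix epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits, digestmod)


def verify_hotp(secret, submitted, server_counter, look_ahead=10, digits=6):
    """Server-side event-based check.

    Accepts a code for any counter in [server_counter, server_counter + look_ahead] so that a token
    whose button was pressed without a logon can resynchronize. Returns the new server counter
    (one past the matched value) so the same code is never accepted twice, or None on failure.
    """
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate + 1
    return None


def verify_totp(secret, submitted, timestamp, step=30, skew=1, digits=6):
    """Server-side time-based check: accept the current step and up to `skew` adjacent steps."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, timestamp + delta * step, step, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])          # 755224 287082 359152
    print("TOTP at t=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))               # 94287082
    print("resync from counter 0 with the code for counter 1:", verify_hotp(DEMO_SECRET, "287082", 0))  # 2
    print("replay of counter 0 once the server is at 1:", verify_hotp(DEMO_SECRET, "755224", 1))        # None
```

The server must persist the counter returned by `verify_hotp` before answering the client; otherwise a captured code stays valid until the next successful logon. For time-based codes the skew window is a trade-off between tolerating token clock drift and widening the replay window, so a server should also remember the last accepted time step per user.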
PKI token: A PKI token stores the user's private key (protected by the token hardware), the certificate issued by the PKI provider and other relevant information. The token performs the cryptographic computation itself and provides physical protection and algorithmic countermeasures resistant to known attacks (power analysis, side-channel and brute-force attacks), using algorithms such as RSA 2048, DSA or elliptic curves (ECC). Today's cryptographic tokens generate key pairs on board the device, so that no second copy of the private key ever exists. They are used for generating digital signatures and for decrypting encrypted information (encrypted files or partitions, encrypted emails, etc.). To further increase security, PKI authentication can be combined with data protection (encryption) and secure data exchange (secure email, secure file transfer).
Unlike PKI tokens, "PKI software" keys are stored on laptops, tablets or smartphones. Even when protected by a pass phrase or another software encryption mechanism, "PKI software" keys are targets for fraud and tampering and can be compromised by malware, phishing, viruses, etc. The Gemalto ExecProtect solution does not rely on "PKI software" keys and certificates. Instead, key pairs are generated and kept in a secure environment such as a PKI token, PKI smart card or HSM.
PKI smart cards: These physical authentication devices improve on the concept of a password by requiring users to actually have their smart card device with them to access the system, in addition to knowing the PIN, which provides access to the smart card. Smart cards have three key properties that help maintain their security:
Non-exportability: Information stored on the card, such as the user’s private keys, cannot be extracted from the device and used in another medium.
Isolated cryptography: Any cryptographic operations related to the card (such as secure encryption and decryption of data, another feature of smart cards) actually happen in a crypto processor on the card, so malicious software on the host computer cannot observe the transactions.
Anti-hammering: To prevent brute-force guessing of the PIN, a set number of consecutive unsuccessful PIN entry attempts causes the card to block itself until administrative action is taken.
Biometrics authentication: PKI token authentication can also be combined with biometric verification providing superior two-or three-factor authentication. Biometrics authentication includes fingerprints, iris scan, facial recognition etc.
The following table summarizes the use cases and functionalities of the authentication methods.
Columns: Authentication method | Authentication factor | Data protection / secure data exchange | Logical access (laptop / desktop; mobile / tablets) | Physical access
• Password or PIN: what I know (PIN)
• OTP token: what I have
• PKI credential: what I have; logical access on mobile / tablets (W8Pro); physical access (badge)
• Biometrics: what I am; logical access on mobile / tablets (W8Pro)
Figure 1: Authentication method use cases
3 Overview of ExecProtect
3.1 ExecProtect Offer
Secure Credentials & Interface devices
Cards & Tokens
• IDPrime .NET 51x, .NET Bio 550x
• IDPrime MD 3810, MD 810
• IDPrime PIV
• IDProve OTP (App, Display)
Readers
• IDBridge CT series
• IDBridge CL series
• IDBridge K series (K3000)
Middleware
• IDGo 500 (.NET) & 5500 (.NET Bio)
• IDGo 800 (MD & .NET)
Identity & Credential Management
Administration
• Card Management System (CMS): IDAdmin 200 (vSEC:CMS T-Series); integration with Microsoft FIM, Intercede MyID, OpenTrust, ...
• Corporate Password Manager: CEPM (Corporate Emergency Password Manager), CAPM (Corporate Administration Password Manager)
• Enrollment Manager (project mode)
Authentication
OTP Server
• IDConfirm 1000
PKI / CA
• Integration with Microsoft AD CS, Keynectis, ...
Secure Access
• Integration with UAG, IBM Security Access Manager (ISAM), eSSO (Evidian), etc.
Support Tools
• Training / Commissioning
• Technology Partnership
Legend: Provided by GTO (Gemalto) / Provided by Channel Partners / Integration / Support / New Feature
Figure 2: ExecProtect Overview
Gemalto ExecProtect is a comprehensive solution that enables multi-factor authentication deployment projects involving PKI tokens, readers and middleware, but also all associated sub-systems such as card management systems, corporate password manager, service bureau, PKI and OTP server.
ExecProtect relies on a strong ecosystem developed by Gemalto and its partners, backed up by the proven expertise of the Gemalto Professional Services team to provide integration and support.
In the past, smart badge deployment projects have often been regarded as complex and difficult to launch smoothly. Gemalto ExecProtect aims to provide an end-to-end solution that covers all the phases of the migration to multi-factor authentication and ensures seamless project execution. This encompasses the following phases:
• Enrollment
• Credential issuance or provisioning
• Development and integration
• Deployment and training
• Support and maintenance.
3.2 Functional Description / Use cases
Applications:
• Secure Identity Logon
• Secure Remote Access
• Data Protection: Whole Disk, File or Folder encryption
• Email Encryption / Digital signature
Scenarios:
• On-Line / Off-Line Modes
• Lost / Stolen / Forgotten Credential
Figure 3: ExecProtect Use Cases
3.2.1 Authentication
The Gemalto ExecProtect solution provides multi-factor authentication methods for logical access control based on Windows logon, application logon or Web application logon.
PKI credential-based authentication
o 2-factor authentication (2FA): PKI credential multi-factor authentication combining something you know (the PIN code) with something you have (the PKI token, smart card, etc.)
o 3-factor authentication (3FA): PKI credential multi-factor authentication combining something you know (the PIN code), something you have (the PKI token, smart card) and something you are (fingerprint, iris scan, facial recognition)
OTP authentication
OTPs are a form of multi-factor authentication which complements access security based on something you know (the password) with something you have (OTP token, OTP mobile application, OTP SMS message, etc.).
3.2.1.1 Windows logon using Gemalto IDPrime PKI credential with PIN or biometric fingerprint
In this use case, the user logs on to Windows by inserting the PKI credential and either entering a PIN (IDPrime .NET or MD) or scanning a finger (IDPrime .NET Bio cards). A specific security policy can also be enforced to require both PIN and fingerprint matching (3FA).
Figure 4: Windows Credential Provider Logon
On suitable NFC devices (laptops, tablets or external NFC readers), smart card logon can be performed by "tapping" the IDPrime MD on the NFC reader. The card is read extremely quickly and the user is then prompted to enter the PIN.
Figure 5: Windows logon using NFC
3.2.1.2 Authentication to SharePoint using IDPrime MD or IDPrime .NET with PIN and/or biometric fingerprint
Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks and internal resources via a Web portal or site.
In this use case, Microsoft Forefront UAG acts as an SSL gateway with strong authentication protecting access to Microsoft SharePoint. UAG enables SSO (single sign-on) to improve the user experience.
The user accesses SharePoint services with the PKI credential, entering a PIN code or using the biometric feature.
Figure 6: Multi-factor authentication to SharePoint architecture (components shown: Active Directory, user1, SharePoint, UAG)
3.2.1.3 Implementing strong authentication when accessing the Office 365 Web interface
In this use case, the user authenticates to the Office 365 portal using PKI credential authentication. This only requires a modification of the ADFS configuration in the Active Directory domain to change its behavior and prompt the user to present the smart card and PIN (and/or biometrics).
Figure 7: Multi-factor authentication to Office 365
All of the above authentication use cases can be experienced on a Windows 8 Pro tablet using PKI credential logon, such as a smart card in contact or NFC mode or a token connected over USB.
Figure 8: logon with a smart card in NFC mode on Windows 8 tablet
3.2.1.4 Converged badge for physical and logical access control
The Gemalto PKI badge combines logical authentication with physical access control compatible with legacy proximity readers such as HID Prox technology, MIFARE or DESFire.
The benefits of the converged badge are:
• Enhances protection for access to network connections, applications, data and communications
• Provides a platform to expand security policies with pre-boot authentication, digital signature, file encryption and other PKI services
• Reduces costs and resources needed for password support
• Improves productivity and convenience with secure access to corporate assets for employees and partners outside of the internal security perimeter
• Helps comply with regulations and standards mandating strong authentication.
As an example, IDPrime PIV smart cards feature a dual interface for use with contact and contactless smart card readers, a necessary component for PIV compatibility. They can be used with existing standalone and PC-based smart card readers. The tri-interface versions can also be used with the legacy proximity readers (based on HID Prox technology) that were frequently deployed within government agencies in the past.
Figure 9 : PIV ID card
3.2.1.5 Migration path from OTP Authentication to PKI token authentication
The IDPrime .NET 7510 Display Card combines, in a credit card format, an OTP token that provides a simple solution for secure remote access with strong authentication, and a PKI key and certificate embedded in a Gemalto .NET card module.
When the button is pressed, the card displays an OTP value, which the user then types on the PC keyboard. On the remote application side, the OTP is checked by the IDConfirm 1000 server. No other external connection, client software or specific PIN is required. The .NET card module offers smart card logon, data protection and signature.
Figure 10 IDPrime .NET 7510 Display Card
This form factor offers a perfect combination of OTP authentication (Windows Logon, authentication to servers etc.) with PKI encryption that can be used in data protection, email encryption, document signature etc., within one device. This solution can also be used by organizations that plan to replace OTP tokens with all-in-one devices or need a migration to PKI deployment.
3.2.2 Data protection
Email encryption is a recommended additional security for all communications between executives and board members. By using certificate-based credential security, executives can choose to encrypt their email containing sensitive information. A security breach of an executive’s laptop may occur at a border checkpoint when traveling internationally, if their laptop gets lost or stolen, or in case of Trojan or other attacks on networks or endpoints.
These scenarios represent a significant threat for companies and corporations, one that can be prevented using Protiva ExecProtect.
3.2.2.1 Email encryption
In Outlook, users go to the “Options” tab to reach the “Sign” and “Encrypt” options. In OWA, an S/MIME control plugin must be installed.
It is not possible to send an encrypted email to a user who does not have a certificate:
• Within the organization (same domain), the recipient is required to enroll a certificate in the Active Directory (AD) prior to exchanging encrypted emails.
• Outside the organization, recipient and sender must first exchange signed emails so that each registers the other's certificate, prior to exchanging encrypted information.
Figure 11: Email encryption with outlook and OWA
3.2.2.2 Disk or data encryption
An end-point encryption tool such as BitLocker prevents unauthorized data disclosure by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
There are two possible usages:
• When used for hard disk encryption, BitLocker requires pre-boot authentication. This can be configured to enforce the use of PKI credentials (with PIN and/or biometric authentication).
• When used for partition encryption, BitLocker can encrypt a USB drive (such as the K3000 public partition). It is recommended, however, that the recovery key is saved in a secured location (such as the K3000 private partition).
ID Bridge K3000 is thus an essential companion of the PKI credential (badge or smart card) for storing the backup recovery key in its encrypted partition (encrypted by hardware controller). The backup recovery key is a plain text key that is used to access the encrypted data in case the PKI credential is lost or stolen. It is highly sensitive information that must be protected from unauthorized access.
Figure 12 Gemalto IDBridge K3000 architecture
Figure 13: BitLocker drive encryption
The above listed data protection use cases can also be performed on a Win8 Pro device such as a tablet, with the PKI credential as a smart card in contact or NFC mode, or as a token with a USB connection.
3.2.3 Secure channel
3.2.3.1 Integration with Microsoft DirectAccess
In this use case, we configure DirectAccess to use smart card authentication for the user tunnel. DirectAccess will use two tunnels:
• The first tunnel (“infra tunnel”) is dedicated to authentication.
• The second tunnel (“user tunnel”) is dedicated to the application that will use the smart card authentication method.
Figure 14 Architecture of strong authentication on DirectAccess (diagram: Active Directory with user1 and user2, Exchange, DirectAccess, User Tunnel, Infra Tunnel)
As a result, even if the user logs on to his laptop with the usual authentication method (user/password, 1FA), the system will prompt the user to insert a smart card when he tries to access a server that is available on the “user tunnel”.
For example, if we try to open Outlook or OWA on this Windows 8 client, we get:
Figure 15 Smart Card authentication on DirectAccess
3.2.3.2 Integration with other VPNs
Integration with Check Point Endpoint Security Remote Access VPN: The Check Point Endpoint Remote Access VPN software provides users with secure, seamless access to corporate networks and resources when traveling or working remotely. Privacy and integrity of sensitive information are ensured through multi-factor authentication, endpoint system compliance scanning and encryption of all transmitted data.
Check Point Endpoint Security VPN
3.2.4 Signature
Digital IDs help validate your identity, and they can be used to sign important documents electronically.
Document signature from Microsoft Office or Adobe Writer
Microsoft Office or Adobe Writer can be used for signing documents with digital IDs using advanced algorithms, such as the elliptic curve public key algorithm (ECC), supported since Windows Vista. Since Office 2010, it is also possible to use XAdES.
Document signature can be performed in 3 different ways:
• Signature certificate provided from a public certificate authority.
• Signature certificate provided by a private public key infrastructure such as Microsoft AD CS (Certificate Services). For this scenario, digital certificates will be stored in a smart card.
• Signature of a document without a certificate authority.
3.2.5 Secure browsing
The browser is the central application for accessing on-line services through Web pages and performing eBanking and eCommerce operations. It is the security processor for performing sensitive cryptographic operations such as enabling SSL connections and it is the repository for storing user credentials such as private keys and certificates and enabling trust chains between certificates. The browser also impacts the end-user’s privacy with bookmarks and navigation history.
As a consequence, the browser is the weak security point of on-line services and it has become now the main target of hackers.
Currently available on a project basis (i.e. upon specific requirements and a specific quote), Gemalto Armored Browser combats increasingly complex cyber threats by providing optimal security. It is modular and flexible and can integrate particular requirements (e.g. PKI).
It is deployed as an application within Gemalto IDBridge K3000.
Key Benefits are:
• Zero footprint using USB HID Mode
• Includes up to 3 factors of authentication
• Includes system authentication of designated sites
• Protects against the most advanced malware threats
• Write protection of key elements
• Ability to update/upgrade the solution
• Embedded key logging protection
• Certificate CRL/OCSP support
Since mobile devices are particularly exposed to attacks, Gemalto Secure Browser on IDBridge K3000 provides additional security for tablets running Win8 Pro. With the K3000 in USB HID mode, the browser application installs and executes with a “zero footprint”, and the integrity of the confidential data is guaranteed because the application executes in its own “sandbox”.
When a user double-clicks on the desktop icon or runs the IDBridge K3000 USB device, it automatically loads the customized browser and authenticates the designated site, while the server authenticates the user (and the device) by checking the client-side certificate and hardware ID. The user then simply enters the third factor of authentication (username/password/PIN), which is automatically protected from spyware by patented anti-key-logging technology.
Figure 16 Gemalto secure browser on Win8 Pro tablet
3.2.6 Failover mode
Any time an executive or employee travels or works outside the office, they run the risk of losing their credential. Sometimes the badge is forgotten in a hotel room, in a public location or in an airport boarding lounge.
This creates a major concern: the executive must still be able to use his laptop or tablet, log on and access his personal information and resources (encrypted email, encrypted files or folders), connect to the corporate network and exchange with his colleagues and peers with the same level of security, all in the absence of his credential.
The Gemalto ExecProtect “failover” mode addresses this use case by providing solutions that meet the requirements of organizations of different sizes. It is operational in on-line and off-line mode, providing the user with continuity of service and an easy-to-use, user-friendly solution that fits most situations an executive may encounter in a remote location: visiting prospects or customers without any network connection, back in the hotel room, etc.
3.2.6.1 Smart card logon and CEPM
The Corporate Emergency Password Manager (CEPM) is a software component that manages and generates the user password according to a group security policy. The passwords are computer generated and regularly modified (time based or event based, such as upon a successful logon).
Depending on the frequency of password updates, it becomes practically impossible for a user to memorize all the passwords. Since the password is computer generated, it uses the full range of available characters (54 chars) and its length can be configured to render any brute force attack ineffective.
In case of a lost or forgotten credential, the executive can contact the IT administrator to obtain the password, which will be communicated through the available media such as voice, phone, SMS etc.
In the normal configuration, the smart card logon and the user password credentials both coexist and are allowed by the security group policy. But since the login/password is constantly modified and difficult for a human to remember, the smart card logon is “de facto” enforced, and it ensures multi-factor authentication. From a practical point of view, the user password will only be used in exceptional cases such as failover mode.
3.2.6.2 Smart card logon and OTP
The OTP logon can also be used as an effective “failover” mode when the credential is lost or forgotten. Gemalto ExecProtect offers several scenarios to generate and use the OTP logon. This solution is operational online; the offline mode will be available soon.
ExecProtect includes an OTP credential provider that combines login/password with an OTP to provide two-factor authentication.
Figure 17 CEPM and OTP scenarios of “failover” mode (diagram with two panels, SmartCard Logon + CEPM and SmartCard Logon + OTP: Standard Use (Smart Card logon) to PKI enabled Applications; Fallback Case (Smart Card Unavailable) with Login/Passwd Logon, a password update if online for CEPM or an Id Confirm 1000 acknowledgement for OTP; Network Controlled Smart Card (NCSC), Secured Connection (SSL), HSM)
The OTP can be supplied in several ways:
• SMS-OTP: The OTP is computed by the IDConfirm server. After successful authentication of the user and supervision by the administrator, IDConfirm calculates the OTP and communicates it to the user by SMS. Upon reception of the OTP on his mobile, the user may proceed with logon authentication on his laptop or tablet by entering his login/password and the OTP.
• Mobile OTP – IDProve 200: This application is installed on the mobile phone and allows users to securely generate an OTP using their mobile phone as a token. This solution combines the security and convenience of an OTP generated on a mobile device.
• Token – OTP (Display Card IDProve 700 – Token IDProve 100):
o IDProve 700 Display Card is a credit card format OTP token device that provides a simple solution for secure remote access with strong authentication.
o IDProve 100 is an unconnected OTP device that provides a simple solution for secure remote access with strong authentication.
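The Display Card flow in 3.2.1.5 (press the button, type the displayed value, server checks it) and the OTP failover options above rest, for an OATH token, on RFC 4226 HOTP. The following Python is an added illustration and not Gemalto's code nor the IDConfirm 1000 implementation: it computes the event-based HOTP value and shows a server-side verifier that tolerates the token counter running ahead (a user pressed the button without logging on) and rejects replayed codes. The secret, user names and look-ahead window are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Constructed stand-in for the server-side check the text assigns to IDConfirm 1000.

    Per user it keeps the shared secret and the next counter value it expects.
    """

    def __init__(self, look_ahead: int = 10):
        # How far ahead of the server the token counter may drift and still be accepted.
        self.look_ahead = look_ahead
        self._tokens = {}  # user -> [secret, next_expected_counter]

    def enrol(self, user: str, secret: bytes, counter: int = 0) -> None:
        self._tokens[user] = [secret, counter]

    def verify(self, user: str, otp: str) -> bool:
        """Accept the OTP if it matches one of the next look_ahead+1 counter values.

        On success the expected counter moves past the matched value, so the same
        code (or any earlier one) can no longer be replayed.
        """
        entry = self._tokens.get(user)
        if entry is None or not (otp.isdigit() and len(otp) == 6):
            return False
        secret, expected = entry
        for candidate in range(expected, expected + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, candidate), otp):
                entry[1] = candidate + 1  # resynchronise the server with the token
                return True
        return False


if __name__ == "__main__":
    # The RFC 4226 test secret; a real token's seed is provisioned by the card management system.
    demo_secret = b"12345678901234567890"
    server = OtpVerifier()
    server.enrol("user1", demo_secret)
    print("first press accepted:", server.verify("user1", hotp(demo_secret, 0)))
    print("same value replayed:", server.verify("user1", hotp(demo_secret, 0)))
```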
4 Detailed Offer
4.1 Product description
4.1.1 Cards and tokens
Most organizations use an identification badge for employee physical access to buildings and secure areas and sometimes for payment at the cafeteria or vending machines.
Gemalto provides strong authentication solutions based on an extensive portfolio of products that combine logical access control with physical access control with smart cards for corporate badges, OTP tokens and associated server software, PKI middleware and card management systems.
Additionally, Gemalto is a leader in smart card personalization and offers services for enterprise badge personalization to enterprises around the world.
Benefits of the converged badge are:
• Enhances protection for access to network connections, applications, data and communications
• Provides a platform to expand security policies with pre-boot authentication, digital signature, file encryption and other PKI services
• Reduces costs and resources needed for password support
• Improves productivity and convenience with secure access to corporate assets for employees and partners outside of the internal security perimeter
• Helps comply with regulations and standards mandating strong authentication.
4.1.1.1 IDPrime .NET
IDPrime .NET cards put state-of-the-art technology at the service of organizations committed to taking their IT IdA infrastructure to the next level. IDPrime .NET comes equipped with support for two different 2FA technologies, OTP and PKI, plus a minidriver architecture, meaning there is no middleware to deploy, maintain and support for any application that supports the Base CSP.
With Gemalto .NET technology, you benefit from unparalleled level of integration with Microsoft's platforms and solutions: Native support by all Windows OS from XP to Windows 8 and their associated server versions.
IDPrime .NET cards are also fully compatible with Forefront Edge, Active Directory Domain Services and Certificate Services, and are supported by most card management systems such as Microsoft's FIM / ILM CMS, Versatile, etc.
With Gemalto .NET implementation, encryption and digital signature services become easier than ever.
The proposed solution is based on the .NET card, enabling a wide range of services and solutions such as:
• VPN access
• Strong authentication on Web applications
• E-mail, files and directories encryption
• Smart card log-on on Windows session
• Electronic signature
• OTP generation
Embedded in contactless card bodies, the .NET card can be used for physical access and contactless applications:
• Canteen payment, time attendance & control
• Access control, buildings, parking garages, etc.
Figure 18 Protiva IDPrime .NET smart card and badges
4.1.1.1.1 Key Benefits
• Unparalleled integration with the Microsoft Identity and Access ecosystem
• Support for certificate-based and one-time password based strong authentication
• Compliance with Microsoft Minidriver specifications version 7
• Support for Windows, Linux & Mac operating systems
• 1st ever .NET Framework implementation for smart cards
• Strong smart card security
• Smart card integration with Web services
• Large enterprise device administration through OpenTrust SCM, InterCede MyID, Microsoft's ForeFront Identity Manager or IDAdmin 200
4.1.1.1.2 .NET smart card security
The security model of the .NET smart card falls into three categories:
User Security—The IDPrime .NET smart card is designed to provide secure, interoperable storage space. Following Web security standards and access controls, the smart card can serve the user data based on the rules for that user.
Application Security—Applications deployed on the .NET smart card are always signed assemblies. The public-key token of the signed assemblies is used to grant or deny privileges to a given application. For example, a library assembly installed on the card might restrict unknown assemblies from using its API.
Data Security—Data for IDPrime .NET applications can be stored either internally to the application or in the .NET file system. Applications using the file system can be assured that file-based data is secured by access control lists associated with the public-key tokens of on-card assemblies.
4.1.1.2 IDPrime .NET Bio
4.1.1.2.1 Functional description
IDPrime .NET Bio is an innovative software solution that provides fingerprint biometric support for Gemalto .NET smart cards integrated with Microsoft Windows platforms (since Windows XP).
IDPrime .NET Bio enables fingerprint match-on-card user authentication as an alternative or complement to smart card PIN verification. This in turn gives access to the digital certificates on the card that can then be used for logon, digital signature, file encryption, secure VPN access among other services.
This solution provides a secure two or three factor authentication. It provides additional convenience to the users, it is easy to deploy and to manage, and is fully compatible with the smart card security components available in Windows Operating Systems.
It is also compatible with the vast majority of fingerprint sensors available on the market.
4.1.1.2.2 Features:
• No compromise on security: The .NET cards have multiple hardware and software countermeasures against various attacks
• Fingerprint storage and fingerprint verification performed on-card (up to 10 fingerprint templates)
• Compatible with standard fingerprint sensors representing 90% of the market
• Four different modes for card authentication: PIN only, fingerprint only, PIN or fingerprint, PIN and fingerprint
• Integrated with Microsoft Operating Systems, Microsoft applications and 3rd party applications that support Microsoft's Windows Smart Card Framework (and Windows Biometric Framework for the Windows 7 version)
• OTP option: IDPrime .NET can have an optional onboard OATH OTP applet, offering a very flexible authentication service, combining both PKI and OTP.
4.1.1.2.3 Benefits:
• Security: Optional three-factor authentication (token, PIN and fingerprint)
• Security: Biometric credentials securely stored on the smart card; not susceptible to service outages and man-in-the-middle attacks
• Convenience: Roaming (the user can use the fingerprints and certificates stored on the card to authenticate on any computer)
• Convenience: Fingerprints used instead of the smart card PIN – easier to use, no forgotten PIN issues (improved user acceptance and adoption)
• Privacy: Match performed on the card (biometric credentials never leave the card)
• Non-repudiation: The user cannot deny having operated the application or the transaction
• Compliance: Certain countries have regulations preventing storage of biometric data in central repositories
• Technology: Maturity, accuracy and performance
• Cost savings: Eliminates expensive and complex password administration
4.1.1.3 IDPrime MD
4.1.1.3.1 Presentation
IDPrime MD smart cards are designed for public-key based applications, and come with a minidriver that offers a perfect integration with native support from the Microsoft environments, from Windows XP to Windows 8 (without any additional middleware).
IDPrime MD smart cards offer all the necessary services (with both RSA and elliptic curve algorithms) to secure an IT security and ID access infrastructure. Their PKCS#11 libraries extend the compatibility of these smart cards to any type of application and any environment (Windows, Mac, Linux) that may be used in an IT security solution.
IDPrime MD can be provided with two interface options:
• The IDPrime MD 3810 is a dual-interface smart card, allowing communication either via a contact interface or via a contactless ISO14443 interface, also compatible with the NFC standard already widely used by smartphones and tablets.
• The IDPrime MD 830 is a contact interface smart card, which will be FIPS 140-2 Level 2 certified (on-going).
4.1.1.3.2 Additional features
• No compromise on security: As reflected by the FIPS 140-2 Level 2 certification (on-going) for IDPrime MD 830 of both the operating system and the PKI applet, the IDPrime MD smart cards implement the most advanced security countermeasures for enforcing protection of all sensitive data and functions in the card.
• Fingerprint storage and fingerprint verification performed on-card (up to 10 fingerprint templates) / compatible with standard fingerprint sensors representing 90% of the market
• OTP option: IDPrime MD cards are multi-application smart cards, and can have onboard the optional OATH OTP applet, offering a very flexible authentication service, combining both PKI and OTP.
• MPCOS option: IDPrime MD cards are multi-application smart cards, and can have onboard the optional MPCOS applet, which offers both e-purse and data management services.
• Cryptographic algorithms: Symmetric (3DES, AES up to 256 bits), Hash (up to SHA-512), PKI (RSA up to 2048 bits, ECC up to 521 bits, on-board key generation)
• PIN: on-board PIN policy, multi-PIN support
• Communication: MIFARE Classic Emulation, NFC
4.1.1.4 IDPrime PIV
The IDPrime PIV smart card is for government employees, contractors, first responders, enterprises and other organizations requiring compliance with the United States Government specification Federal Information Processing Standard (FIPS) 201, Personal Identification Verification. The IDPrime PIV Card v2.0 is the latest in the Gemalto product line to support this standard.
IDPrime PIV consists of the PIV card application (applet) and Gemalto’s IDCore family of Java cards. The Protiva PIV applet implements the card-edge APIs and data constructs specified by the FIPS 201 standard.
The IDCore card platform provides the underlying card operating environment, security architecture, and cryptographic capabilities. The resulting line of secure and powerful IDPrime PIV cards provides the advanced features needed for employees to authenticate into physical and logical security systems that are interoperable with the FIPS 201 standard.
4.1.1.4.1 Additional features
• No compromise on security: The TOP Java Cards have multiple hardware and software countermeasures against various attacks
• All optional and mandatory PIV data objects
• Flexible data model to create PIV data containers with their own access control rules
• Cryptographic algorithms: Symmetric (3DES, AES up to 256 bits), Hash (up to SHA-512), PKI (RSA up to 2048 bits, ECC up to 521 bits, on-board key generation)
• PIN: On-Board PIN Policy, Customizable PIN and Admin Key value, length, diversification and retry counter
• Communication: MIFARE Classic Emulation, Contactless interfaces: ISO 14443 type A or type B, T=CL up to 848 Kbps
• OTP
4.1.1.5 Integration of IDPrime onto contactless card body for access control
4.1.1.5.1 Hybrid card body applications
Hybrid card bodies are contactless options compliant with any Gemalto smart card (Protiva IDPrime.NET, Protiva IDPrime MD, IAS, PIV). Hybrids are ideal for building an application based on a contact/contactless badge. With this option, the same smart card embeds both a PKI contact application, ensuring logical access control, and a contactless application, ensuring physical access control.
Hybrid card body options include MIFARE, DESFIRE and HID card bodies. Other types of card bodies can also be envisaged (MOQ: 1000).
4.1.1.5.2 Hybrid card body benefits
The hybrid card body option is the straightforward solution to combine logical access control and physical access control.
Future evolutions are also significantly facilitated, since it will be possible to change one component without changing the other.
Figure 19 Converged badge – hybrid card body
4.1.2 Readers
IDBridge products are backed by more than 30 years of security and cryptography research and development, and are reliable, versatile and compliant with relevant standards and certifications for each industry. As the number one supplier of smart card readers in the world, Gemalto’s global manufacturing footprint supports any volume of product or global distribution.
The IDBridge portfolio of products includes readers for desktops, secure entry and remote access. This ensures the maximum flexibility for any use case or business environment.
IDBridge Connected Readers: Connected to a PC, laptop or thin client, these readers ensure communication between the smart card and network services. This portfolio of products includes readers for desktops, laptops and PIN pads for secure PIN entry. This ensures the maximum flexibility for any use case or business environment.
Contactless: These readers are optimum for speed and convenience when authenticating for physical or logical access. By simply waving or tapping a smart card to the reader, users are quickly authenticated and allowed access.
Dual Interface: These multi-purpose readers make it convenient to securely access a variety of applications using both contactless and contact technologies with one single device. These readers are ideally suited for sectors that require both technologies, such as health care, identity and access control. The IDBridge CL3000 is fully plug-and-play on Windows® OS in both contactless and contact modes, a feature unique to the Gemalto solution.
4.1.3 Administration tools
4.1.3.1 Card management system – Card issuance system
Gemalto has developed a technology partnership with Versatile Security to provide a card management offer (IDAdmin 200) that is fully integrated with ExecProtect and is based on Versatile vSEC:CMS®.
With IDAdmin 200, organizations can easily deploy secure tokens and corporate badges. It offers the following functionalities:
• Card issuance:
o Biographical information: photo, name, surname etc.
o Certificate enrolment
o Personalization (graphical and electrical)
• Card life cycle management:
o PIN management
o Certificate management
o Card state management
The new S-Edition of vSEC:CMS has never been so easy to use and to maintain. Main features are:
• Intuitive user interface to improve operational efficiency
• No hidden costs and low total cost of ownership
• The security level is always high, no alternatives
• Large scale capabilities, available from day one
The vSEC:CMS T-Series is available in two different editions: the token edition and the service edition (S-Edition). The token edition delivers vSEC:CMS on Gemalto’s IDBridge K3000. The vSEC:CMS T-Series stores the application, configuration settings and credentials securely on the token, thereby removing the requirement to invest in expensive server hardware.
The S-Edition of the vSEC:CMS T-Series is a client-server based version used in a terminal services environment. The S-Edition is best suited for larger deployments in different physical locations and where several operators are interacting with the smart card management system in parallel.
The vSEC:CMS T-Series is fully functional with minidriver-enabled smart cards, which streamlines all aspects of a CMS by connecting to enterprise directories, certificate authorities, physical access systems, and smart card printers. The vSEC:CMS T-Series supports the IDPrime .NET, IDPrime PIV Card and IDPrime MD.
4.1.3.1.1.1 Key Features
Figure 20 vSEC:CMS T-Series Interfaces
The vSEC:CMS has several optional connectors for different purposes. For example it can connect the smart cards to users in a user directory (MS Active Directory or LDAP) and then fetch the photo and the biographical data (name, surname, etc.) that will be used for the personalization of the badge. It can use a Certificate Authority to issue certificates directly onto the smart cards.
Note: Future versions of vSEC:CMS will integrate portrait capture and enhancement.
The management of smart cards throughout their lifecycle is broken into different processes in the vSEC:CMS T-Series application. A smart card can have a different status depending on where it is in the smart card lifecycle. Some of the statuses are highlighted below:
Figure 21 vSEC:CMS T-Series State diagram
• Register smart card/ unregister smart card: In order to register a smart card, simply attach a new, unregistered smart card to the system and click the Register/unregister button. Select the Perform batch process option if more than one smart card is to be registered at a time, which allows for a streamlined registration flow.
• PIN policy: A registered user smart card with the vSEC:CMS T-Series application can have a PIN policy set to the user smart card.
• Certificates/keys: A registered user smart card can have a digital certificate viewed, removed, deleted, imported or set as the default certificate on the smart card. It is also possible to issue certificates to the user smart card if connected to a CA.
• Update smart card: A registered user smart card with the vSEC:CMS T-Series application can have its administration key updated.
4.1.3.1.1.2 Physical and logical access convergence
Within vSEC:CMS, it is also possible to configure several connectors for PAMS (Physical Access Management System) to exchange information and data (either already implemented as EdgeConnector support, or via a plugin interface).
4.1.3.1.1.3 Administration interface
vSEC:CMS T-Series S-Edition gives IT administrators the flexibility to centrally deploy applications to users, regardless of their location.
Main features and benefits are listed below:
• Simplifies remote access
• Improves performance and accelerates application deployment
• Reduces costs
• Bolsters security
• Streamlines administration
4.1.3.2 Corporate Emergency Password Manager
Gemalto’s Help Desk Emergency Password (HDEP) solution can be used when a user has lost, forgotten or damaged his/her smart card.
The solution consists of updating the user’s domain password with a diversified password that is unknown to the user and can be computed by the helpdesk in case of emergency. In order to enable the user to log on later to the PC (with or without connection to the customer domain network), a logon script updates the Emergency Password in the Active Directory (AD) and publishes it to the local Windows credential cache.
Each time the Emergency Password is given to the user by the helpdesk, a value is changed in AD so that the password is different each time. This value can be based on a timestamp, giving the password a validity period. The application allows the helpdesk representative to set how many days the password will remain valid. Therefore, the password is valid until the next logon connected to the customer domain or until the password expires.
The only piece of information that is present on the user’s computer is the local credential cache. During the logon, the timestamp based counter in AD is checked and the password is updated in the local credential cache if necessary.
The password in Active Directory is set to “never expires” and the user will not be able to change the password.
4.1.3.2.1 Initial Emergency Password setting
At the end of the card personalization process, the card management system requests the CEPM Web Service to compute an Emergency Password, and subsequently sets the user password accordingly in AD. The attribute is set to “never expires” and “cannot be changed”.
4.1.3.2.2 Emergency Password computer caching
This step is done using a logon script pushed by the domain users’ group policy. Depending on the Timestamp attribute, the Emergency Password is cached on the local credential cache.
4.1.3.2.3 Corporate Emergency Password retrieval
When a user has lost, forgotten or damaged his smart card, he calls the helpdesk agent. The helpdesk agent checks the user's identity (using the secret questions provided by the end user) and then computes the Emergency Password to provide to the user. This scenario can take place either connected to the network or out of the office. The helpdesk agent decides whether the Emergency Password is valid until the next successful logon or for a certain number of days (1 day, 3 days, 5 days, 10 days).
The helpdesk agent is also able to force a reset of the password at the next logon in case of a synchronization issue. This option resets the password timestamp and the password value. The next time the user logs on to the network, this new password is cached in the local credential cache.
4.1.3.2.4 Emergency Password computation
In order to compute a unique one-time Emergency Password that the helpdesk can retrieve, the password is generated by a symmetric mechanism from a piece of information known only to the helpdesk, a timestamp and a unique user identifier. To make the password easier to read out, it is divided into 3 (three) blocks of 4 (four) digits. A generated password looks as follows: E920-1BB0-B18A
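As an added illustration (not code from this document or from Gemalto’s HDEP product), the following Python model follows the scheme described in 4.1.3.2 and 4.1.3.2.4: the password is derived from a helpdesk-only secret, the unique user identifier and the AD timestamp counter, and formatted as three blocks of four hex digits; the helpdesk issue with its validity choices (until next logon, or 1/3/5/10 days), the forced reset, the server-side check and the cache refresh at a connected logon are modelled on the text. HMAC-SHA256 is an assumed choice (the document only says “symmetric mechanism”), and the secret value, the user id and the dictionaries standing in for the AD object and the local credential cache are all constructed.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed secret: held only by the helpdesk / CEPM service, never written to the user's PC.
HELPDESK_SECRET = b"constructed-helpdesk-secret-not-a-real-key"
VALIDITY_CHOICES = (0, 1, 3, 5, 10)  # days; 0 = valid only until the next connected domain logon


def compute_emergency_password(secret, user_id, timestamp):
    """Symmetric derivation (HMAC-SHA256 is an assumption) over the helpdesk secret,
    the unique user id and the AD timestamp counter. Output: 12 hex digits in three
    blocks of four, the shape shown in the document (E920-1BB0-B18A)."""
    msg = f"{user_id}|{timestamp}".encode()
    hexdigest = hmac.new(secret, msg, hashlib.sha256).hexdigest().upper()
    return "-".join(hexdigest[i:i + 4] for i in range(0, 12, 4))


def new_ad_user(user_id):
    """Constructed stand-in for the AD object ('never expires', not user-changeable)."""
    return {"user_id": user_id, "ep_timestamp": 0, "ep_validity_days": 0,
            "ep_expiry": None, "ep_reset_pending": False}


def _bump_timestamp(ad_user, now):
    # Strictly increasing even if two changes land in the same second.
    ad_user["ep_timestamp"] = max(int(now.timestamp()), ad_user["ep_timestamp"] + 1)


def helpdesk_issue(ad_user, validity_days, now):
    """Helpdesk action after the identity check: change the AD value so the password
    differs from any earlier one, record the chosen validity, return the password."""
    if validity_days not in VALIDITY_CHOICES:
        raise ValueError(f"validity must be one of {VALIDITY_CHOICES}")
    _bump_timestamp(ad_user, now)
    ad_user["ep_validity_days"] = validity_days
    ad_user["ep_expiry"] = None if validity_days == 0 else now + timedelta(days=validity_days)
    return compute_emergency_password(HELPDESK_SECRET, ad_user["user_id"], ad_user["ep_timestamp"])


def helpdesk_force_reset(ad_user):
    """Synchronization issue: timestamp and value are reset at the user's next logon."""
    ad_user["ep_reset_pending"] = True


def emergency_password_valid(ad_user, password, now):
    """Server-side check: recompute from the current AD timestamp (so any later issue
    or rotation invalidates an older value) and honour the expiry date when one is set."""
    expected = compute_emergency_password(HELPDESK_SECRET, ad_user["user_id"], ad_user["ep_timestamp"])
    if not hmac.compare_digest(expected, password):
        return False
    return ad_user["ep_expiry"] is None or now <= ad_user["ep_expiry"]


def connected_logon(ad_user, local_cache, now):
    """Logon script at a domain-connected logon. An 'until next logon' password (or a
    pending forced reset) is rotated here; then the local credential cache, the only
    copy on the PC, is refreshed if the AD timestamp moved. Returns True on refresh."""
    if ad_user["ep_validity_days"] == 0 or ad_user["ep_reset_pending"]:
        _bump_timestamp(ad_user, now)
        ad_user["ep_validity_days"] = 0
        ad_user["ep_expiry"] = None
        ad_user["ep_reset_pending"] = False
    if local_cache.get("ep_timestamp") == ad_user["ep_timestamp"]:
        return False
    # Simplified: the service holding the secret hands the current value to the cache.
    local_cache["ep_timestamp"] = ad_user["ep_timestamp"]
    local_cache["password"] = compute_emergency_password(
        HELPDESK_SECRET, ad_user["user_id"], ad_user["ep_timestamp"])
    return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    user, cache = new_ad_user("jdoe"), {}
    pw = helpdesk_issue(user, 3, t0)
    print("issued:", pw, "valid on day 2:", emergency_password_valid(user, pw, t0 + timedelta(days=2)))
    print("cache refreshed at logon:", connected_logon(user, cache, t0 + timedelta(hours=1)))
```

The point to notice is that the PC never holds anything the helpdesk secret can be recovered from: the cache only receives the already-derived value, and a value issued with “until next logon” validity stops verifying as soon as the timestamp moves at the next connected logon.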
4.1.4 Authentication solution
4.1.4.1 IDConfirm 1000 authentication server
Figure 22 IDConfirm 1000 interfaces
IDConfirm provides a two-factor authentication process; it consists of the following:
• A Web application that manages the authentication requests and responses, either from direct Web server access or from a RADIUS agent, and provides the graphical user interface (GUI) to manage devices, policies, roles, users, keys, etc.
• A core authentication engine that interacts with the data server, the keystore (either a hardware security module, HSM, or a software secure module, SSM) and the cryptogram-computing modules for OTP authentication.
IDConfirm uses a data server to access and update the information relevant to the authentication process. The IDConfirm server can communicate with two types of data servers: a database server, or an LDAP directory server such as Microsoft Windows Active Directory. Depending on your specific needs, IDConfirm can be configured in either:
• Database server only (“DB Only” mode)
• A combination of database server and LDAP directory server (“Mixed” mode)
In mixed mode, IDConfirm reads the existing user information needed for authentication, such as login ID or password, from a directory on the LDAP directory server in read-only mode. IDConfirm keeps all the additional information it needs, such as login name or phone number, in a database on the data server.
IDConfirm supports SMS OTP. A third-party SMS provider must expose a gateway through which the SMS messages are requested.
4.1.4.1.1 Gemalto Strong Authentication
Gemalto Protiva IDConfirm solutions include a full portfolio of products to meet the need for secure access to business resources. It is a modular system that lets businesses choose the security level they need, from a full end-to-end system to .NET-based smart cards that leverage the card management capabilities built into Microsoft Server and Windows OS.
Protiva IDConfirm relies on OATH, the result of a collaboration between major actors of the security world. The goal of this joint work is to define open standards and a reference architecture, and to promote interoperability.
Using Protiva IDConfirm solutions, enterprises can deploy strong authentication at a low total cost of ownership. This is achieved through packaged, plug-and-play solutions that adapt to existing networks and AAA servers.
Our wide range of hardware and software solutions embeds smart card technology in cards, tokens and mobile phones, offering the highest level of security for two-factor authentication. You can choose a smart card, token or mobile phone, usable in a connected or an unconnected environment, according to your architectural constraints. Our software solutions are open, scalable and designed to evolve.
4.1.4.1.2 Strong Authentication Server
Gemalto’s Protiva IDConfirm server provides strong authentication protection to enterprises in an easy-to-deploy, easy-to-use authentication platform.
IDConfirm server 5.x relies on a flexible architecture that scales from a handful of users to millions of users. This flexibility is also used to package solutions dedicated to different market segments such as e-banking, enterprises, etc.
The product was designed to integrate easily into our customers’ environments and thus protect their existing investments. IDConfirm solutions gather the available components needed to build your strong authentication deployment.
IDConfirm Server
4.1.4.1.3 Key benefits
• A wide range of authentication methods relying on open standards: you are not confined to a proprietary solution. Many third-party components are compatible with the Gemalto solution through support of the RADIUS protocol.
• A wide range of devices with various optional features: Gemalto’s expansive portfolio will help you find a solution that fits your needs regarding form factors, authentication schemes, secure storage and access control if needed.
• Very powerful Web API for easy integration: IDConfirm provides an extended Web API that enables control of most of the server’s features (user provisioning, revocation, authentication, SMS request, etc.) from an external application.
• A solution relying on a robust and scalable architecture: the validation server is designed to serve millions of users and devices for e-banking use cases, but it can also be installed on a cost-effective configuration to serve a dozen users.
• Gemalto never keeps the customer keys: all devices produced by Gemalto are personalized with random keys that are not kept on Gemalto premises.
4.1.4.2 Emergency OTP - virtual tokens
Lost and forgotten device use cases illustrate the concept of a virtual token. For example, if a user’s device has been lost, stolen or forgotten, he is assigned a temporary “virtual” token. This token is virtual because it exists only on the IDConfirm server (no physical device is given to the user).
The only way the user can get the OTP for this virtual device is to call the help desk or to access a Web self-service portal directly. The user must know his password and the answers to all security questions to obtain a list of virtual OTPs.
To protect the system, some limitations are placed on this authentication method:
• A limited number of OTPs can be given to the user per request (X). Using an OTP in the list deactivates the earlier ones.
• A limited life period is allowed for the virtual device (Y). The virtual token’s expiration date is calculated by adding Y to the activation date. Both values are defined in the virtual token’s associated policy. A virtual policy must have its device mode set to virtual in the customer care portal.
Administrators can also define the mechanism for delivering virtual OTPs. There are three options:
• Display (default)
• Email
• SMS (like SMS OTP)
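The following Python sketch, added here and not taken from the document or from the IDConfirm product, models the virtual token rules above: the self-service gate (password plus every security question must pass before anything is issued), X OTPs per request, expiry at activation date plus Y days, the “using an OTP deactivates the earlier ones” rule, and the delivery channel read from the policy (display, email or SMS). The policy numbers, the user record, the secret-question answers, the choice to generate the OTP list randomly on the server, and the rule that a new request replaces the previous list are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed policy: X (OTPs per request) and Y (lifetime in days) are placeholders in the document.
VIRTUAL_POLICY = {"device_mode": "virtual", "otps_per_request": 5,
                  "lifetime_days": 3, "delivery": "display"}
DELIVERY_CHANNELS = ("display", "email", "sms")


def _normalize_answer(answer):
    # Security-question answers are compared case- and whitespace-insensitively.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


class VirtualToken:
    """Exists only on the server: an ordered list of outstanding OTPs and an expiry date."""

    def __init__(self, policy, activated):
        if policy["device_mode"] != "virtual":
            raise ValueError("policy must have its device mode set to virtual")
        if policy["delivery"] not in DELIVERY_CHANNELS:
            raise ValueError("unknown delivery channel")
        self.policy = policy
        self.expiry = activated + timedelta(days=policy["lifetime_days"])  # activation date + Y
        self.outstanding = []

    def expired(self, now):
        return now > self.expiry

    def issue(self, now):
        """Return (channel, otps): at most X fresh, distinct OTPs. A new request replaces
        any list still outstanding (assumption: one live list per virtual token)."""
        if self.expired(now):
            raise PermissionError("virtual token expired")
        otps = []
        while len(otps) < self.policy["otps_per_request"]:
            code = f"{secrets.randbelow(10 ** 6):06d}"
            if code not in otps:
                otps.append(code)
        self.outstanding = list(otps)
        return self.policy["delivery"], otps

    def verify(self, otp, now):
        """Accept an outstanding OTP once; using it deactivates every earlier one in the list."""
        if self.expired(now):
            return False
        for index, candidate in enumerate(self.outstanding):
            if hmac.compare_digest(candidate, otp):
                del self.outstanding[: index + 1]
                return True
        return False


class UserRecord:
    def __init__(self, user_id, password, answers):
        self.user_id = user_id
        # Constructed: a production system would use a password-hashing KDF here.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.answer_hashes = {q: _normalize_answer(a) for q, a in answers.items()}
        self.token = None


def self_service_request(user, password, answers, policy, now):
    """Self-service portal: the password and every security question must pass before
    any OTP is produced. Every answer is checked so a failure reveals nothing about
    which one was wrong. Returns (channel, otps) or None."""
    ok = hmac.compare_digest(user.password_hash, hashlib.sha256(password.encode()).hexdigest())
    for question, expected in user.answer_hashes.items():
        ok &= hmac.compare_digest(expected, _normalize_answer(answers.get(question, "")))
    if not ok:
        return None
    if user.token is None or user.token.expired(now):
        user.token = VirtualToken(policy, activated=now)
    return user.token.issue(now)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    user = UserRecord("jdoe", "correct horse", {"pet": "Rex", "city": "Lyon"})
    channel, otps = self_service_request(user, "correct horse",
                                         {"pet": "rex", "city": "LYON"}, VIRTUAL_POLICY, now)
    print(channel, otps, user.token.verify(otps[2], now))
```

Using the third OTP of the list leaves only the fourth and fifth alive; the first two are gone for good, which is the property the text describes.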
Figure 23. Operator generated virtual tokens for user
4.1.4.3 IDProve
4.1.4.3.1 IDProve 100
Gemalto offers IDProve 100 unconnected OTP devices, which provide a simple solution for secure remote access with strong authentication.
The standard secure exchange of provisioning files uses two different email recipients: the first receives the files encrypted in a zip archive, and the second receives the password of the zip file.
4.1.4.3.2 IDProve 200
Mobile OTP uses an application downloaded to the handset that lets users securely generate an OTP using their mobile phone as a token. This solution takes advantage of the fact that people are usually not without their mobile phone for very long. With the increasing functionality of smartphones, using the handset as a productivity tool has become common practice. With the Mobile OTP application, users can always generate an OTP, even with limited or no network connectivity.
4.1.4.3.3 Features
The Mobile OTP application combines the security and the convenience of an OTP generated on a mobile device.
Gemalto Mobile OTP supports a wide range of mobile handset operating systems, including iPhone, BlackBerry, Android, Windows Mobile and other Java phones.
The Mobile OTP computation method is time-based, which means that the mobile phone time is one of the parameters in the OTP computation. This applies both to the token, which generates the OTP, and to the server, which performs the same computation in order to validate the OTP received from the user. The time-based OTP embeds the time stamp, whereas the validity period is a server parameter.
Before using Mobile OTP, users must register the application. Two steps are necessary to generate an OTP:
• Run the token application
• Enter the PIN code
The generated OTP can then be used along with the user’s login name.
Some details on PIN code management:
• The PIN is not stored on the mobile, not transmitted, and not stored on the server (patented solution)
• The PIN code is selected by the user (no temporary PIN needs to be sent to the user) and can be replaced at any time (off-line)
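To make the time-based computation concrete, here is an added Python example (not Gemalto’s code; the PIN handling is patented and not described in the document, so it is not modelled): the token side derives the OTP from its own clock with RFC 6238 TOTP over HMAC-SHA1, and the server side repeats the same computation within a validity window that is a server parameter, keeping a high-water mark so that an OTP is accepted at most once. The seed is the RFC 6238 test value, and the login name and the validation server class are constructed.

```python
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """Token side (RFC 6238): the phone's clock, divided into steps, is the counter."""
    return hotp(seed, unix_time // step, digits)


class OtpValidationServer:
    """Server side: the same computation, plus a validity window (a server parameter,
    as the document states) and a per-user high-water mark against replay."""

    def __init__(self, validity_steps=1, step=30, digits=6):
        self.validity_steps = validity_steps  # accepted drift, in steps, either side of server time
        self.step = step
        self.digits = digits
        self.users = {}

    def register(self, login, seed):
        self.users[login] = {"seed": seed, "last_step": -1}

    def validate(self, login, otp, server_time):
        """True only for an OTP of a step inside the window that is newer than the
        last step already accepted for this user; every accepted step is then burnt."""
        record = self.users.get(login)
        if record is None:
            return False
        now_step = server_time // self.step
        for candidate in range(now_step - self.validity_steps, now_step + self.validity_steps + 1):
            if candidate <= record["last_step"]:
                continue  # already used, or older than an OTP already accepted
            if hmac.compare_digest(hotp(record["seed"], candidate, self.digits), otp):
                record["last_step"] = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test seed, used here as a constructed demo value, not a real token seed.
    seed = b"12345678901234567890"
    server = OtpValidationServer(validity_steps=1)
    server.register("jdoe", seed)
    code = totp(seed, 59)  # phone clock at t=59 s
    print(code, server.validate("jdoe", code, 59), server.validate("jdoe", code, 61))
```

The window is the knob the text calls the validity period: widening it tolerates more clock drift on the handset but lengthens the time an intercepted OTP stays usable, which is why the high-water mark is kept as well.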
4.1.4.3.4 SMS OTP
SMS OTPs are computed like token OTPs, but the device is a virtual token managed by the IDConfirm server. When logging on to a company Web portal or SSL VPN client:
1. The user enters his or her user ID and password, and makes sure the mobile phone is switched on.
2. The user validates the form. If the password is correct, he or she receives the OTP as an SMS message.
3. The user enters this OTP value in the new input field to authenticate to the application.
4.1.4.4 ID Bridge K3000
This unique zero-footprint PKI USB device was designed and built following feedback from customers who deploy PKI solutions in their enterprise and banking environments.
ID Bridge K3000 is an all-in-one device that provides the following functionalities:
• Signature and encryption (using the embedded smart card)
• Secure OTP generation: using the OTP application embedded in the smart card
• Secure browser: zero-footprint execution. No data is stored outside the memory of the K3000
• Data repository: the public partition can be used to store and exchange information like any USB storage device
• Embedded applications: the “read-only” partition may contain several applications that are executed in a sandbox environment
• Secure storage: using the encrypted private partition, or with data stored encrypted in the public partition (for example with BitLocker)
4.1.4.4.1 A Zero footprint PKI device
The K3000 is a strong two-factor authentication device, designed to provide digital signature capabilities in a secure framework. It is made up of several components:
Hardware: a USB device which embeds a smart card (IDProve MD, IDProve .NET or ID Classic), an SD card, and a button on the side. The button has two functions: it slides the USB connector out of the device, and it is also an action button that the end user must physically press to confirm an operation.
Smart card: several smart cards can be embedded within the K3000 device: IDBridge MD, IDBridge .NET, IDClassic. They can store and manage various certificates, as well as other applications.
μSD card: it can be configured to hold several partitions of different sizes (public, private or read-only). The read-only partition contains the embedded applications. All data on the μSD card is encrypted to ensure that no one can alter it. The μSD card data is also remotely updatable when used in conjunction with the Gemalto Token Management System.
Access to the μSD card is provided through a specific microcontroller that implements dedicated security policies. The part of the memory containing the applications is seen by the user’s computer as read-only memory (CD-ROM). It therefore cannot be affected by malware that could have infected a browser stored on a read/write device such as the PC hard disk or a read/write USB memory stick.
4.1.4.4.2 Future proof
ID Bridge K3000 can be managed remotely using the Gemalto Token Management System, which enables certificates and applications to be updated.
For example, simply adding a new URL to the ID Bridge K3000 secure browser deploys a new service such as eSigning. Since no new hardware needs to be issued, this is a cost-efficient way to future-proof your online channels.
4.1.4.4.3 Customizable
ID Bridge K3000 is available in 11 different colors. All are made of high-quality colored aluminium, outlining the unique design of this revolutionary product.
4.1.4.4.4 Operation and applications
The sliding button:
a) Extends and retracts the USB plug present on the device.
b) Acts as an “action” button. When a transaction signature is requested by the signing application, the LED on the device blinks orange and the user is prompted to acknowledge the action by physically pressing the action button on the device. This is a very important feature of the device to prevent the PC replay attacks that we see becoming more prevalent in the industry.
4.2 Professional Services offer
In addition to products and solutions, Gemalto provides Professional Services to help our customers, and consults with our partners to help deploy solutions to end users. The Professional Services offer can range from consulting to delivering a turnkey solution.
Gemalto Professional Services is a skilled team specializing in strong authentication deployment projects involving PKI credentials or OTP, as well as associated components such as card management systems, service bureau and PKI, and application software such as signature or encryption solutions.
Gemalto Professional Services can provide end-to-end solutions comprising best-in-class technologies for PKI, smart cards and certificate lifecycle management. When customer-specific developments are needed, such as multi-workstation logon or other bespoke solutions, Gemalto Professional Services can either work with partners or launch specific developments to closely fit customer requirements.
4.2.1 Integration services
4.2.2 Professional Services overall project approach
The overall delivery project is managed through the standard Gemalto Delivery Project methodology that involves a dedicated project team and a proven project management approach.
The following schema gives an overview of the main steps and milestones of the project methodology. This project workflow is adapted to the specifics of each project in order to provide our customers with the best project management and guarantee the best solution delivery.
Design, specifications: this involves an architecture audit, the design of detailed functional specifications, architectural design and a planning review. During this phase the solution is comprehensively defined, with inputs on the following phases to ensure a smooth migration between phases. Several meetings and workshops (phone calls, video conferences, face-to-face meetings) are organized by Gemalto. At the end of this phase, the solution requirements specifications and the design of the solution are approved by the customer.
Internal integration, development: In this phase, Gemalto manages the development and customization according to the customer approved specifications. Each component or module is separately integrated and validated within the Gemalto test environment. At the end of this phase, all developments and unit tests are completed. Test plans are delivered by Gemalto and approved by the customer.
Internal acceptance: This phase ensures that the delivered project is compliant with the requirements. Tests are performed according to the test plan in Gemalto test environment.
Site installation: The solution is installed on the customer test environment and is connected to the different interfaces. The global integration and connection tests are managed or supervised by Gemalto.
Site acceptance: this phase is managed jointly by Gemalto and the customer on the customer’s premises. The tests are comprehensively executed according to the test plan. At the end of this phase, the customer grants conditional acceptance provided that all critical or major errors are cleared.
Trial phase: during this period, the customer operates the solution with a limited number of users on the test or pre-production environment. This phase focuses on usage and operation under realistic conditions. At the end of this phase the customer signs the final acceptance provided that all critical, major or minor errors are cleared. This period is also used by Gemalto to manage the handover to the Gemalto support team.
Production: After the final acceptance, the system is ready for production. The production phase includes deployment of the complete solution in the real customer environment. The Gemalto support team is now the main interface with the customer.
Project management: the project manager is responsible for delivering the project according to the specifications and the plan. He is the interface between the customer and the project team and is also in charge of project quality assurance. He organizes the progress meetings and reports all information to the customer team.
4.2.3 Project Management Consulting
The customer/integrator is responsible for integrating the Gemalto components within the full solution. Gemalto’s scope of work is to provide consulting to help with the integration and configuration of the Gemalto components. The package covers:
Requirement specification: Gemalto and its partner/integrator capture the customer requirements and define the solution architecture. This document is a top-level view of the whole solution, including an architectural and functional description. It also focuses on the security requirements and the proposed security architecture and solution.
Acceptance test plan: Gemalto and its partner/integrator define an acceptance test plan that describes a list of variables to test and validate.
Integration and configuration: Gemalto and its partner/integrator provide assistance for the integration and configuration in the customer’s production environment of the proposed system.
Full site acceptance test (SAT): Gemalto provides assistance for the validation based on acceptance test plan scenario validated and approved with the customer.
4.2.4 Procurement
Gemalto offers the unique ability to deliver cards, PIN mailers, readers/tokens, fulfillment, server platforms, secure data centers for hosted services and support services under one roof. As with every customer, we are certain that your project is ambitious in terms of timing and delivery to the end user. But our proven flexibility in resourcing large-scale projects that encompass a large number of deliverables, combined with the vast knowledge gained from similar projects, gives you the assurance that we have the capabilities to deliver.
5 Reference customers
With more than 30 years of experience in the security industry, Gemalto has significant global customer references. Top brands including Pfizer, Boeing, Microsoft, Barclays, ABN-Amro, Shell, Nissan, Caja Madrid, BNP Paribas and many more trust Gemalto for their identity and access needs.
5.1 Main references of PKI Solutions
Raiffeisen Bank–Bulgaria faced legacy issues with more than 150 applications, with numerous passwords for employees to remember. Gemalto and its partner deployed a two-factor authentication solution with an RFID PKI smart card that combines logical with physical access. Over 3,500 smart cards have been deployed and are managed by the Gemalto ExecProtect solution, which includes a CMS.
Through a partner in the UK, Gemalto was consulted to provide a strong authentication solution to BSkyB as a replacement for the RSA tokens being used by up to 4,000 workers, primarily because of the cost of renewing tokens and software licenses. Requirements included PKI-based converged cards that had to work with the existing access control and cashless vending systems and also be used for desktop logon, door access, photo ID and other applications. Gemalto and our partner have delivered around 20,000 IDPrime .NET converged cards.
The Gemalto IdA Integration and Delivery team is carrying out the full BASF corporate badge CMS integration project. The corporate badge, based on Gemalto Access TPC smart cards, was deployed in 2006 for physical access only. In 2008, Gemalto provided professional services to enable logical access; card management relies on the Intercede MyID CMS.
UK National Health System–United Kingdom: in the biggest IT project in the UK, Gemalto provides medical staff with secure access to patients’ personal data through PKI authentication (more than 1 million users). Gemalto provided the PKI authentication server, smart cards (500k units), readers, card management system and maintenance. This complex environment includes the Intercede MyID CMS deployed through a multi-server / multi-tier architecture composed of 2,000 issuance stations.
Beckman Coulter–US manufactures innovative products that simplify and automate complex biomedical testing. They had been looking for a more convenient and cost-effective way to combine physical and logical access at the company’s Brea, CA headquarters and satellite offices. Several options were evaluated, and Gemalto was selected to provide an all-in-one identity solution based on the Gemalto IDPrime .NET. This solution enables Beckman to combine all the necessary security functions into one convenient form factor, meeting both physical and logical access security needs.
AXA Technology Services–Strong authentication based on a PKI smart card has been deployed to a broad community of traveling and remote employees who need access to IT systems. The user experience has also been extended with support for biometric authentication. The biometric authentication solution has been deployed to several thousand corporate employees for network logon, digital signature and secure remote access.
Pharmaceutical giant Pfizer moved to strong authentication using PKI badges, to enable digital signature as a replacement for overwhelming paper forms and to combine logical and physical access in one device (the smart card badge). In less than 18 months, Pfizer had rolled out a smart identity management solution to over 80,000 employees worldwide.
SEW-EURODRIVE–is a world leader in drive technology and a pioneer in drive-based automation. The company settled on Windows Vista as its new desktop OS and decided to migrate to an employee badge based on smart card technology that interfaces with a VPN solution. The only smart cards supported “out of the box” by Windows Vista were Gemalto’s .NET cards. Project implementation was very fast (3 months), considering it was necessary to build a new PKI, ensure coexistence with the previous system for a certain time, and implement new functionalities that were not available with the previous system.
Gemalto and our distributor in Sweden have fully equipped SYSteam, a leading IT supplier in the Nordic region, with the Gemalto Web-hosted service for issuing and administering strong authentication devices. Gemalto’s innovation enables SYSteam IT administrators to perform day-to-day management operations for .NET devices in a secure and convenient way.
Baker Tilly has more than 1,300 associates and is recognized as the 15th largest certified public accounting and consulting firm in the US. Remote access to information is a must-have, and high security is essential for the protection of clients’ identities and financial assets. Strong security had to be balanced with convenience for employees. Gemalto’s .NET Dual USB tokens were deployed by a value-added reseller.
Valeo is one of the world’s leading automotive suppliers, employing 58,400 people in 27 countries worldwide. Gemalto deployed a strong authentication PKI solution that combines logical and physical access to secure a multi-platform corporate portal for employees working remotely or in the office.
SwedBank is a leading Nordic-Baltic banking group with 9.4 million retail customers and 540,000 corporate customers in Sweden and the Baltics. Gemalto deployed a turnkey corporate badge solution that enables secure logon, data protection (disk drive encryption), digital signature and email encryption, and remote and physical access.
Corporate-wide deployment to 80K+ users to secure Microsoft’s corporate network with strong authentication using smart cards with .NET technology. Combines logical access with physical access.
Port Huron Hospital, established in Michigan in 1882, provides a full spectrum of healthcare services. Under HIPAA regulations, access to patient information must be secured and the logs for any transactions on a patient’s medical record must be kept. Gemalto deployed a solution to secure and speed up access to workstations and to the applications that give access to patient medical records.
Jackson National Life Insurance is an $80 billion insurance company that wanted to transition from OTP to a more comprehensive PKI-based strong authentication. Gemalto deployed .NET smart cards with an OTP application and the ID Confirm 1000 server.
The Government of Alberta (Canada) outsources to more than 200 registry agencies that access certain government-owned systems in order to provide their services to their customers. Gemalto has deployed a strong authentication solution including ID Prime .NET cards.
Stockholm Town has more than 49k employees and was requested to increase security and implement an upgrade path for the integration of future digital services. Gemalto deployed a converged badge with ID Prime MD and Mifare emulation for logical and physical access control.
The Ministry of Labour and Social Affairs of the Czech Republic is a 20,000-employee organization where civil servants are provided with a secure badge to enter their offices, rapidly access the ministry’s network, and digitally sign and encrypt communications in compliance with legal security requirements. Gemalto has deployed a high-security smart badge combining physical and logical access, plus visual authentication (personalization), providing two-factor authentication to the Ministry network.
Universitat Politecnica de Catalunya (UPC) of Barcelona involves 7 universities spread out among 17 different establishments in Barcelona and 42 different departments, comprising a student population of 35,000. Access to university facilities has been unified and e-voting has been deployed to all university members (administration and students). The student smart badge has been sponsored by Banco