Sunday, November 27, 2005
How does authentication work in Entrust?
The process for user authentication for Entrust TruePass is as follows:
1. The user attempts to access a URL secured by Entrust TruePass.
2. The Resource Protection Service is initiated through the Session Validation Module. It verifies whether the user has been authenticated by checking for the presence of an Authentication cookie in the request.
3. If the user has not been authenticated, the Web server redirects the Web browser to the URL defined in the configuration data file for Entrust TruePass.
4. The Authentication page is downloaded to the Web browser. The page is secured with the Secure Sockets Layer (SSL) protocol and includes the Entrust TruePass applet and a Login button. SSL is a requirement for all URLs protected by Entrust TruePass.
5. The user completes the fields or chooses the digital ID to be used for that session on the Authentication page and clicks the Login button.
6. Depending on the deployment type, there are multiple possibilities:
Roaming Profile: The Entrust TruePass applet reads the username and password, creates a password token, and sends the token, the UID and a login request to the Entrust TruePass servlets. The token (T) is created by applying multiple iterations of a one-way hash function (SHA-1) to the username and password supplied by the user requesting the digital identity. If the hash of the user’s name and password matches the corresponding data in the directory, the user has been identified and the retrieval service is initiated by Entrust TruePass.
Desktop Profile: The Entrust TruePass applet reads the username and password, creates a password token, and compares it to the token included in the profile. If the two match, the profile is unlocked and made available to Entrust TruePass for use.
Microsoft Windows digital ID store: To confirm that the correct digital ID is used, the user must choose the identity to be used with Entrust TruePass for each session. The Entrust TruePass applet shows the user a dialog listing all digital IDs available in the current Windows session. The user chooses the appropriate digital ID, and Entrust TruePass then proceeds to log on.
Smart card user: As with a user whose digital ID is in the Microsoft Windows digital ID store, smart card users are prompted to choose a digital ID to log in with. Once chosen, the user is required to enter the PIN that protects the smart card; doing so successfully allows Entrust TruePass to access the digital ID and proceed with the logon.
For roaming users, if an additional factor of authentication is mandated, that data is verified after the user has been identified but before the identity retrieval service is invoked. The retrieval service is invoked once the user identification service has completed the steps needed to identify the user. The retrieval service proceeds as follows:
1. The Entrust TruePass servlets obtain the digital ID securely through the use of the SPEKE protocol.
2. The Entrust TruePass servlets decrypt the outer layer of the double-encrypted digital ID and send it to the Entrust TruePass applet. The digital ID is still protected by 128-bit encryption and the SSL connection.
3. The Entrust TruePass applet removes the final 128-bit layer of encryption and logs the user into the digital ID.
Once a user’s digital ID is available to Entrust TruePass, the secure session is established through the following steps:
1. A challenge-response mechanism confirms that a valid Entrust TruePass user is communicating with the Entrust TruePass server components.
2. Once the challenge-response activity has been completed, the Entrust TruePass servlets also initiate the User Management Service to perform revocation checking and determine user status. If the user has not been revoked, an Authentication session cookie is sent to the Entrust TruePass applet and stored in browser memory.
3. The User Management Service verifies whether the identity is in a key update transition period. If it requires updating, Entrust TruePass manages this automatically in the standard, transparent Entrust manner (please refer to “User Management Service” for more details).
4. The Entrust TruePass applet redirects the Web browser to the URL the user initially attempted to access.
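The Roaming Profile and Desktop Profile paths in step 6 both hinge on the password token T. The Python below is an added example written for this post, not Entrust's code: it derives T by iterated SHA-1 over the username and password as described, has the applet send only the token and UID rather than the password, compares the token on the servlet side in constant time, and gates the retrieval step on the mandated extra factor. The iteration count (1000), the separator used to join username and password, and every username, password and directory record are assumptions; the SPEKE exchange and the two decryption layers are not modelled, so the "digital ID" returned is a constructed placeholder.

```python
# Added example (not Entrust's code): the password-token step of the Roaming
# Profile and Desktop Profile login paths.  The page says T is "multiple
# iterations" of SHA-1 over username and password; the iteration count, the
# way the two strings are joined and all sample data below are assumptions.
import hashlib
import hmac
from typing import Dict, Optional

TOKEN_ITERATIONS = 1000      # assumption: the page gives no count
FIELD_SEPARATOR = b"\x00"    # assumption: how username and password are joined


def make_password_token(username: str, password: str,
                        iterations: int = TOKEN_ITERATIONS) -> bytes:
    """Derive token T by iterating SHA-1 over the username and password."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    data = username.encode("utf-8") + FIELD_SEPARATOR + password.encode("utf-8")
    digest = hashlib.sha1(data).digest()
    for _ in range(iterations - 1):          # feed each digest back into SHA-1
        digest = hashlib.sha1(digest).digest()
    return digest


def build_login_request(username: str, password: str) -> Dict[str, object]:
    """Applet side (Roaming Profile): the password stays in the browser; only
    the derived token, the UID and the request type are sent to the servlets."""
    return {"request": "login", "uid": username,
            "token": make_password_token(username, password)}


def enroll_roaming_user(directory: Dict[str, dict], username: str,
                        password: str, double_encrypted_id: bytes) -> None:
    """What the directory holds per user: the expected token and the
    double-encrypted digital ID (a constructed placeholder in this example)."""
    directory[username] = {"token": make_password_token(username, password),
                           "digital_id": double_encrypted_id}


def identify_roaming_user(directory: Dict[str, dict],
                          login_request: Dict[str, object]) -> Optional[str]:
    """Servlet side: compare the submitted token with the directory record.
    Returns the UID on success, None otherwise."""
    if login_request.get("request") != "login":
        return None
    submitted = login_request.get("token")
    if not isinstance(submitted, bytes):
        return None
    uid = str(login_request.get("uid", ""))
    record = directory.get(uid)
    # Compare against a dummy of equal length when the user is unknown, so an
    # unknown account costs the same time as a wrong password.
    expected = record["token"] if record else bytes(len(submitted))
    if not hmac.compare_digest(submitted, expected):
        return None
    return uid if record else None


def retrieve_digital_id(directory: Dict[str, dict], login_request: Dict[str, object],
                        second_factor_ok: bool = True) -> Optional[bytes]:
    """Identification first, then the mandated extra factor, then retrieval.
    The still double-encrypted blob is returned as-is (SPEKE not modelled)."""
    uid = identify_roaming_user(directory, login_request)
    if uid is None or not second_factor_ok:
        return None
    return directory[uid]["digital_id"]


def unlock_desktop_profile(profile: Dict[str, object], username: str,
                           password: str) -> bool:
    """Desktop Profile: the token is compared with the one embedded in the
    local profile; no server round trip is involved."""
    return hmac.compare_digest(make_password_token(username, password),
                               profile["token"])
```

The page names SHA-1 as the one-way function, which is reproduced here; a design built today would use a salted, memory-hard password hash (PBKDF2, scrypt or Argon2) for the same step. The constant-time comparison and the equal-length dummy for unknown users are the parts worth keeping whatever the hash.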
Single sign-on across single and multiple domains
Most large organizations have one primary domain but several sub-domains as well. They may also have multiple domains that are directly or indirectly associated, and need to enable single sign-on across these Web properties. As defined in the HTTP standard, the cookies used by Entrust TruePass are specific to a domain, but can apply throughout its sub-domains as well as to outside domains. This allows users to log into Entrust TruePass once and have access to protected resources for the whole Web session, which may include content from various departments, divisions, or partner companies. In this way, users get a single logon to all Web resources protected by Entrust TruePass.
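The sub-domain part of that claim rests on how browsers scope cookies. As an added illustration, not Entrust's code, the Python below implements the RFC 6265 domain-matching rule and shows which hosts a browser would send an authentication cookie to when it is set with a Domain attribute of the primary domain versus with no Domain attribute at all. Hostnames, the cookie name and its attributes are constructed; how TruePass extends single sign-on to unrelated partner domains is not described on the page and is not modelled.

```python
# Added example (not Entrust's code): RFC 6265 domain matching, which is what
# lets one authentication cookie set for the primary domain travel with
# requests to its sub-domains.  All hostnames and cookie values are constructed.
from typing import Dict, List


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain, or ends with
    '.' + domain and is not an IPv4 address literal.  A leading dot on the
    Domain attribute (old Netscape style) is ignored, as browsers do."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    if host.replace(".", "").isdigit():        # IP literal: never a sub-domain
        return False
    return host.endswith("." + domain)


def cookie_is_sent(cookie: Dict[str, object], request_host: str, scheme: str) -> bool:
    """Would a browser attach this cookie to a request for scheme://request_host/ ?
    'set_by' is the host that set the cookie; without a 'domain' attribute the
    cookie is host-only.  A Secure cookie is only sent over https, which matches
    the page's requirement that every protected URL use SSL."""
    if cookie.get("secure") and scheme != "https":
        return False
    domain = cookie.get("domain")
    if not domain:
        return request_host.lower() == str(cookie["set_by"]).lower()
    return domain_matches(request_host, str(domain))


def sso_coverage(cookie: Dict[str, object], hosts: List[str],
                 scheme: str = "https") -> List[str]:
    """Hosts, in the given order, that would receive the cookie."""
    return [h for h in hosts if cookie_is_sent(cookie, h, scheme)]
```

Run with a cookie set by login.example.com and Domain=example.com, hr.example.com and partner.example.com receive it while partner.com and example.com.other.net do not; drop the Domain attribute and only login.example.com receives it, which is why a portal that wants one logon across departments sets the attribute to the parent domain.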
Entrust Services
High level services
Internet Security Consulting
Custom Application Development
Deployment Services
Training
Systems Integration Services
Customer Support
Services provided by Entrust TruePass [Technical]:
Client
· Secure Session Management
o The cookies are signed and verified intermittently by TruePass SVM.
· Accessing user identities
o The user name and password are put through a cryptographic hash (SHA-1). Through the Entrust Authority Roaming Server, the user’s digital identity is securely downloaded to the Entrust TruePass applet.
· Digital Signatures
o The Entrust TruePass applet is able to sign data that the user has targeted for signature. The result is a standard PKCS#7 object. Entrust is a CA (Certificate Authority).
· Bi-directional data encryption
o The TruePass applet can encrypt data for a target backend system. Using a valid certificate, Entrust TruePass uses strong 168-bit 3DES encryption to protect data that is being submitted. The resulting standard PKCS#7 object is transmitted securely through the Web server and on to a back-end system. Backend systems also have the ability to encrypt HTML data for individual Entrust TruePass users; the Entrust TruePass applet decrypts that data, enabling the browser to render the unencrypted data into the HTML form transparently.
Server
· Session Validation Module
o The Session Validation Module (SVM) controls access to Web applications and content by intercepting URL requests and enforcing the authentication policy decisions defined by the company. As the SVM is installed on various supported Web servers, it is configured differently for each: it is a plug-in for Netscape iPlanet™, a filter for Microsoft® IIS, and a module for IBM® HTTP Server. The Session Validation Module verifies whether requests for Entrust TruePass-protected pages come from previously authenticated users.
· Entrust TruePass Servlets
o The security services provided by Entrust TruePass are delivered through Java servlets installed on a supported J2EE Web application server. These servlets perform tasks including authentication verification and retrieval, server-side signing of data, and CRL checking of encryption certificates. Deploying Entrust TruePass on a Web application server brings many benefits, including the built-in load balancing, fail-over and high-availability features that such servers provide by default.
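The Client entry "Secure Session Management" (cookies signed and verified by the SVM) and the Server entry for the Session Validation Module describe one mechanism from two sides. As an added illustration, not Entrust's code, the Python below mints an HMAC-signed session cookie once login has succeeded and has a stand-in SVM verify it on every intercepted request, answering 200 with the user, 302 to the login URL with the original URL preserved, or 403 when the protected URL was not reached over SSL. The cookie name, login URL, signing key, lifetime and claim layout are assumptions; TruePass's real cookie format is not on the page.

```python
# Added example (not Entrust's code): an HMAC-signed session cookie minted
# after login and checked by a Session Validation Module stand-in on every
# request.  Cookie name, login URL, key, lifetime and claims are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple
from urllib.parse import quote

COOKIE_NAME = "TruePassAuth"                                # assumption
LOGIN_URL = "https://portal.example.com/truepass/login"    # assumption
SESSION_TTL = 900                                            # assumption: 15 minutes
SERVER_KEY = b"constructed demo key - replace in real use"  # assumption


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session_cookie(uid: str, issued_at: Optional[int] = None,
                        key: bytes = SERVER_KEY) -> str:
    """Servlet side, after challenge-response and the revocation check passed:
    payload.signature, both URL-safe base64, signature = HMAC-SHA256(payload)."""
    iat = int(time.time()) if issued_at is None else issued_at
    claims = {"uid": uid, "iat": iat, "exp": iat + SESSION_TTL}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_session_cookie(cookie: str, now: Optional[int] = None,
                          key: bytes = SERVER_KEY) -> Optional[str]:
    """SVM side: UID for an authentic, unexpired cookie, else None.  The
    signature is checked before the payload is parsed or trusted."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    current = int(time.time()) if now is None else now
    if current >= claims["exp"]:
        return None
    return claims["uid"]


def session_validation_module(request: Dict[str, Any],
                              now: Optional[int] = None) -> Tuple[int, Dict[str, str]]:
    """Intercept one request.  `request` is a constructed dict with 'scheme',
    'url' and an optional 'cookies' mapping (name -> value)."""
    if request.get("scheme") != "https":
        return 403, {"error": "TruePass-protected URLs require SSL"}
    cookie = request.get("cookies", {}).get(COOKIE_NAME)
    uid = verify_session_cookie(cookie, now) if cookie else None
    if uid is None:
        # Carry the original URL so the applet can redirect back after login
        # (step 4 of the secure-session sequence).
        return 302, {"Location": LOGIN_URL + "?goto=" + quote(request["url"], safe="")}
    return 200, {"uid": uid}
```

Two details matter for a module in this position: the MAC is verified before anything in the payload is decoded, so a forged or spliced cookie never reaches the JSON parser, and expiry is enforced server-side from the signed `exp` claim rather than trusted from the browser.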
Entrust TruePass services [General]
· Automatic User Enrollment Service
o By Entrust Authority Self-Administration Server
· Authentication retrieval & Secure session services
· Resource Protection Service
· Digital Signature Service
o Message signing
o Transaction signing
· Persistent Encryption Service
· Security Management Service
o Key and Certificate Lifecycle Automation
o Key backup & Recovery
· Web Access Control Integration (Optional)
o Personalized services based on the customer logging history
Entrust customers
Over 1,400 government agencies and enterprises in more than 50 countries rely on Entrust to secure their digital lives and those of their customers, citizens, employees and partners.
Customers include:
7 of the top 10 Global Commercial Savings Banks
8 of the top 10 E-Governments worldwide
8 of the top 10 Global Telecom companies
7 of the top 10 Global Pharmaceutical companies
8 of the top 10 Global Aerospace and Defense Companies
4 of the top 5 Global Petroleum Companies
These include the US Department of State, the DOE and many other government agencies, banks and sensitive departments.
Entrust TruePass architecture and picture
Entrust TruePass characteristics:
Client Side:
Divided into multiple parts or Web tiers.
Firewalls are placed between these Web tiers.
Technical:
The TruePass client component is a small Java applet (~150 KB) that is transparently downloaded to the user’s browser.
Entrust supports encryption and decryption of user data beyond the Web server, which it calls end-to-end encryption.
Uses 168-bit 3DES for data transfer to and from the Web server.
Entrust ID storage:
Roaming Entrust profile – stored on the roaming server
An Entrust roaming digital ID is a standard Entrust digital ID based on the two-key-pair model, containing both key pairs and the corresponding certificates for the user. All IDs are encrypted with a 128-bit symmetric key, then encrypted again to give two-level encryption, and are stored in a standard X.500 or LDAP directory. Every Entrust TruePass session is protected with 128-bit SSL.
Desktop Entrust profile – stored on the desktop
Saves the ID in browser memory. Browser cookies were created to give context-oriented applications a way to overcome the stateless nature of the Web under the HTTP 1.x standard. The session cookies are cleared when the user logs off or closes the browser. These cookies contain encrypted information that is signed by TruePass and cryptographically verified by the Entrust TruePass SVM (Session Validation Module).
Microsoft Windows digital ID store
Smart card through the Windows security framework
Entrust General Info
Entrust Products:
Email Security
Identity Theft
Compliance
Digital Certificates
Entrust Solutions:
Secure Identity Management
Secure Data
Secure Messaging
China Digital Video Broadcast
Uses PKI (Public Key Infrastructure)
Algorithm Support
Provides a broad range of algorithms, including RSA, DSA, ECDSA, AES (128, 192 and 256-bit), CAST, IDEA, DES, Triple-DES, RC2, Diffie-Hellman, SHA (160, 256, 384 and 512-bit), MD5, MAC and HMAC.
Entrust two factor authentication
Entrust delivers two-factor authentication solutions using:
· Entrust IdentityGuard
· Entrust USB Tokens
· Smartcard integration
All of the above internally use the Entrust TruePass architecture.
Entrust TruePass - What is it
Entrust TruePass is a Web portal security solution that allows organizations to: a) identify individuals using digital IDs; b) provide a verifiable record of transactions with digital signatures; and c) protect sensitive data on and beyond Web servers with encryption. Entrust TruePass enables online businesses to build a more trusted relationship with their customers, suppliers and partners without deploying complex, confusing security plug-ins, and without restricting user mobility.
Entrust TruePass supports a wide range of smart cards and (USB) tokens.