Vasco Digipass Plug-In Novell NMAS
Contents
...we based the Digipass Family of tokens on the first two factors of the list. This means that in order to enter a remote system or to digitally sign data you need the hardware device itself (factor 1): if you do not physically have the token you will never be able to log on to the system. On top of that you need to know the PIN code for the token (factor 2) to be able to use the applications stored inside. Both of these factors help to make sure that a physical person is authenticating or signing instead of a computer or another device. These factors also enable extremely high portability. Therefore we say that you can use a Digipass token Anytime, Anywhere and Anyhow.

Technical Description

In the technical description of our Digipass Family of tokens we will elaborate on the three (3) most frequently used implementation modes of the DES algorithm in conjunction with our Digipass Family of tokens. These modes are the Response Only mode, the Challenge/Response mode and the Digital Signature mode. But first we will start by showing you the complete application cycle of Digipass token usage.

www.vasco.com | Using Digipass Strong User Authentication with Novell NMAS and iChain | THE AUTHENTICATION COMPANY

Databases and Files

General concept for Digipass Family hardware token usage

(Fig 1a: Digipass Programmer, Database Encryption Key)

Fig 1a. The first ste
Overview

This document shows you how Novell iChain and NMAS optimize their authentication by integrating VASCO Digipass for strong user authentication and by offering several secure web and RADIUS access solutions.

Situation Description

With electronic connectivity, where hackers, viruses, electronic eavesdropping and fraud can threaten the communication, productivity and prosperity of businesses and individuals, advanced network authentication based solutions are becoming a necessary component in corporate security policies. Advanced network authentication lessens the threat of intrusion by requiring the users to provide stronger authentication credentials and by allowing for the creation of multi-factor login sequences. Ideally, advanced authentication methods should be managed in a complementary advanced authentication framework that supports the access of network resources. In addition, the framework should be secure enough that information accessed through one form of authentication cannot be moved to a network area requiring a different form of authentication. To be more specific: we need access to our resources stored on the server at the headquarters, at any time, from anywhere, with maximum security.

Solution

Novell Modular Authentication Service (NMAS) adds value to authenticat
Modular Authentication Service is an extensible security product that offers you an easy way to centrally manage multiple authentication methods across your network. With Novell Modular Authentication Service you can implement stronger forms of authentication and authorization to secure your critical corporate resources. While removing the complexity of authentication to Novell eDirectory, Novell Modular Authentication Service allows you to create a variety of flexible security options. Novell Modular Authentication Service also helps remove the administrative overhead involved with maintaining password information throughout your organization. With Novell Modular Authentication Service, users can authenticate to the network via something they know (for example a password), something they have (for example a Digipass) or something they are (for example a fingerprint). By supporting the leading smart card, proximity card, token, biometric and digital certificate vendors' authentication products, Novell Modular Authentication Service provides a way to centrally and easily manage your authentication methods. In addition to its administration features, Novell Modular Authentication Service also offers graded authentication. With graded authentication you can create a security policy that grants access to your file system or directory resources based on the strength and combination of the authentication. For example, you can create a method that requires
a user to log in with a password, present a valid smart card ID and successfully complete fingerprint identification. By including graded authentication and support for various Novell and third-party authentication modules, Novell Modular Authentication Service provides you with several security options and ensures that your network will not be compromised by a carelessly handled password.

iChain

Novell iChain is an identity-based security product that controls access to application, Web and network resources across technical and organizational boundaries. Novell iChain separates security from individual applications and Web servers. This enables single-point, policy-based management of authentication and access privileges throughout the Net. Novell iChain optimizes eBusiness application development by leveraging fine-grained security that transcends firewalls. As a result, businesses can simplify Net access and security management based on users' identities. Businesses can also control the use of digital assets across the extended enterprise and get more, faster, from investments in eBusiness applications. With Novell iChain you can move your business online without sacrificing security. To support your organization's transformation to eBusiness, Novell iChain includes the following enhancements:

- Customizable login pages
- Multi-factor authentication
- Proxy server clustering
- Server fault tolerance
- Support for the Remote Authentication Dial-In User Service protocol (RADIUS)

Novell iChain is the ideal product to secure and accelerate your company's transformation to eBusiness. It is also a key component of Novell Secure Access, Novell's comprehensive security suite.

VASCO Components Description

Digipasses

Digipass Family of tokens is a general name used by VASCO to describe the family of handheld security devices that VASCO manufactures and markets.

(Figure: product range; labels recovered from the image: DESK 300, DESK 850, DESK 3000, PRO 250, PRO 300, PRO 550, PRO 700, PRO 800, GO 1, GO 2, GO)

Digipass tokens are security devices that were originally developed as an answer to the use of easy-to-compromise static passwords and PIN codes, because:

- Incorrect authentication is the single largest threat to any computer system
- User-managed passwords are the single largest cause of incorrect authentication

VASCO delivers strong authentication and guarantees data integrity for electronic transactions by means of the Digipass Family of Tokens. In the concept we implemented the cures for the weak areas of authentication and data integrity. To avoid the static nature of passwords we needed something that delivered dynamic password
office.
- Digipass Desk 850 can future-proof an existing smart card system, increase a network's security and leverage investment in a public key infrastructure (PKI) solution. This advanced e-wallet PKI device provides ultimate versatility and security, supporting strong authentication and e-signatures for the customers authorized to carry your smart cards.
- Digipass Desk 3000 is a software Digipass for laptop & desktop.

VACMAN product range

VACMAN Controller integrates smoothly into existing applications that require remote access.

VACMAN RADIUS Middleware enables strong authentication security without replacing or redesigning your remote access solution(s).

VACMAN Server is a cross-platform authentication engine designed to provide strong and seamless user authentication and access control for remote, local and web-based users. The product supports RADIUS, LAN and Web functionality:

- VACMAN Server for RADIUS is a standards-compliant server designed to provide AAA services.
- VACMAN Server for Networks provides strong user authentication and access control management for RADIUS and LAN environments in a fully integrated system.
- VACMAN Server for Web delivers access control to Web-enabled applications, whether Internet, extranet or intranet based.
(Fig 6: Novell ConsoleOne tree for DigitalAirlines, showing the Vasco Digipasses container under Services)

Fig 6. The VASCO Digipass container will contain the VASCO Digipass token object, for which you can give a friendly name (Fig 6).

(Fig 7: Novell ConsoleOne, creating a new object of class vascoDigipassToken in Services.DigitalAirlines)

Fig 7. For importing tokens a VASCO Digipass to
(Figure: ConsoleOne "Find objects that match this criteria" dialog listing Customers, Partners, Services and Novell NetWare 6 Server/User objects)

Services represents the Radius Dial Access Protocol. Double-click on Services.

(Figure: Properties of Olivier, Dial Access Services tab: Dial Access Control (Disable / Enable / Use container setting), Dial Access System, Configured Services; selection dialog listing WebAccess, Vasco Digipasses, RADIUS_DAS, iManage, DA_Subnet, digitalairlines_com)

Select the RADIUS_DAS Service.

(Figure: Properties of Olivier, Dial Access Services tab, Dial Access Control set to Enable)
Make sure to make it MANDATORY.

About VASCO Data Security

General

VASCO Data Security International Inc. (VDSI) designs, develops, markets and supports open-standards-based software and hardware security products which manage and secure access to information and financial assets. "Securing trust, securing value" is the company's creed. VASCO's range of enterprise-wide products secures Internet, client/server and mainframe-based applications and provides end-to-end security through RADIUS, LAN and Web security, PKI and LDAP enablement, web portal and application security, strong user authentication, access control, user administration and encryption. VASCO's products are used by more than 7 million users, by over 180 financial institutions and by hundreds of blue-chip corporations and governments spanning over 50 countries. VASCO is a global company with headquarters in the United States.

Company fact box (as recovered):
- VASCO Data Security International (NASDAQ NM, NASDAQ EU: VDSI), 1997
- Web: www.VASCO.com
- President and COO: Jan Valcke
- Employees: 800
- 1901 South Meyers Road, Suite 210, Oakbrook Terrace, Illinois, USA
- Koningin Astridlaan 164, B-1780 Wemmel, Belgium
- VACMAN: Authentication, Authorization, Administration (AAA) Security
- VASCO Product Range, Digipass: Encryption, Remote A
(Figure: Novell Client login dialog "Digipass Authentication for NMAS", Workstation only)

Once authenticated by VASCO, NMAS presents the NDS static password as second verification. Authentication settings are configured on a per-user basis, covered earlier in this paper.

(Figure: Novell Client login dialog, Username admin, Workstation only)

Appendix C: The VASCO VRM & Tokens work with BM/BMAS VPN Services

VPN Secure Authentication with the Digipass 300 and the Digipass Go with PIN/RESPONSE

When defining the Login Policy Rule for VPN, the External Login Service Method must be defined as MANDATORY. You cannot use "Required if assigned", so it is a global setting: anyone using VPN will be required to use Token Authentication. You will need to install the VRM from VASCO and get it working. Test with a RADIUS client like NTRadPing. Then configure NDS as per TID 2952863 (3rd Party Authentication Server with BMEB3 5), use method one. When configuring the Login Policy Object Rule, select VPN and add a Method. Browse to the External Login Service that was created using the TI
Using Digipass Strong User Authentication with Novell NMAS and iChain

THE AUTHENTICATION COMPANY

Contents

- Contents
- Overview
- Situation Description
- Solution
- Technical Concept
- Topology
- Novell Components Description
- NMAS
- iChain
- VASCO Components Description
- Digipasses
- Databases and Files
- Configuration Parameters
- Configuration of iChain
- Configuration of NMAS
- Configuration of Radius
- Configuration of Web
- Conclusion
- Appendix A: Delta Airlines Access Examples
ccess, Corporate Access, Hard & software tokens.

VASCO's roots are in cryptography. It was the first company in the world to port the DES and RSA algorithms to a chip, and also the first to develop a software product to authenticate and digitally sign e-banking and online brokerage services. Now VASCO secures the enterprise from the mainframe to the Internet with infrastructure solutions that enable secure e-business and e-commerce while protecting sensitive information and safeguarding the identity of users. The company's family of Digipass and VACMAN products offers end-to-end security through strong authentication and digital signature, enterprise Single Sign-On and LAN security, while sharply reducing the time and effort required to deploy and manage security.

Digipass product range

DIGIPASS provides financial institutions and companies with a secure means of customer or employee identification and authentication for remote access to their computer systems and networks. Digipass stands for three ranges.

Digipass Pro

Digipass Pro includes Digipass models for professional use, offering dynamic password and digital signature functionality.

- Digipass Pro 300 is ideally suited for large public banking applications such as telebanking, home banking, PC banking, phone banking and Internet banking, where authentication and e-signatures are key requirements.
- Digipass Pro 550 combines strong authentication, e-signatures and a
(Fig 5, continued: ConsoleOne tree of NWEDA1 server objects, RADIUS_DAP, iChain, iChain_ACR and the Vasco Digipasses container)

As NMAS has VASCO integrated, there is only the need to configure the service and activate it. Configuration of a container for Digipasses is done by creating a new object in Services (Fig 5).

(Figure: Novell ConsoleOne "Create object in Services.DigitalAirlines" dialog in DA_TREE, with the list of object classes)
- Authentication/Authorization over iChain secured
- Appendix B: Local Network Logon
- VASCO Challenge/Response Authentication
- Appendix C: The VASCO VRM & Tokens work with BM/BMAS VPN Services
- VPN Secure Authentication with the Digipass 300 and the Digipass Go with PIN/RESPONSE
- About VASCO Data Security
- General
- Digipass product range
- Digipass Pro
- Digipass GO
- Digipass Desk
- VACMAN product range
ion, while iChain offers the flexibility of connecting over several frameworks without requiring a different form of authentication. VASCO Digipass adds value to this structure by requiring a non-static password. Digipass enables users to create a one-time password (OTP) that safeguards access to e-business and banking applications and to corporate networks. With a combination of information that a user needs to remember and information he gets, like a one-time password, you eliminate the weakest link in any security infrastructure. NMAS has a built-in VASCO Digipass Authentication Module which verifies the OTP before granting access to secured resources.

Technical Concept

Topology Concept

(Figure: iChain/NMAS communications. Labels recovered from the diagram: NMAS LDAP authentication server, Novell Radius Server, Novell Web Server (example: Digital Airlines, www.digitalairlines.com, 10.0.0.1); home PC / client; internal interface (90.0.0.17 / 10.0.0.17 as labelled); 10.0.0.20)

Novell Components Description

NMAS

Novell
(Fig 12: Properties of Olivier, Login Methods: login sequences listed include password, token, biometric, biometric & password, biometric & password & token, biometric & token, password & token and multi-level administrator; "vasco token" is selected)

Fig 12. For each user select the authentication method. Here we select the VASCO token (Fig 12).

Configuration of Radius

Novell
For detailed configuration of Radius within the Novell Radius Service we refer you to http://www.novell.com.

VASCO
In this example we integrated Novell Radius Services. It is also possible to use VASCO Radius Services. For more information on these server products you can contact us at http://www.vasco.com. See appendix C.

Configuration of Web

Novell
For more information regarding configuration or product details we refer to http://www.novell.com.

Other web servers/services
In the current scenario we used the Novell web server. For other web solutions, VASCO has full support on Apache or IIS: http://www.microsoft.com, http://www.apache.org.

Conclusion

iChain and NMAS with VASCO Digipass integration secure access from any location to applications and other resources inside your network, with the luxury of not having to deal with complex infrastructures. As the market has a variet
ken object is created. This object will contain all Digipasses and their functions, in accordance with the initialization sheet. This is also the location where a user will be assigned a Digipass (Fig 7). In order to import tokens, the location of the DPX file and its encryption key need to be provided.

Import DPX files

(Fig 8: Vasco Digipass import wizard: "First type in or select the DPX Import file, then enter the Init Key and click the Next button"; fields DPX File and Init Key)

Fig 8. In order to import tokens, the location of the DPX file and its encryption key need to be provided.

NMAS User VASCO Digipass Management

Assignment of users

In this section we need to configure the type of authentication a user is configured for and the type of services it will use in order to access its resources.

(Figure: ConsoleOne tree, DA_TREE / DigitalAirlines: Airports, Corp, Customers ...)
modern design with integrated hardcover.
- Digipass Pro 600 grants physical access to buildings as well as secure remote network access.
- Digipass Pro 700 offers sophisticated and yet user-friendly strong authentication services with extended digital signature capability.
- Digipass Pro 800 is used by several top-tier banking institutions worldwide and is strongly appreciated by the banks and their clients for securing full access to financial applications on the existing banking network via an existing smart card, in a flexible, easy-to-use and cost-effective way.

Digipass GO

Digipass GO can be used Anywhere, Anyhow and Anytime. It is security that fits in your pocket, clips on your belt, hangs around your neck or on a key ring.

- Digipass GO 1 is the first-born in the GO range. GO 1 is an ultra-portable, smoothly designed token that outsmarts all others and is much safer than any static password.
- Digipass GO 10 is a software Digipass for GSMs, integrated on the SIM card.

Digipass Desk

The Desk range contains highly user-friendly Digipass models to be used on a professional's desk.

- Digipass Desk 300 is a large-scale security device designed for managers and executives. It features remote access and authentication features, and its larger size makes it very suitable for use in the
(Figure: Dial Access Services Configuration dialog: Dial Access Profile, Service Name RADIUS_DAS.Services.DigitalAirlines, Dial Access Attributes, Description)

We finished configuring the RADIUS_DAS Service. Now we need to specify the Radius Protocol, for example Callback. Click Add to configure.

(Figure: Properties of Olivier, Dial Access Services tab, Dial Access System RADIUS_DAS.Services.DigitalAirlines; Dial Access Services Configuration dialog with an object browser listing Airports, Corp, Customers, Partners and Novell NetWare 6 Server)

Once again select Services.

(Figure: Properties of Olivier, Dial Access Services tab)
ost has checked the validity of the dynamic password or signature, he will notify the end user of the correctness or incorrectness of the validity check.

Configuration Parameters

Configuration of iChain

Fig 2. Configuration of IP address for proxying.

(Fig 2: iChain Proxy Services Configuration in Internet Explorer, IP Addresses page: Network Adapter eth0, Subnet 10.0.0.0, Mask 255.255.255.0, Addresses 10.0.0.17; Network Adapter eth1, Subnet 90.0.0.0, Mask 255.255.255.0, Addresses 90.0.0.17)

As access is needed from an external resource to an internal resource, two subnets are configured in order to handle all requests from outside. As in our example with the Delta Airlines site web server 10.0.0.1, two subnets are configured. As the local data or e-business applications reside on the 10.0.0.0 subnet (Fig 3), address translation will enable transparent access.

(Fig 3: iChain Proxy Services Configuration in Internet Explorer)
p is that the tokens are initialized with their unique set of secrets and keys per token. These secrets are stored in an encrypted way on a diskette which is sent to the application owner, e.g. the security department of a bank or the IT manager in a company. These floppies are a way of safely transporting the Digipass secrets to the host computer. The files on the floppy disks will be used to read all the necessary secrets and other data of the Digipasses that were delivered into a database.

(Fig 1b: DPX file protected by Database Key; Database Key; Server Key)

Fig 1b. Once this is done, the application owner will assign those Digipass secrets to their end users. This assignment is done based on the serial number of the Digipass token and the name of the end user. The Digipass token is then shipped to the end user together with a manual and the protected PIN code on a secure PIN mailer. Once the token is received by the end user he can start using it. To use a Digipass you need a connection to the host server computer that knows the secrets of the end user's Digipass token. Every time the user sends a dynamic password or digital signature to the host computer, the computer will get all the necessary information from the database and will check the validity of the password or signature. After the h
(Fig 9: ConsoleOne tree DA_TREE / DigitalAirlines: Airports, Corp, Customers, Partners, Services; users Admin, Edward, Olivier, piet; Security: Authorized Login Methods, Authorized Post Login Methods)

Fig 9 represents the DNS structure where Digital Airlines is the application as well as the container where all users accessing it will be registered and given permissions, levels of access and type of authentication.

(Fig 10: Properties of Olivier, VASCO Digipass page. Details: Last login Sep 18 13:03:36 2002 GMT, Time offset, Logins, Fails, Time Step; buttons Unlock, Reset, Test, Refresh. Token Properties: Digipass DN (serial, APPL1, Vasco Digipasses), App Name APPL1, Auth Mode Response only, Model P300)

By selecting the properties of a newly created user, a Digipass is assigned to that user (Fig 10). To be sure that the Digipass works fine, a test can be done by entering the values presented on the Digipass into the required fields.

Activation

Authentication Method VASCO Dig
s was highly portable and flexible to integrate into any environment and, on top of that, not expensive. In other words, we needed to implement strong security with a maximum of flexibility and a minimal total cost of ownership. We considered security to be a trade-off between security, flexibility, price and ease of use, and therefore developed the Digipass tokens.

What is a Digipass token?

A Digipass token is a handheld device that calculates dynamic passwords, also known as One-Time Passwords (OTP), for the positive authentication of a user on a remote system. It is also able to calculate digital signatures, also known as electronic signatures or Message Authentication Codes (MAC), to protect electronic transactions and guarantee the integrity of the contents of these transactions. The calculation of these OTPs and MACs is based upon the publicly available Data Encryption Standard (DES) algorithm. The DES algorithm has been proven to be strong in numerous fields of application by renowned institutions and industry-leading companies. To provide an even higher level of security, the Triple DES algorithm is supported as well.

Security has three factors:

- What you have: the Digipass token itself
- What you know: the PIN code to activate the Digipass token
- Who you are: biometrics (voice, retina scan, fingerprint, etc.)

Since the biometrics industry today is still in the development stage and products in this area tend to be extremely expensive
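The validation cycle this paper describes (the host looks the token's secrets up by serial number, recomputes the expected value for the token's Auth Mode, whether Response Only, Challenge/Response or Digital Signature, and keeps the Time offset, Logins and Fails counters shown in Fig 10) as an added Python model; it is not VASCO's or Novell's code. The Digipass computation itself is DES-based and not published here, so HMAC-SHA256 from the standard library stands in for it; the digit count, time step, drift window, lockout threshold, serial numbers and secrets are constructed assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Optional

DIGITS = 6           # digits in the displayed dynamic password (assumed)
TIME_STEP = 36       # seconds per step; the "Time Step" field of Fig 10 (value assumed)
WINDOW = 3           # steps of clock drift the host tolerates either way (assumed policy)
MAX_FAILS = 5        # consecutive failures before the token is locked (assumed policy)
NOW = 1_032_354_216  # 2002-09-18 13:03:36 GMT, the "Last login" shown in Fig 10


def _prf(secret: bytes, data: bytes) -> str:
    """Stand-in for the token's keyed DES computation, truncated to DIGITS digits."""
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


# What the handheld token computes: it knows only its own secret and its own clock.
def token_otp(secret: bytes, device_time: int) -> str:
    """Response Only mode: a time-based one-time password."""
    return _prf(secret, b"OTP" + (device_time // TIME_STEP).to_bytes(8, "big"))


def token_response(secret: bytes, challenge: str) -> str:
    """Challenge/Response mode: the user keys the host's challenge into the token."""
    return _prf(secret, b"CR" + challenge.encode())


def token_signature(secret: bytes, *fields: str) -> str:
    """Digital Signature mode: a MAC over the transaction fields the user keys in."""
    return _prf(secret, b"SIG" + "|".join(fields).encode())


@dataclass
class TokenRecord:
    """What the host keeps per token after the DPX import (Fig 1b, Fig 10)."""
    serial: str
    secret: bytes
    auth_mode: str                           # response_only | challenge_response | signature
    time_offset: int = 0                     # learned drift of the token clock, in steps
    last_step: int = -1                      # last accepted step: no OTP is accepted twice
    pending_challenge: Optional[str] = None  # challenge issued and not yet answered
    logins: int = 0
    fails: int = 0
    locked: bool = False


def new_challenge(rec: TokenRecord) -> str:
    """Host issues an unpredictable, single-use challenge (Challenge/Response mode)."""
    rec.pending_challenge = str(secrets.randbelow(10**8)).zfill(8)
    return rec.pending_challenge


def _outcome(rec: TokenRecord, ok: bool) -> bool:
    """Update the Logins/Fails counters and lock the token after MAX_FAILS failures."""
    if ok:
        rec.logins, rec.fails = rec.logins + 1, 0
    else:
        rec.fails += 1
        rec.locked = rec.fails >= MAX_FAILS
    return ok


def host_verify(rec: TokenRecord, value: str, now: int = NOW, fields=()) -> bool:
    """Check a dynamic password or signature the way the host does in Fig 1b."""
    if rec.locked:
        return False
    if rec.auth_mode == "response_only":
        base = now // TIME_STEP + rec.time_offset
        for drift in range(-WINDOW, WINDOW + 1):
            step = base + drift
            expected = _prf(rec.secret, b"OTP" + step.to_bytes(8, "big"))
            if step > rec.last_step and hmac.compare_digest(expected, value):
                rec.last_step = step
                rec.time_offset += drift  # resynchronise: the "Time offset" of Fig 10
                return _outcome(rec, True)
        return _outcome(rec, False)
    if rec.auth_mode == "challenge_response":
        challenge, rec.pending_challenge = rec.pending_challenge, None  # single use
        ok = challenge is not None and hmac.compare_digest(token_response(rec.secret, challenge), value)
        return _outcome(rec, ok)
    if rec.auth_mode == "signature":
        return _outcome(rec, hmac.compare_digest(token_signature(rec.secret, *fields), value))
    raise ValueError(f"unknown Auth Mode {rec.auth_mode!r}")


def demo() -> dict:
    """Constructed walk-through: one token per mode, with drift, replay and lockout."""
    ro = TokenRecord("0092000003", b"constructed-secret-3", "response_only")
    cr = TokenRecord("0092000004", b"constructed-secret-4", "challenge_response")
    sg = TokenRecord("0092000005", b"constructed-secret-5", "signature")
    otp = token_otp(ro.secret, NOW + 2 * TIME_STEP)        # token clock runs 2 steps fast
    r = {"otp_ok": host_verify(ro, otp), "offset_learned": ro.time_offset}
    r["replay_rejected"] = not host_verify(ro, otp)        # the same OTP sent again
    for _ in range(MAX_FAILS):                             # wrong OTPs until locked
        host_verify(ro, "000000")
    r["locked"] = ro.locked
    chal = new_challenge(cr)
    r["cr_ok"] = host_verify(cr, token_response(cr.secret, chal))
    r["cr_reuse_rejected"] = not host_verify(cr, token_response(cr.secret, chal))
    tx = ("BE12 3456 7890", "1000.00")                     # constructed account, amount
    r["sig_ok"] = host_verify(sg, token_signature(sg.secret, *tx), fields=tx)
    r["sig_tampered"] = host_verify(sg, token_signature(sg.secret, *tx),
                                    fields=("BE12 3456 7890", "9000.00"))
    return r
```

Running `demo()` shows the host accepting a drifted OTP and learning the offset, refusing the replayed OTP and the reused challenge, locking the token after repeated failures, and rejecting a signature whose amount was altered after signing.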
(Figure: Internet Explorer Security Alert: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The security certificate matches the name of the page you are trying to view. Do you want to proceed?" Connecting to site 90.0.0.17)

(Figure: iChain Login page in Internet Explorer: "Novell iChain Proxy Services. Please log in. Enter your RADIUS username and password." Username, Password, Destination https://www.digitalairlines.com, Login, Reset. Copyright 1999-2001 Novell Inc.)

Appendix B: Local Network Logon

VASCO Challenge/Response Authentication

Novell NMAS will present you the VASCO challenge, which needs to be entered into the token in order to obtain the correct response to enter into the "Enter password" field.

(Figure: Novell Login v4, Novell Client for Windows)
[Screenshot: Dial Access Services page: Dial Access Control (Disable / Enable / Use container setting); Dial Access System: RADIUS_DAS (Services, DigitalAirlines); Configured Services: Dial Access Profile RADIUS_DAP (Services, DigitalAirlines); Service Name: RADIUS_DAP; Dial Access Attributes.]

Select RADIUS_DAP and click OK. You can rename it to Radius Dial Access Protocol.

Description: when no method is specified, adds default. Example: Radius Dial Access Protocol DEFAULT.

NMAS VASCO Digipass import: Configure VASCO Digipass container

[Fig 5: Novell ConsoleOne showing the DigitalAirlines tree (Airports, Corp and Customers containers, Novell NetWare 6 server, user, volume and pool objects, WebAccess, DNSDHCP group, SMS SMDR group, Backup Queue, RADIUS_DAS, ADMIN).]
Configuration of NMAS

NMAS System Settings

In this section we need to configure the type of services to be used in order to access its resources. The services are user-related. Configuring Radius access is done in two steps:
1. Add the Radius Dial Access Service
2. Add the Radius Dial Access Protocol

Here we can provide attributes or we can just use the default setting. In this case default settings are used.

[Fig 4a: Properties of Olivier Temporary, Dial Access Services tab (Login Sequence, Remote Connections, Security, Login Methods, General): Dial Access Control (Disable / Enable / Use container setting), Dial Access System, Configured Services.] Enable Dial Access Control.

In order to use Radius we need to specify Radius Dial Access

[Screenshot: Properties of Olivier Temporary, Dial Access Services tab with Dial Access Control set to Enable and the Dial Access System object browser open on the DigitalAirlines tree (Airports, Corp).]
[Fig 3: Novell iChain Proxy Services (Microsoft Internet Explorer), Web Server Accelerator page: accelerator "digipass" enabled, Web server 10.0.0.1, Accelerator IP 10.0.0.17; other pages: Authentication, Access Control, FTP, Management, Tuning, Network, Configure, Monitoring.]

Radius will be the protocol used for authentication; as such, a Radius profile needs to be configured (Fig 3a, 3b).

[Fig 3a: Authentication profile name: radius. Options: Background SSL mutual authentication (Client CA should be the same as the server); LDAP authentication (Prompt for username/password over SSL); RADIUS authentication (Prompt for username/password over SSL).] Select Authentication, then select RADIUS authentication.

[Fig 3b: RADIUS Options: RADIUS server address 10.0.0.4; RADIUS server listening port 1645; RADIUS shared secret novell; RADIUS server reply time in seconds; RADIUS re-send time in seconds.] Configure the IP address of the Radius server.
y in types of companies the same way their applications or services will need to look and feel like. VASCO invented Digipasses and other systems to meet these demands: AnyWhere, AnyTime, AnyPlace.

Appendix A: Delta Airlines Access Examples

Authentication/Authorization over iChain (secured)

[Screenshot: Microsoft Internet Explorer at https://www.digitalairlines.com, Security Alert: "You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the Web." Redirecting to the digitalairlines.com site.]

[Screenshot: Microsoft Internet Explorer at https://www.digitalairlines.com, Security Alert: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate." The