July 2001
WebFort
by Geoff Marshall
FOR
WebFort is easy to implement and requires no hardware tokens or readers.
AGAINST
ArcotID attempts to provide two-factor authentication but does not provide the full security of a cryptographic smartcard, in that software is inherently easier to copy (the ArcotID is a software token).
VERDICT
Arcot's WebFort is the closest you can get to securing your private key in software without having to move to an expensive hardware implementation.

With WebFort, Arcot provides a mechanism for authenticating to any web-based system, which can be a B2B extranet, a portal or a financial system, using an approach that is virtually as secure as a hardware token-based (for example, smartcard) system, yet is entirely software based and therefore more cost effective.

Arcot has patented the underlying technology, which it calls Cryptographic Camouflage. This addresses the problem of securely encrypting private keys for storage using software. The alternative would be the much more expensive tamper-proof hardware token, such as a smartcard.

The problem with encrypting private keys for storage on disk, for example, is that it is not that difficult to mount an exhaustive key search attack. You might imagine that private keys would be random binary numbers so that there would be no way to test whether each guess at the PIN protecting the private key had resulted in a valid private key. However, private keys have a very specific structure. They are always odd numbers that are not divisible by small primes, so it would be quite easy to test whether you had hit on a valid-looking private key.

What Arcot has done with its Cryptographic Camouflage technology is to develop a special encryption algorithm that, on decryption, frequently returns something that looks like a valid private key, even if the wrong PIN has been entered. Thus Cryptographic Camouflage generates what seems like a plausible private key in response to a wrong PIN. The hacker thinks he has struck lucky but when he tries the fake key, he is barred.

This means that if an attacker actually manages to steal an ID, stored for example on a floppy disk, they may try to hack this ID by trying every possible PIN or password. However, the ArcotID is too clever and the attacker ends up with too many right answers!

It would be obvious to the hacker what was happening if every wrong PIN delivered a valid-looking private key, so to avoid giving the game away, in the case where WebFort has been designed to work with six-digit PINs, it will return a valid-looking private key one percent of the time when a random PIN is entered. So, with 1,000,000 possible PINs an exhaustive key search will result in 10,000 valid-looking private keys. Most hackers would use the first that looked valid and look no further.

Rather than using a complex mechanism to alert users that they have entered an incorrect password or PIN, the Arcot WebFort system lulls attackers into a false sense of success. They may think that they have cracked the private key by entering multiple PINs and viewing the results. However, if they try to use the fake private key that they have found, the system detects the incorrect code, rejects their login and suspends the ID they have tried to use.
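The argument of the last few paragraphs can be modelled in a few dozen lines. The following is an added example, not Arcot's code and not the actual Cryptographic Camouflage algorithm: it builds a constructed toy RSA key and a 4-digit PIN space, then contrasts a naive scheme (the whole key record encrypted under the PIN, so a wrong PIN is recognisable offline because the decrypted p and q no longer multiply to the public modulus) with a camouflage-style scheme (only the exponent is stored, masked so that every PIN decrypts to an odd integer below the modulus, leaving the structural filter thousands of plausible candidates). It ends with a server that is the only place a candidate can be tested and that suspends the ID after a few failures. The `AuthServer` class, its three-failure threshold, the SHA-256 masking, the PIN `4931` and the assumption that the verifying public key is held only by the server are all choices of this example.

```python
"""Toy model of PIN-protected private-key storage (added illustration, not
Arcot's algorithm).  All parameters below are constructed for the example."""
from __future__ import annotations
import hashlib

# Constructed toy RSA key pair; far too small for real use.
P, Q = 1009, 1013
N = P * Q                      # 1022117, fits in 20 bits
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)            # private exponent (Python 3.8+ modular inverse)

PIN_DIGITS = 4                 # 10,000 PINs here; the article discusses six digits
TRUE_PIN = "4931"              # constructed user PIN
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def all_pins() -> list[str]:
    return [f"{i:0{PIN_DIGITS}d}" for i in range(10 ** PIN_DIGITS)]


def keystream(pin: str, label: bytes, nbits: int) -> int:
    """PIN-derived mask; SHA-256 stands in for a proper slow KDF."""
    digest = hashlib.sha256(label + pin.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << nbits) - 1)


def looks_like_private_exponent(d: int, n: int) -> bool:
    """The offline filter the article describes: a private exponent is odd,
    smaller than the modulus and not divisible by small primes."""
    return 1 < d < n and d % 2 == 1 and all(d % p for p in SMALL_PRIMES)


# --- Scheme 1 (naive): the whole key record (d, p, q) is encrypted under the PIN.
def naive_store(pin: str) -> int:
    record = (D << 40) | (P << 20) | Q          # three 20-bit fields
    return record ^ keystream(pin, b"naive", 60)


def naive_open(blob: int, pin: str) -> tuple[int, int, int]:
    record = blob ^ keystream(pin, b"naive", 60)
    return record >> 40, (record >> 20) & 0xFFFFF, record & 0xFFFFF


def naive_consistent_pins(blob: int) -> list[str]:
    """A wrong PIN scrambles p and q, so p*q no longer equals the public modulus:
    the key file itself tells an offline attacker which guess was right."""
    hits = []
    for pin in all_pins():
        d, p, q = naive_open(blob, pin)
        if p * q == N and looks_like_private_exponent(d, N):
            hits.append(pin)
    return hits


# --- Scheme 2 (camouflage-style): only the exponent is stored, masked so that
#     every PIN decrypts to a well-formed odd integer below the modulus.
HALF = (N - 1) // 2            # odd values 1, 3, ..., N-2 <-> indices 0 .. HALF-1


def camouflage_store(pin: str) -> int:
    return ((D - 1) // 2 + keystream(pin, b"camo", 64)) % HALF


def camouflage_open(blob: int, pin: str) -> int:
    return 2 * ((blob - keystream(pin, b"camo", 64)) % HALF) + 1


def camouflage_candidates(blob: int) -> dict[str, int]:
    """Every PIN yields a plausible exponent; the structural filter thins the
    crowd but cannot single out the right one without talking to the server."""
    cands = {}
    for pin in all_pins():
        d = camouflage_open(blob, pin)
        if looks_like_private_exponent(d, N):
            cands[pin] = d
    return cands


class AuthServer:
    """Only the server can test a candidate: it holds the public key (assumed not
    to be published in this model) and suspends an ID after repeated failed
    challenge-responses (the threshold is this example's choice)."""

    def __init__(self, e: int, n: int, max_failures: int = 3):
        self.e, self.n, self.max_failures = e, n, max_failures
        self.failures: dict[str, int] = {}
        self.suspended: set[str] = set()

    def login(self, user: str, candidate_d: int) -> str:
        if user in self.suspended:
            return "suspended"
        seed = f"{user}:{self.failures.get(user, 0)}".encode()
        challenge = int.from_bytes(hashlib.sha256(seed).digest(), "big") % self.n
        response = pow(challenge, candidate_d, self.n)      # client signs challenge
        if pow(response, self.e, self.n) == challenge:      # server verifies
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.suspended.add(user)
            return "suspended"
        return "rejected"


if __name__ == "__main__":
    print("naive scheme, PINs consistent offline:", naive_consistent_pins(naive_store(TRUE_PIN)))
    cands = camouflage_candidates(camouflage_store(TRUE_PIN))
    print(f"camouflage scheme, plausible candidates: {len(cands)} of {10 ** PIN_DIGITS}")
    server = AuthServer(E, N)
    for pin in list(cands)[:4]:              # only a handful of online tries are possible
        print(pin, server.login("alice", cands[pin]))
```

In this toy the camouflage scheme leaves roughly a quarter of all PINs looking plausible (whatever the small-prime filter happens to pass), whereas the article states that WebFort tunes the rate to about one percent; the point the model makes is the same either way: the naive key file resolves the search offline to a single PIN, while the camouflaged file forces every candidate through the server, where a failure counter and suspension end the attempt.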

The WebFort system is also independent of PC or device. This means that a user can be authenticated from any PC, PDA or mobile phone. This is because the ArcotID has a very small footprint of approximately 2Kb - much smaller than the equivalent hardware or device drivers needed to provide a similar level of protection. The ArcotID is a secure software container that offers the tamper resistance of a smartcard, but with the cost and administrative advantages of a software solution.

One advantage over other systems is that WebFort supports roaming users because of these minimal requirements. Traditionally digital certificates and smartcards tie users to a device, whereas the Arcot system enables users to authenticate from any system convenient to them.

The software is not only limited to authentication but can also be used for non-repudiation, meaning that users can digitally sign emails and transactions because it is certificate based. Adding this capability to a web site is fairly straightforward, requiring only the addition of a few lines of JavaScript to request the client to sign the transaction. If a user doesn't have the client installed when it is required, the WebFort server can be configured to download the required plug-ins to the installed browser automatically.

Although the system is PKI based, the PKI implementation is completely transparent and requires no prior knowledge or experience of PKI to install. To users it is as easy as security based on username and password. Alternatively, a custom interface that resembles a bank ATM can be presented to the user.

Arcot WebFort is based on common PKI standards so you'll need a certificate authority (CA) to issue users' credentials. If you haven't standardized on a CA yet then one is provided in the box based on the OpenSSL software. Installation of the Arcot server software, the CA and the database required to track IDs was straightforward once Windows NT had been patched to the required service pack (SP4). The server software can also run on Sun Solaris. The clients can be running any operating system that supports a browser - so this includes Windows, Mac, Linux, UNIX, PocketPC and PDAs.

The system is quick to install and manage. While the install interface is intuitive, a thorough read of the manual is recommended to understand the setup. Users can be added individually through a browser interface or via a bulk load option if you have large numbers of users to deploy. Exports from databases may be used and, once formatted into standard text, can add hundreds of users in a short space of time, complete with either server- or client-side private-key generation. Some organizations may insist on the latter option to ensure that non-repudiation can be enforced, but this will depend on your own particular digital signature policy.

Arcot's WebFort is the closest you can get to securing your private key in software without having to move to an expensive hardware implementation. The software solution provides the same level of authentication as traditional two-factor authentication but falls short in that it can be copied more easily. In that respect it is as secure as a bank card with a magnetic stripe (which is also easily copied) and a PIN. However, most hardware tokens, such as smartcards and USB tokens, cannot be copied easily, and so are potentially more secure, albeit at a much higher cost. Dependent on volume, the cost of WebFort can work out to as little as $5 per user per year.
Contact Information:
  
WebFort

North America
Supplier: Arcot Systems, Inc
Price: $5-$20, depending on volume
Contact: (408) 969-6100
sales@arcot.com
www.arcot.com

UK/Europe
Supplier: Arcot International
Price: $5-$20, depending on volume
Contact: +44 (0)1 753 708814
contact@arcot-international.com
www.arcot-international.com
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.