23 Apr 2011

TRUST no one, including the browser

digital-mind

Bypass the browser. You cannot trust it. This is the advice of a SaaS-based cloud authentication service, which claims it can make your existing login (or OpenID) process 10 times stronger and more secure using multi-factor authentication. Plus, it's fully PCI-DSS compliant.

PalmTree Technologies offers a cloud authentication ‘mashup’ service called LiveEnsure which allows developers to call a remote API in real time and authenticate a user using multiple identity factors, including the device, site, session (and user).

This transaction is secured outside the browser in what it calls the ‘smart channel’ using a patent-pending process called Digimetrics.

“This is a breakthrough in authentication algorithms where multiple identity factors are synthesized versus serialized to construct a unique but anonymous one-time identity signature (OTIS),” said PalmTree.

“This signature is unique each time it is computed, but always verifiable. The authentication possibilities are as endless as they are unique to each user. When synthesized, they are unbreakable and unmistakable and the risks of prediction, replay and illicit use are eliminated. This is not lightweight javascript fingerprinting, this is real, strong multi-factor authentication.”

The service is built on the Java platform, and PalmTree states that:

• No private data recorded or transmitted
• Nothing shared or federated
• Nothing to remember or recognize
• Nothing to carry or download

The service API works with any server language and can be integrated into popular platforms such as Drupal, Joomla, WordPress and SharePoint, since no client-side software, cookies or tokens are required.

They were recent finalists in the Global Security Challenge, eventually won by CloudSwitch, a company we have covered before in this blog.

We contacted Christian Hessler, CTO, for more information about this technology, which is currently being deployed by various Mobile Wallet solutions, including PayToo Mobile, which has just launched in 35k+ stores in the U.S.

He gave us some great feedback. Here is the unabridged Q & A:


Q & A with Christian Hessler, LiveEnsure CTO

From your perspective, what does CloudSwitch do better than you that allowed it to win the Global Security Challenge in 2010? They appear to be more of a cloud appliance vendor which offers bridges between on-premise data centers and publicly provisioned clouds. Are they a competitor?

No, Cloudswitch is not a competitor. It was a completely different product, in the same general category of "cloud security". They deal with virtual machines and encryption, etc.

Your site states the Digimetrics technology is patent-pending in 150 countries. When will these patents pass, approximately? Any further updates on this?

Patents are always pending. We are focusing on areas where we do the most business (for cost reasons) and have some new patents being filed this year. The PCT process is long and expensive, as I am sure you know - so stay tuned.

Besides your Digimetrics technology could you explain how you have set up your Data Centers? For instance, do you run any virtualization software in-house which helps drive the SmartAgent process? Do you consume public clouds from Amazon? I am curious as to how you have set up your physical infrastructure including servers, load balancers, firewalls etc.

We are using Amazon's EC2 cloud to deploy in the US and EU at the moment. The infrastructure architecture is proprietary, but it is a fully load balanced, monitored, redundant and HA design. Our model utilizes a Google-like in-memory model for speed, performance and resilience.

Are you in any way participating in the OATH initiative? If not, why not?

Yes, we are an OATH member. We stay in frequent contact with this group to keep our products aligned with their objectives. We are also affiliated with OWASP and several other groups/initiatives, both open and vendor-based.

From what I can make out, the smart channel signature is disposable and no customer data is stored on your servers once the pass or fail signal is provided. Is this correct? Do you keep zero record of the details of the transaction once the user has been authenticated (or denied)?

No, we keep a record of history by session ID, which is a reference to a particular session where a user/device/site and session were authenticated in the context of a Digimetric™ signature. Consumers (our customers) have secure access to their authentication history by session token - which THEY must associate to actual user accounts (we don't keep that data for privacy reasons). We also keep the "impulse response" of the user device in our database after each user registration (unconnected to the real user account in any way - which we don't store) so that when the real user/site/device and session come together, they can be mutually authenticated. Each member of the model (user, site, us) has 1/3 of the puzzle - which is a theoretical advancement beyond traditional 50/50 shared-secret authentication, and the basis for Digimetrics™. Only when all components are in place does authentication commence. Possessing 1/3 or 2/3 of the elements will never be enough to reproduce the whole.

When will BuyEnsure and iPadEnsure be released (your e-commerce products)? Why is it necessary to market these products separately from your core SmartChannel angle? Is this simply a clever marketing angle?

No, it's not a clever marketing angle. The iPhone and iPad versions are available now - and are the core LiveEnsure™ libraries for embedding in apps which obviously cannot dynamically "launch" active content, as you can on the desktop (i.e. Java, ActiveX, etc). All other mobile functionality is server side, as it is on the full agent. We also have J2ME (java) and native libraries for creating your own mobile agent. We are releasing Microsoft-specific agents (Windows7, Sharepoint, RD Gateway) and Android later in 2011.

You appear to have a couple of competitors in this space, including One Login and Arcot. One-login, for instance, offers a Yubico USB key. I realize your site specifically highlights the benefits of being a true cloud solution with no possibility of stolen dongles etc., but could you highlight your stance towards your closest competitors?

See the website for key points of differentiation (specifically the movies) from our competitors. Most of those competitors are actually not true authentication; they are simply OpenID/SAML wrappers for SSO. In addition to offering strong 2FA authentication in a utility/mashup package, we are true SaaS Authentication (i.e. nothing downloaded/seeded or embedded on the device like a cookie or hidden binary upon registration), we do NOT rely on the browser/javascript/cookies for fingerprinting (weak) and we do NOT require the user to remember, recall, or carry anything additionally with them (like a physical Yubico USB key) to authenticate. From the recent RSA debacle, you can see the risk, folly and expense of relying upon physical devices - especially ones relying on a particular interface like USB - for large-scale user authentication. We mutually authenticate user/site/device and session, in real-time, across all devices and contexts (not platform specific) and our Digimetric™ process takes "choice" out of the authentication process for both the user and the site (i.e. serialized credential trust or relying on the user to visually trust something).

All of our processing is 100% bespoke and disposable, leaving nothing to reuse or predict on either side. We consider the site/app and the user as peers - i.e. they are of the same trust level for mutual authentication. This eliminates the common imbalance of too much information on the site side and too little on the user. LiveEnsure™ synthesizes multiple factors (can be more than 2, as in 2FA) into a one-time identity signature that is used to validate the authentication "context" of user, site, device and session. We also support any and all 3rd party factors (like existing tokens, passwords, keys, PIN#s, OTPs, etc) in the Digimetric™ mix.

The secure communication happens "outside the browser or app" communication channel, in a separate, triangulated path called the SmartChannel™ that does not rely on the browser cookie, SSL key or socket. The channel steps outside the browser and communicates directly with the LiveEnsure™ cloud, thus avoiding trojans, men in the middle and men in the browser. This "air gapped" model allows the cloud to see things from the user's and the site's perspective, guaranteeing validity from both perspectives. In addition, unlike traditional approaches, LiveEnsure™ never sends "key-value" pairs (or questions/answers) together over the same channel, let alone the main web channel. The LiveEnsure™ agent and cloud privately and simultaneously compute the Digimetric™ signature, and the only thing that goes over the smart channel is whether these disposable (one-time) signatures match. Nothing to capture, nothing to reuse or predict.

Finally, LiveEnsure™ is provided as a genuine cloud application (not a traditional application you plug into a cloud app) with no cookies, no tokens, no SMS and no software to download or deploy. It is integrated through a code mashup vs. a heavyweight server/database/client-side project, yet does not rely on the browser/javascript to accomplish its goals. Finally, it's purchased on a utility basis - pay as you go or monthly, with no seat licenses, no contracts and no hidden costs. Simply consume security as a utility - pay for what one uses, which is the most efficient way to deliver and consume authentication security.
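The answers above describe a model in which the agent and the cloud each recompute a one-time, nonce-bound signature from separately held parts, only a match/no-match result crosses the side channel, and the cloud keeps history by opaque session ID rather than by account. The following is an added illustration of that model written for this post; it is not LiveEnsure's own code or algorithm, and the shares, ids (`dev-1`, `site-1`) and the `partial`/`synthesize` construction are constructed assumptions. It shows why a captured signature cannot be replayed into a new session and why holding only some of the parts does not reproduce the whole.

```python
import hashlib
import hmac
import secrets

# Constructed shares for illustration; in the interview's model the device-side value
# is recorded at registration and the site value belongs to the customer site.
DEVICE_SHARE = hashlib.sha256(b"constructed device impulse response").digest()
SITE_SHARE = hashlib.sha256(b"constructed site secret").digest()


def partial(share: bytes, session_nonce: bytes) -> bytes:
    """Each party derives a per-session contribution from its own share only."""
    return hmac.new(share, session_nonce, hashlib.sha256).digest()


def synthesize(device_part: bytes, site_part: bytes, session_nonce: bytes) -> bytes:
    """One-time identity signature over all contributions and the fresh nonce.
    Any missing or wrong input changes the whole output."""
    return hashlib.sha256(device_part + site_part + session_nonce).digest()


class Cloud:
    """Holds registration records under opaque ids and a history keyed by session id
    (outcome only, no account data), as the interview describes."""

    def __init__(self, devices: dict, sites: dict):
        self.devices, self.sites, self.history = devices, sites, []

    def verify(self, session_id: str, device_id: str, site_id: str,
               nonce: bytes, presented: bytes) -> bool:
        expected = synthesize(partial(self.devices[device_id], nonce),
                              partial(self.sites[site_id], nonce), nonce)
        ok = hmac.compare_digest(expected, presented)  # constant-time match
        self.history.append((session_id, ok))
        return ok  # the only value returned over the side channel: match or not


def demo():
    cloud = Cloud({"dev-1": DEVICE_SHARE}, {"site-1": SITE_SHARE})
    n1 = secrets.token_bytes(16)
    sig1 = synthesize(partial(DEVICE_SHARE, n1), partial(SITE_SHARE, n1), n1)
    fresh = cloud.verify("s1", "dev-1", "site-1", n1, sig1)
    n2 = secrets.token_bytes(16)  # new session, new nonce
    replay = cloud.verify("s2", "dev-1", "site-1", n2, sig1)  # captured signature reused
    forged = synthesize(partial(b"guessed device share", n2), partial(SITE_SHARE, n2), n2)
    two_thirds = cloud.verify("s3", "dev-1", "site-1", n2, forged)  # site share + nonce only
    return fresh, replay, two_thirds, [sid for sid, _ in cloud.history]
```

`demo()` returns `(True, False, False, ['s1', 's2', 's3'])`: only the fresh, fully assembled signature verifies, and the cloud's history carries session ids and outcomes but no account identity.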
