By Garret Grajek, CISSP
COO, MultiFactor Corp.
A Deployable X.509 Authentication Solution for Networks and Web Applications
MultiFactor SecureAuth offers the enterprise the unique ability to utilize strong X.509 authentication without costly overhead.
The value of X.509 private/public key authentication is well known to security professionals, but it can be less intuitive to the security novice. In simple terms the X.509 authentication provides an algorithmically proven method for end-users (clients) to confirm that they are communicating with legitimate servers and not attacker sites (See Figure 1). The recent DNS flaw Dan Kaminsky, a well respected security industry expert, made known to the IT world via bug fixes by Cisco, Microsoft and others, makes this type of “left hand side” or client authentication more relevant than ever.
Figure 1 - Clients are vulnerable to attacks that lure them to illegitimate sites instead of the target (destination) site.
An X.509 v3 public/private key pair allows an enterprise to utilize “bi-lateral” (client <-> server) authentication. In this matter, the client confirms the legitimacy of the server, before passing important credentials e.g. account password or transactions like asignature or financial activity. It is exactly this type of bi-lateral authentication that nullifies DNS attacks like the one recently reported.
So why are more enterprises not utilizing X.509 authentication?
(2) Main reasons:
Security personnel have been aware of X.509 bi-lateral authentication since the 90’s. However, cost has prohibited its widespread use (See Figure 2).
Key costs include:
- Hosting a Certificate Authority
- Tracking both the served and revoked certificates
SecureAuth® eliminates the high-cost and complexities of managing X.509 certificates via a “Virtual Certificate Authority”
- Removes the cost of deploying certificate servers
- Removes the cost of tracking deployed/revoking certificates
- Removes the cost of out-of-band (SMS, Telephony) registration systems
- Removes the cost of converting current web servers to C-SSL authentication
SecureAuth® uniquely utilizes a “drop-in” authentication server ,a virtual machine or hardware server, that becomes a trusted resource which is able to:
- Connect to MultiFactor’s hosted C.A., SMS servers, and telephony servers
- Serve up private/public key pairs unique to an enterprise
- Create/install Trusted Root Pairs that map directly to your enterprise
A key to SecureAuth is its ability to utilize the enterprise native data store, allowing it to avoid a costly and insecure replication of data. SecureAuth’s authentication server connects directly to the enterprise's existing data store to create X.509 certificates that map directly to data in the local store (See Figure 3).
Figure 3- The SecureAuth “Authentication Appliance” solution alleviates the cost and complexity of X.509 authentication. (Click to enlarge)
For the enterprise the addition of the SecureAuth authentication component is key. The deploying enterprise configures its web application to trust SecureAuth authentication via .NET Forms for Microsoft authentication, or SAML assertions for non-Microsoft applications. The SecureAuth appliance is factory-configured to securely utilize the MultiFactor hosted certificate, SMS and Telephony services.
The Enterprise is delivered a unique identifier that allows them to securely utilize MultiFactor’s hosted web services. In addition, certificates granted from the web services are embedded with identifiers that are uniquely registered to that enterprise. The identifier is stored in the end-user’s private certificate, in the “OU” field (See Figure 4).
Figure 4- The enterprises is assigned a unique OU that is utilized in both certificate delivery and validation, only enterprise-unique certificates are validated.
This unique ability to issue and validate certificates for an enterprise, without the enterprise ever hosting a certificate server, makes SecureAuth® powerful. SecureAuth® can be deployed in a days which makes it a deployment-must for the enterprise needing a secure solution for their application and network needs.--
Garret Grajek is the COO and a co-founder of MultiFactor Corporation. He is a certified security engineer who has deployed 100s of security solutions while working for RSA, IBM, Cisco and others.