7.1 How SecureLogin Uses Smart Cards

The following sections describe how SecureLogin uses smart cards.

7.1.1 Storing SSO Credentials

SecureLogin uses a store-and-forward approach to SSO credentials: it records user IDs and passwords in a credential store and replays them to applications at login. It is likely that many, if not all, of an individual user's passwords will be held in this store, so the security of the SecureLogin credential store is extremely important.

When a smart card is used in conjunction with SecureLogin, a number of optional features become available that increase security. Some of them are:

  • Using the smart card to encrypt SecureLogin data
  • Storing SSO credentials, such as application user names and passwords, on the smart card
  • Tying SSO availability to the smart card, so that only users who log in with a smart card are able to start and administer SSO

SecureLogin uses a two-tier encryption process to secure users' sensitive credentials and information. All user passwords are first encrypted using the user key; all user data, including the already encrypted password fields, is then encrypted using the master key.

The result is two-tier encryption: password values are encrypted twice, once with the user key and once with the master key, while all other data is encrypted once, with the master key only.
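The layering described above, as an added illustration that is not SecureLogin's own code: the Go program below (standard library only) seals each password under a user key with AES-256-GCM, then seals the whole serialized record under a master key. The cipher, the JSON record layout, the 32-byte key size and the field names are assumptions made for the example; the page does not describe SecureLogin's actual on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// seal encrypts plaintext with AES-256-GCM under key and prepends the random
// nonce, so each stored value is independently decryptable and tamper-evident.
// (AES-GCM is an assumption for this example, not SecureLogin's documented cipher.)
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails on a wrong key or on any modification.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Credential is one SSO entry: an application, its user name and its password.
type Credential struct {
	App, Username, Password string
}

// SealedRecord is what the vault holds for one entry. Password is already
// encrypted under the user key; the whole record is then encrypted under the
// master key, so the password ends up under both keys and the rest under one.
type SealedRecord struct {
	App      string `json:"app"`
	Username string `json:"username"`
	Password []byte `json:"password"`
}

// EncryptCredential applies the two tiers: user key on the password field,
// then master key on the entire serialized record.
func EncryptCredential(userKey, masterKey []byte, c Credential) ([]byte, error) {
	inner, err := seal(userKey, []byte(c.Password)) // tier 1
	if err != nil {
		return nil, err
	}
	record, err := json.Marshal(SealedRecord{App: c.App, Username: c.Username, Password: inner})
	if err != nil {
		return nil, err
	}
	return seal(masterKey, record) // tier 2
}

// OpenRecord removes only the master-key layer. It shows what the master key
// alone reveals: application and user name, but a still-encrypted password.
func OpenRecord(masterKey, blob []byte) (SealedRecord, error) {
	var rec SealedRecord
	plain, err := unseal(masterKey, blob)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

// DecryptCredential removes both layers and returns the usable credential.
func DecryptCredential(userKey, masterKey, blob []byte) (Credential, error) {
	rec, err := OpenRecord(masterKey, blob)
	if err != nil {
		return Credential{}, err
	}
	pw, err := unseal(userKey, rec.Password)
	if err != nil {
		return Credential{}, err
	}
	return Credential{App: rec.App, Username: rec.Username, Password: string(pw)}, nil
}

func main() {
	userKey, masterKey := make([]byte, 32), make([]byte, 32) // constructed keys for the demo
	rand.Read(userKey)
	rand.Read(masterKey)
	blob, _ := EncryptCredential(userKey, masterKey, Credential{App: "payroll", Username: "jsmith", Password: "s3cret"})
	rec, _ := OpenRecord(masterKey, blob)
	fmt.Printf("master key only: app=%s user=%s password=%x (still sealed)\n", rec.App, rec.Username, rec.Password)
	cred, _ := DecryptCredential(userKey, masterKey, blob)
	fmt.Printf("both keys: %+v\n", cred)
}
```

OpenRecord is the part worth studying: whoever holds only the master key learns which applications and accounts a user has but not the passwords, and whoever holds only the user key learns nothing, because the outer layer never opens. That asymmetry is the reason the smart-card option, which keeps the decrypting key on a PIN-protected card instead of on the workstation, adds real protection.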

Using SecureLogin in conjunction with a smart card provides an additional level of security, because the key used to decrypt the data is stored on the smart card rather than on the workstation, and authentication becomes two-factor: the smart card (something the user has) and its PIN (something the user knows). If you select the option Use smart card to encrypt SSO data, users must insert their smart card and enter their PIN before SecureLogin will load.

7.1.2 Authentication Methods

The following sections explain the strong authentication methods used in SecureLogin.

Advanced Authentication

The SecureLogin AAVerify command can be used to enforce strong authentication on applications and functions that are unable to do so natively. Use the command in conjunction with SecureLogin Advanced Authentication or Novell Modular Authentication Services (NMAS™) to require a smart card before a user can log in to an application.

For more information, see Section 7.4, Application Re-authentication.

One-Time Password

This version of SecureLogin integrates with ActivCard's One Time Password authentication functionality and provides the application definition command GenerateOTP, which can be used to generate synchronous and asynchronous soft-token authentication codes for smart card user authentication.

For more information, see Section 7.1.5, One-Time Password.

7.1.3 Network Authentication

Network authentication is the verification of a user's login credentials before granting access to a network or operating system. Users typically authenticate to a network using one of the following methods:

  • Password
  • Biometric device (fingerprint or iris scan)
  • Smart card and PIN
  • Token

When the user authenticates successfully and the operating system has loaded, SecureLogin starts and manages the login credentials to all the user's SSO-enabled applications.

If you want to enforce biometric, smart card, or token authentication at the application (or transaction) level, SecureLogin Advanced Authentication or NMAS can be integrated with SecureLogin to prompt the user to re-authenticate before SecureLogin retrieves their credentials and logs in to SSO-enabled applications.

Network authentication methods can also be integrated with SecureLogin to manage a user's Windows logon credentials. The authentication method retrieves the user's Windows user name and password from the smart card and automatically enters them into the Windows Graphical Identification and Authentication (GINA) interface when the user enters a PIN.

7.1.4 Smart Card Application Re-Authentication

Stronger application re-authentication methods such as SecureLogin Advanced Authentication and NMAS can also be integrated with SecureLogin to require smart card and PIN re-authentication before access to an SSO-enabled application.

To do this, enable the Prompt for device reauthentication for this application option and configure the re-authentication method.

For information about configuring SecureLogin to re-authenticate an application, see Section 9.0, Reauthenticating Applications.

7.1.5 One-Time Password

A one-time password is an authentication method specifically designed to avoid the security exposures inherent in traditional fixed, static passwords.

One-time passwords rely upon a pre-defined relationship between the user and an authenticating server. A secret key is shared between the user's token generator (which can be a hardware token or a one-time-password-enabled smart card) and the server; at logon each side performs the same pseudo-random code calculation, and if the codes match, the user is authenticated.

The main benefit of one-time password systems is that a code captured on the wire cannot later be replayed to the server, because each code is valid only once. This is particularly important when a system does not encrypt the password on its way to the server, as is the case with many legacy mainframe systems.

SecureLogin now provides an application definition (script) command, GenerateOTP, which can be used to generate synchronous and asynchronous soft-token authentication codes for smart card user authentication, as well as hard-token support for the Vasco Digipass token generator.

For more information on one-time password functionality, refer to One Time Passwords in the Novell SecureLogin 6.0 SP1 Application Definition Guide.