Académique Documents
Professionnel Documents
Culture Documents
End-to-End, Online
Identity Theft Prevention
Technical Overview
April 2009
White Sky, Inc.
1825 S. Grant St., Suite 250
San Mateo, CA 94402
Phone: 650.286.9440
Fax: 650.286.9273
ID Vault™
End to End Online Identity Theft Prevention
Contents
© 2009 White Sky, Inc. All rights reserved. ID Vault is a registered trademark, and the ID Vault logo and White Sky, Inc.
are trademarks of White Sky, Inc. All other trademarks are the property of their respective owners.
2. Real-time, client-server architecture between the White Sky server and users’
computers for credential store access and IP address database
Consumer Friendly UI
- Single PIN sign on
- Multi-page log-on
- Dynamic IP Whitelist
- Verifies log-on
protocol
Proven usability promotes user confidence in a product and encourages frequent use.
White Sky’s years of experience with its hardware-based product help ensure that ID
Vault’s user interface behaves like familiar PC-based products -- from install through
daily operation.
From a user’s perspective, ID Vault provides single sign-on access to multiple financial
and retail internet sites which are guaranteed to be legitimate.
Client-Server Architecture
From a platform perspective, ID Vault conforms to a familiar client-server model.
Operationally, ID Vault provides a simple one-to-many-scenario between the White Sky
server and the user computers:
White Sky
Servers
Users’
Computers
From a security perspective, distinct components support secure data storage, access, and
transmission in the client-server environment:
Two factor authentication employs two different factors to authenticate a user’s identity –
something you know and something you have. Using two factors instead of a single
factor provides a high level of authentication assurance to a credential vault.
Windows Communication
Foundation Services
White Sky
Servers
PKI Remote Authentication
ID Vault
The following sections walk through client and server actions as ID Vault is installed,
initialized, and exercised.
When users install ID Vault, they are prompted to enter a PIN and a license code.
The user creates the PIN. The license code is sent to the user via email.
The client machine then generates a client certificate and keys, sets up the security field,
and initiates PIN creation within the ID Vault application.
User enters:
- PIN
- License
code
WCF Services
PINStore
Creates PIN
Create PIN (TokenID, Public Key, PIN)
ID Vault
Encrypted
Credential - Assigns a client certificate
Store
- Assigns a private key
XML - Assigns a public key
Database
- Creates encryption signature
Security Comments
1. The certificate assigned to the encrypted credential store binds it to the user’s
computer. The private key – asymmetric, 64 byte -- is stored in the client-resident
XML file. That private key is non-exportable, cannot be extracted, and, therefore, the
certificate cannot be moved to or installed on another computer.
In Microsoft’s own words: “At its base, the WCF channel architecture provides
asynchronous, untyped message-passing primitives. Built on top of this base are
3. The encryption signature is created using a unique identifier (TokenGUID) and signed
with the private key. The signature is used to identify the unique client machine and
verify information passed between the client and server.
4. XML database stores private data encrypted using the strong AES 256 encryption
algorithm. The XML file cannot be used on another machine because certificates
must match before the file can be accessed. The certificate installed on the original
machine will not match the certificate on the second machine causing signature
verification to fail.
Responding to the client request, the server creates an entry for the user in the database.
WCF Services
PINStore
Creates PIN
Create PIN (TokenID, Public, PIN)
ID Vault
Encrypted
User’s Record
Credential - Assigns a client certificate
Store - TokenID
- Assigns a private key - Public Key
- PIN
XML - Assigns a public key - Data Key
Database - PIN Counter
- Creates encryption signature
Security Comments
1. The user record – identifies the user as unique by a primary key and list of attributes:
• PIN Counter – specifies that 4 attempts can be made to enter the correct key. This
protects the user against dictionary attacks by criminals. ID Vault specifies a 4 to
8 digit PIN to access the credential store.
2. WCF/server certificate is preconfigured – Equifax signed 1024 bit -- and stored in the
server prior to deploying ID Vault.
After ID Vault has been installed and initialized, the user can add credentials and access
specified sites. PIN verification is managed via remote PKI authentication challenge-
response protocol across the client-server platform.
When the user enters a PIN, the client sends a request to the server for verification.
User
enters
PIN WCF Services
PINStore
Verifies PIN
Get DATAKEY (TokenID, Signature, PIN)
ID Vault
Encrypted
Credential - Sends signature
Store for verification
XML
Database
1. The signature sent to the server is used to verify the client identity and the PIN.
2. If the user fails to enter the correct pin by the fourth attempt, the PIN is locked and the
encrypted credentials store is deleted.
The user is prompted to create a new PIN. All information the user has previously
provided is lost and must be re-entered.
When the server receives the request to verify the PIN, the user’s record, previously
stored in the server database is accessed.
WCF Services
PINStore
ID Vault
Security Comments
1. The signature sent to the server is decrypted with the public key that was stored
during initialization.
2. The server returns the encryption key - Data Key - only if signature verification
succeeds.
The client provides a second layer of security when the Data Key is returned.
WCF Services
PINStore
ID Vault
Encrypted
Credential - Uses private key to decrypt - Access user’s record in
Store Data Key database
Security Comments
1. The client decrypts the Data Key using the private key – which is non-exportable and
bound to that machine. This second decryption of the Data Key represents the
double layer of security that protects the Data Key from being accessed…and
therefore protects data stored in the XML file.
2. The Data Key is then used to access encrypted data in the XML file, which uses the
strong AES 256 algorithm.
When the user wants to access a site, the client checks the IP whitelist against previously
verified information.
- IP address is verified
ID Vault
- Sign-on procedure is verified
Encrypted
Credential - Secure View Private Browser is
Store
invoked
Security Comments
If verification fails, ID Vault displays a message warning the user that the site could
not be verified.
2. Sites are checked daily for changes that affect the white list. Typically financial
institutions change IP addresses after midnight on Sunday; approximately 2-3%
change every week. Sites such as PayPal and American Express change their
addresses randomly and frequently.
To
prevent
certain
types
of
Man‐in‐the‐middle
attacks,
the
ID
Vault
IP
whitelist
utilizes
HTTPS
landing
pages
where
possible.
This
make
ID
Vault
users
immune
from
certain
types
of
attacks
that
involve
misdirecting
the
domain
name
or
IP
address
such
as
the
Moxie
attack.
For
more
information
on
how
ID
Vault
can
prevent
network
based
attacks,
When a user invokes ID Vault to access online financial and retail sites, Secure View is
invoked, instead of Internet Explorer. Secure View is specifically designed to provide
enhanced security for users accessing the financial sites they frequent.
ID Vault
Secure View
Private Browser
Internet
Explorer
Because Secure View protects users by limiting some of Internet Explorer’s capabilities,
it does not replace IE for general web browsing.
Browser-Based Attacks
Users browsing the Internet via Internet Explorer are vulnerable man-in-the-browser
programs which:
IExplore.exe SecureView.exe
Internet Explorer Application Private Viewer
MSHTML.dll MSHTML.dll
Trident Trident
HTML/CSS Parser and Renderer HTML/CSS Parser and Renderer
Document Object Model (DOM) and Document Object Model (DOM) and
DHTML DHTML
Active Document (DocObject) Active Document (DocObject)
URLMon.dll URLMon.dll
Security and Download Security and Download
WinInet.dll WinInet.dll
HTTP and Cache HTTP and Cache
SecureView.exe does not support IExplore.exe Browser Extension types, such as toolbars
or BHOs. Therefore, if a user’s machine is infected with multiple browser extension-
based malware programs, Secure View sessions are invulnerable to attack by these
programs.
Note that replacing extensions also affects legitimate browser extensions, such as toolbars
or menu shortcuts which the user expects to see. Those features are not available in a
Secure View session. Therefore, the Secure View Private Browser is accessed only when
the user invokes ID Vault for financial site log-on.
ID Vault’s end-to-end solution implements specific security capabilities that protect users
from online fraud.
IP Whitelist
ID Vault verifies the sites that users access are legitimate:
• Man-in-the browser attacks, including the Moxie attack – the perpetrator installs
an undetected malware program on a victim's computer. This program is capable
of capturing and/or modifying that user's Internet transactions as they occur. Due
to the sophisticated technology required to succeed, use of this tactic has
generally been limited to financial fraud where the reward can be great.