
ID Vault™

End-to-End, Online
Identity Theft Prevention

Technical Overview
April 2009
White Sky, Inc.
1825 S. Grant St., Suite 250
San Mateo, CA 94402
Phone: 650.286.9440
Fax: 650.286.9273

ID Vault™
End to End Online Identity Theft Prevention

Contents

ID Vault End-to-End Solution ..................... 3
Usability – Market-Tested User Interface ......... 4
Client-Server Model .............................. 4
Security Architecture ............................ 5
  Two Factor Authentication ...................... 5
    Installation and Initialization .............. 6
    PIN Verification ............................. 8
  Trusted Sites – IP Whitelist ................... 11
  Secure View Private Browser .................... 13
Summary of ID Vault Capabilities ................. 15

© 2009 White Sky, Inc. All rights reserved. ID Vault is a registered trademark, and the ID Vault logo and White Sky, Inc.
are trademarks of White Sky, Inc. All other trademarks are the property of their respective owners.

White Sky, Inc. Confidential & Proprietary Page 2 of 16


ID Vault:
End to End Online Identity Theft Prevention
Identity theft and the related financial costs are major issues for consumers and financial
service providers. Javelin Strategies estimates $50 billion in annual US fraud losses based
on consumer research. Online Banking Report estimates that 500,000 households have
experienced identity theft. The online component of identity theft and fraud continues to
grow in spite of security suites and enterprise products that offer protection against
specific areas and types of online fraud. In fact, Panda Labs Security reports that in a
study of 67 million computers in 2008, 35% of the infected PCs had up-to-date anti-virus
software installed. ID Vault takes a comprehensive approach to online identity theft
protection, focusing on the security chain from the user's credential store to legitimate
site access.

ID Vault End-to-End Solution

ID Vault provides an end-to-end online fraud prevention solution that incorporates:

1. Usability experience based on White Sky's successful hardware product, now
   available in a software version for broad consumer deployment

2. Real-time, client-server architecture between the White Sky server and users'
   computers for credential store access and the IP address database

3. Security architecture using effective, fraud-deterring components:

   • Two factor authentication
   • IP list of trusted sites
   • Secure browsing for online financial and commerce sites

Consumer Friendly UI
- Single PIN sign on
- Multi-page log-on
- Encrypted credential store

Strong Security
- Two factor authentication
- Dynamic IP Whitelist
- WCF PIN management service

Secure Logon
- Secure View Private Browser
- Verifies sites
- Verifies log-on protocol



Usability – Market-Tested User Interface

Proven usability promotes user confidence in a product and encourages frequent use.
White Sky’s years of experience with its hardware-based product help ensure that ID
Vault’s user interface behaves like familiar PC-based products -- from install through
daily operation.

From a user's perspective, ID Vault provides single sign-on access to multiple financial
and retail internet sites that ID Vault has verified as legitimate: banks, brokerages,
credit unions, credit card issuers, retail shopping sites and more.

Client-Server Architecture
From a platform perspective, ID Vault conforms to a familiar client-server model.
Operationally, ID Vault provides a simple one-to-many scenario between the White Sky
servers and the users' computers.

ID Vault User System Requirements

• Windows XP® or Windows Vista™
• Internet Explorer® 6 or higher
• Minimum 600 MHz processor
• Minimum 512 MB RAM
• At least 40 MB free disk space



Security Architecture

From a security perspective, distinct components support secure data storage, access, and
transmission in the client-server environment:

1. Two factor authentication
2. IP whitelist of trusted sites
3. Secure View Private Browser – White Sky's implementation of Microsoft's
   Internet Explorer

Two Factor Authentication

Two factor authentication employs two different factors to authenticate a user's identity –
something you know and something you have. Using two factors instead of a single
factor provides a higher level of authentication assurance for a credential vault. In ID
Vault the factor you know is the PIN; the factor you have is the encrypted credential store
(a software token) bound to the user's computer by its client certificate and private key,
rather than a separate hardware device.

ID Vault's implementation of two factor authentication is based on:

• A client-server platform that spans the user's computer and the ID Vault server
• PKI remote authentication using challenge-response protocols and signed
  messages
• Windows Communication Foundation (WCF) secure services that protect messaging
  between client and server

The ID Vault client authenticates to the White Sky servers over Windows Communication
Foundation services using PKI remote authentication.

The following sections walk through client and server actions as ID Vault is installed,
initialized, and exercised.



Installation and Initialization: Client Action

When users install ID Vault, they are prompted to enter a PIN and a license code.
The user creates the PIN. The license code is sent to the user via email.

The client machine then generates a client certificate and key pair, sets up the encrypted
credential store, and initiates PIN creation within the ID Vault application:

- The user enters the PIN and the license code
- ID Vault assigns a client certificate, a private key and a public key
- ID Vault creates the encryption signature
- ID Vault sends the request Create PIN (TokenID, Public Key, PIN) to the server via
  the PINStore secure service (WCF Services)
- ID Vault initializes the XML database of the encrypted credential store

Security Comments

1. The certificate assigned to the encrypted credential store binds it to the user's
   computer. The private key – asymmetric, 64 bytes – is stored in the client-resident
   XML file. That private key is marked non-exportable and cannot be extracted, so the
   certificate cannot be moved to or installed on another computer. Two points a
   reviewer should note: 64 bytes is 512 bits, and the page does not state the
   algorithm; if the key is RSA, 512 bits is well below the 1024-bit minimum in common
   use in 2009 and below the 2048 bits NIST SP 800-57 recommends. Non-exportability
   is also a property enforced by the key container that holds the key, so the
   assurance depends on that container rather than on the XML file itself.

2. PINStore, supported by Windows Communication Foundation (WCF), sends the
   request to the server.

   WCF is Microsoft's unified programming model for building service-oriented
   applications. Using WCF's APIs, developers can build secure, reliable, transacted
   solutions that integrate across platforms.

   In Microsoft's own words: "At its base, the WCF channel architecture provides
   asynchronous, untyped message-passing primitives. Built on top of this base are
   protocol facilities for secure, reliable, transacted data exchange and broad choice of
   transport and encoding options."

3. The encryption signature is created by signing a unique identifier (TokenGUID)
   with the private key. The signature identifies the unique client machine and
   verifies information passed between the client and server.

4. The XML database stores private data encrypted with AES-256. The XML file cannot
   be used on another machine because certificates must match before the file can be
   accessed: the certificate installed on the original machine will not match the
   certificate on the second machine, causing signature verification to fail.

Installation and Initialization: Server Response

Responding to the client request Create PIN (TokenID, Public Key, PIN), received via the
PINStore service, the server creates an entry for the user in its database. The user's
record holds:

- TokenID
- Public Key
- PIN
- Data Key
- PIN Counter

Security Comments

1. The user record identifies the user as unique by a primary key and a list of attributes:

   • TokenID – the primary key
   • Public Key – associated with the client certificate
   • PIN – specified by the user
   • Data Key – generated by the server and encrypted using the public key passed to it
     by the client. This Data Key provides strong security during verification as it is:

     • First encrypted on the server with the client's public key
     • Subsequently decrypted on the client with the private key

     This second layer of security ensures that if the Data Key is stolen from the server it
     cannot be used on another computer because the private keys will not match.
     For example, if a user attempts to use the XML file from the original client on
     another machine, signature verification will prevent any opportunity to exploit the
     file. If – through nefarious means – signature verification succeeds in such a
     situation, the Data Key, being encrypted on the server under the client's public key
     and decryptable only with the private key on the original client, still protects the
     XML file.

   • PIN Counter – allows 4 attempts to enter the correct PIN. This protects the user
     against PIN-guessing (dictionary and brute-force) attacks. ID Vault specifies a 4 to
     8 digit PIN to access the credential store.

2. The WCF/server certificate is preconfigured – Equifax signed, 1024 bit – and stored on
   the server prior to deploying ID Vault. A 1024-bit RSA key was near the end of its
   recommended life in 2009: NIST SP 800-57 calls for 2048-bit keys after 2010.

PIN Verification: Client Challenge

After ID Vault has been installed and initialized, the user can add credentials and access
specified sites. PIN verification is managed via a remote PKI authentication challenge-
response protocol across the client-server platform.

When the user enters a PIN, the client sends the request Get DATAKEY (TokenID, Signature,
PIN) to the PINStore service for verification; the signature is included so that the server
can verify it against the public key it stored at initialization.



Security Comments

1. The signature sent to the server is used to verify the client identity and the PIN.

2. If the user fails to enter the correct PIN by the fourth attempt, the PIN is locked and the
   encrypted credential store is deleted.

   The user is prompted to create a new PIN. All information the user previously
   provided is lost and must be re-entered.

PIN Verification: Server Response

When the server receives the request to verify the PIN, it accesses the user's record,
previously stored in the server database, via the PINStore service:

- Access the user's record in the database
- Use the stored public key to verify the signature
- If verification is successful, send the encrypted Data Key to the client

Security Comments

1. The signature sent to the server is verified with the public key that was stored
   during initialization.

2. The server returns the encryption key – the Data Key – only if signature verification
   succeeds.



PIN Verification: Client Response

The client provides a second layer of security when the encrypted Data Key is returned
from the PINStore service:

- Uses the private key to decrypt the Data Key
- Uses the decrypted Data Key to access the encrypted data in the XML file

Security Comments

1. The client decrypts the Data Key using the private key – which is non-exportable and
   bound to that machine. This second decryption of the Data Key is the double layer of
   security that protects the Data Key from being accessed, and therefore protects the
   data stored in the XML file.

2. The Data Key is then used to access the encrypted data in the XML file, which is
   encrypted with AES-256.
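The initialization and PIN-verification exchange described in the sections above, written out as runnable Go so that the server's and the client's responsibilities are explicit. This is an added example, not White Sky's code: the page does not name the signature, padding or key-wrapping schemes, so RSA-PSS, RSA-OAEP, a 2048-bit client key, a 16-byte server nonce and a clear-text PIN in the server record are all assumptions, and the TokenID and PIN values are constructed. The page shows only the TokenGUID being signed; here the signature also covers a server-issued nonce, which is what makes the exchange a challenge-response rather than a static signature that could be replayed. The 32-byte Data Key that unlock returns is what the client would then use as its AES-256 key for the XML credential file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINAttempts = 4 // the page's ATM-like limit

// userRecord mirrors the server record the page lists; TokenID is the map key.
// A clear-text PIN and a nonce kept in the record are assumptions of this example.
type userRecord struct {
	pub        *rsa.PublicKey
	pin        string
	encDataKey []byte // 32-byte Data Key, encrypted under the client public key (RSA-OAEP assumed)
	pinCounter int
	nonce      []byte // outstanding challenge, nil when none
}

type server struct{ records map[string]*userRecord }

func newServer() *server { return &server{records: map[string]*userRecord{}} }

// CreatePIN handles "Create PIN (TokenID, Public Key, PIN)": it stores the record and
// generates the Data Key, which leaves the server only in its client-encrypted form.
func (s *server) CreatePIN(tokenID string, pub *rsa.PublicKey, pin string) error {
	if len(pin) < 4 || len(pin) > 8 {
		return errors.New("PIN must be 4 to 8 digits")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte("DataKey"))
	if err == nil {
		s.records[tokenID] = &userRecord{pub: pub, pin: pin, encDataKey: enc}
	}
	return err
}

// Challenge issues a single-use nonce; signing it makes the exchange a challenge-response.
func (s *server) Challenge(tokenID string) ([]byte, error) {
	rec, ok := s.records[tokenID]
	if !ok || rec.pinCounter >= maxPINAttempts {
		return nil, errors.New("unknown or locked TokenID")
	}
	rec.nonce = make([]byte, 16)
	_, err := rand.Read(rec.nonce)
	return rec.nonce, err
}

// GetDataKey handles "Get DATAKEY (TokenID, Signature, PIN)": the signature is verified with
// the public key stored at initialization; only then is the PIN compared and the counter kept.
func (s *server) GetDataKey(tokenID string, sig []byte, pin string) ([]byte, error) {
	rec, ok := s.records[tokenID]
	if !ok || rec.nonce == nil || rec.pinCounter >= maxPINAttempts {
		return nil, errors.New("unknown or locked TokenID, or no outstanding challenge")
	}
	digest := sha256.Sum256(append([]byte(tokenID), rec.nonce...))
	rec.nonce = nil
	if err := rsa.VerifyPSS(rec.pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature verification failed")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(rec.pin)) != 1 {
		rec.pinCounter++ // at 4 the PIN is locked; the page's client then deletes its store
		return nil, fmt.Errorf("wrong PIN, failed attempt %d of %d", rec.pinCounter, maxPINAttempts)
	}
	rec.pinCounter = 0
	return rec.encDataKey, nil
}

// newClientKey stands in for the machine-bound private key generated at initialization
// (size assumed; the page says only "64 byte"). In ID Vault it lives in a non-exportable container.
func newClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// unlock is one full PIN-verification round trip. The Data Key comes back encrypted and is
// unwrapped with the client's private key, the "second layer" the page describes.
func unlock(s *server, tokenID string, priv *rsa.PrivateKey, pin string) ([]byte, error) {
	nonce, err := s.Challenge(tokenID)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(append([]byte(tokenID), nonce...))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	enc, err := s.GetDataKey(tokenID, sig, pin)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc, []byte("DataKey"))
}

func main() {
	s := newServer()
	priv, _ := newClientKey()
	_ = s.CreatePIN("token-0001", &priv.PublicKey, "4711") // constructed TokenID and PIN
	key, err := unlock(s, "token-0001", priv, "4711")
	fmt.Printf("Data Key: %x (err=%v)\n", key, err)
	_, err = unlock(s, "token-0001", priv, "0000")
	fmt.Println("wrong PIN:", err)
}
```

A client holding a different private key fails at signature verification before the PIN is ever compared, so it neither learns whether the PIN was right nor consumes one of the four attempts; a correct PIN from the wrong machine is worthless, which is the property the page's "double layer" description is getting at.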



Trusted Sites – IP Whitelist
ID Vault monitors around 8,000 financial institution sites – banks, credit unions,
brokerages, credit card issuers – and 700 shopping sites to ensure sites are legitimate and
are not hacker-built impostor sites.

When the user wants to access a site, the client checks the IP whitelist against previously
verified information held in the encrypted credential store (XML database):

- The IP address is verified
- The sign-on procedure is verified
- The Secure View Private Browser is invoked
- Credentials are sent to the verified site, or the user is alerted of the
  verification failure

Security Comments

1. Remote servers located in several locations monitor sites by:

   • Validating IP addresses – matching current addresses with known addresses stored
     in the XML database
   • Validating sign-on procedures

   If verification fails, ID Vault displays a message warning the user that the site could
   not be verified. Because the check fails closed, an address change that outpaces the
   daily refresh produces the same warning as a misdirected lookup until the whitelist
   is updated.

2. Sites are checked daily for changes that affect the whitelist. Typically financial
   institutions change IP addresses after midnight on Sunday; approximately 2-3%
   change every week. Sites such as PayPal and American Express change their
   addresses randomly and frequently.

To prevent certain types of man-in-the-middle attacks, the ID Vault IP whitelist uses
HTTPS landing pages where possible. This protects ID Vault users against certain types
of attacks that involve misdirecting the domain name or IP address, or replacing an
HTTPS landing page with an HTTP copy, such as the Moxie attack (SSL stripping). For
more information on how ID Vault can prevent network-based attacks, please refer to
the White Sky white paper entitled "Analysis of White Sky's ID Vault defense against
the Moxie attack".
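The client-side check described in this section, as an added example in Go; it is not White Sky's code or data. The whitelist entry for the host bank.example, its addresses and its sign-on field names are constructed sample data, and the resolver is a table lookup so that the check runs offline (with a live resolver it would be net.LookupIP). The example goes slightly beyond the text in that it also requires the sign-on form's action URL to be HTTPS on the verified host, which is the concrete symptom SSL stripping leaves behind.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"sort"
	"strings"
)

// trustedSite is one whitelist entry: the addresses the monitoring servers last recorded
// for the host, the HTTPS landing page credentials are posted to, and the field names of
// the verified sign-on form. The entry below is constructed sample data.
type trustedSite struct {
	knownIPs    []string
	landingURL  string
	loginFields []string
}

var whitelist = map[string]trustedSite{
	"bank.example": {
		knownIPs:    []string{"192.0.2.10", "192.0.2.11"},
		landingURL:  "https://bank.example/login",
		loginFields: []string{"username", "password"},
	},
}

// resolver stands in for DNS so the check runs offline; production code would pass net.LookupIP.
type resolver func(host string) ([]net.IP, error)

// fakeResolver answers from a fixed table, so a pharmed answer can be simulated.
func fakeResolver(table map[string][]string) resolver {
	return func(host string) ([]net.IP, error) {
		var ips []net.IP
		for _, s := range table[host] {
			ips = append(ips, net.ParseIP(s))
		}
		if len(ips) == 0 {
			return nil, errors.New("no such host")
		}
		return ips, nil
	}
}

// observedLogin is what the Secure View session actually found when it opened the site.
type observedLogin struct {
	pageURL    string
	formAction string
	fields     []string
}

// verifySite runs the checks the page lists before credentials are released: every resolved
// address must be in the whitelist, the page must be the recorded HTTPS landing page, and the
// sign-on form must post over HTTPS to the same host with the recorded fields. Any failure is
// returned as the "site could not be verified" condition and nothing is sent.
func verifySite(host string, lookup resolver, seen observedLogin) error {
	site, ok := whitelist[host]
	if !ok {
		return fmt.Errorf("%s is not on the trusted-site list", host)
	}
	ips, err := lookup(host)
	if err != nil {
		return fmt.Errorf("could not resolve %s: %v", host, err)
	}
	for _, ip := range ips {
		if !contains(site.knownIPs, ip.String()) {
			// Either the institution moved (whitelist refresh due) or DNS was misdirected
			// (pharming); both fail closed rather than trusting the new address.
			return fmt.Errorf("%s resolved to %s, which is not a known address", host, ip)
		}
	}
	if seen.pageURL != site.landingURL {
		// An http:// copy of the landing page is what SSL stripping leaves the user on.
		return fmt.Errorf("landing page %s is not the recorded page %s", seen.pageURL, site.landingURL)
	}
	action, err := url.Parse(seen.formAction)
	if err != nil || action.Scheme != "https" || action.Hostname() != host {
		return errors.New("sign-on form does not post over HTTPS to the verified host")
	}
	if !sameFields(site.loginFields, seen.fields) {
		return errors.New("sign-on procedure has changed; site must be re-verified")
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// sameFields compares field-name sets regardless of order.
func sameFields(want, got []string) bool {
	a, b := append([]string(nil), want...), append([]string(nil), got...)
	sort.Strings(a)
	sort.Strings(b)
	return strings.Join(a, "\x00") == strings.Join(b, "\x00")
}

func main() {
	dns := fakeResolver(map[string][]string{"bank.example": {"192.0.2.10"}}) // constructed answer
	seen := observedLogin{pageURL: "https://bank.example/login",
		formAction: "https://bank.example/auth", fields: []string{"username", "password"}}
	fmt.Println("verified:", verifySite("bank.example", dns, seen))
	seen.pageURL = "http://bank.example/login" // what SSL stripping leaves the user on
	fmt.Println("stripped:", verifySite("bank.example", dns, seen))
}
```

The address check only confirms that the whitelist is current; the HTTPS checks are what defeat an on-path attacker, since a pharmed or stripped session fails one of them before any credential leaves the client.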




Secure View Private Browser
Secure View Private Browser protects users from browser-based threats that exploit the
vulnerabilities of Internet Explorer Browser extensions.

When a user invokes ID Vault to access online financial and retail sites, Secure View is
invoked, instead of Internet Explorer. Secure View is specifically designed to provide
enhanced security for users accessing the financial sites they frequent.

ID Vault invokes the Secure View Private Browser in place of Internet Explorer.

Because Secure View protects users by limiting some of Internet Explorer’s capabilities,
it does not replace IE for general web browsing.

Browser-Based Attacks

Users browsing the Internet via Internet Explorer are vulnerable to man-in-the-browser
programs which:

• Can be installed – undetected – on a user's computer
• Silently monitor users' browsing activity
• Identify user credential submissions
• Pass credentials, captured in clear text before SSL encryption, to hacker web sites
• Include keystroke loggers, browser plug-ins, and other malicious programs that
  compromise users' security

Man-in-the-browser attacks occur when malware browser extensions are installed on
client computers during standard user activities. Internet Explorer browser extensions
are ideal vehicles for these attacks because all extensions are attached – plugged in – to
the IExplore.exe executable. Malicious extensions can exist alongside legitimate browser
extensions, such as menu extensions or toolbars. Because malicious extensions are
attached to the IExplore.exe executable, they are active for every web page visited from
the infected computer.

An example of a man-in-the-browser attack is a malware Browser Helper Object (BHO).
This program monitors user browsing and looks for a web page that contains a password
field. When such a page is detected and the user enters a password, the malware BHO
sends the clear-text password and the associated web URL to a hacker site; because the
BHO runs inside the browser, it reads the password before SSL encrypts it on the wire.

Secure View Architecture

SecureView.exe hosts the Internet Explorer rendering stack without the Internet Explorer
front end by:

1. Replacing IExplore.exe and BrowseUI.dll, the IE application and user-interface
   components to which browser extensions attach

2. Communicating directly with ShDocVw.dll and MSHTML.dll

   Internet Explorer                          Secure View Private Browser
   ------------------------------------------ ------------------------------------------
   IExplore.exe                               SecureView.exe
   (Internet Explorer application)            (Private Viewer)

   ShDocVw.dll (Web Browser Control)          ShDocVw.dll (Web Browser Control)
   BrowseUI.dll (User Interface)              (no BrowseUI.dll)

   MSHTML.dll (Trident)                       MSHTML.dll (Trident)
   HTML/CSS parser and renderer,              HTML/CSS parser and renderer,
   Document Object Model (DOM) and DHTML,     Document Object Model (DOM) and DHTML,
   Active Document (DocObject)                Active Document (DocObject)

   URLMon.dll (Security and Download)         URLMon.dll (Security and Download)

   WinInet.dll (HTTP and Cache)               WinInet.dll (HTTP and Cache)

SecureView.exe does not support IExplore.exe browser extension types, such as toolbars
or BHOs. Therefore, if a user's machine is infected with multiple browser extension-
based malware programs, Secure View sessions are not exposed to attack by these
programs. This covers malware that loads as an IExplore.exe extension; malware that does
not depend on the browser host, such as a system-wide keystroke logger or screen capture
tool, is addressed by the credential-entry features listed in the Summary below rather than
by the choice of browser host.

Note that replacing the front end also affects legitimate browser extensions, such as
toolbars or menu shortcuts which the user expects to see. Those features are not available
in a Secure View session. Therefore, the Secure View Private Browser is used only when
the user invokes ID Vault for financial site log-on.



Summary of ID Vault Capabilities

ID Vault’s end-to-end solution implements specific security capabilities that protect users
from online fraud.

Two Factor Authentication


Requiring no additional hardware, two factor authentication is implemented across the
client-server platform:

• The encrypted credential store (software token) is bound to a single computer and
  cannot be moved to another computer
• XML data are encrypted with AES-256
• PIN verification uses PKI remote authentication with challenge and response protocols
• WCF secure services protect messaging activity
• ATM-like PIN access – 4 attempts allowed before the user is blocked, thwarting
  PIN-guessing (dictionary) attacks

IP Whitelist
ID Vault verifies that the sites users access are legitimate:

• Verifies the IP address of the site
• Verifies the sign-on protocol of the site
• Logs on without revealing credentials

Secure View Private Browser

ID Vault uses Secure View sessions that:

• Look like an Internet Explorer session to the web site provider
• Are fully Secure Sockets Layer (SSL) compliant
• Are fully compatible with all installed content extensions, such as ActiveX plug-ins,
  to support Flash and Adobe Acrobat content
• Do not require keystrokes to enter log-in credentials
• Do not display log-in screens
• Are based on technology that tracks and conforms to changes and updates made
  to Internet Explorer

Types of Fraud Deterred


Although online criminals continue to innovate, ID Vault protects against the most
prevalent and effective online fraud methods, including:

• Dictionary attacks – a technique for determining a decryption key or password by
  searching the possibilities that are most likely to succeed, typically derived from a list
  of words in a dictionary. Generally, these attacks succeed because many people
  choose passwords which are less than 8 characters, single words in a dictionary,
  or simple, predictable variations such as appending a single digit to a word. In
  addition these attacks succeed because there is no limit on the number of attempts
  an attacker can make on the password or PIN.

• Man-in-the-browser attacks – the perpetrator installs an undetected malware
  program on a victim's computer. This program is capable of capturing and/or
  modifying that user's Internet transactions as they occur. Due to the sophisticated
  technology required to succeed, use of this tactic has generally been limited to
  financial fraud where the reward can be great. The network-based Moxie attack
  discussed under Trusted Sites is addressed separately, by the HTTPS landing pages
  in the IP whitelist.

• Phishing – an attempt to obtain access to credentials such as user names and
  passwords – usually by email – by posing as an authentic or familiar entity such
  as a bank, social network, or other known institution.

• Pharming – an attempt to redirect a website's traffic to a bogus website.
  Pharming occurs either by changing the hosts file on a victim's computer or by
  exploiting the Domain Name System (DNS), which is responsible for resolving
  Internet names into their real addresses.

• Keystroke logging – a method of capturing and recording user keystrokes or
  mouse operations.

• Screen capture – a method of recording the visible items displayed on the
  monitor or other visual output device of a computer.

