SAN MATEO (03/06/2000) - Many challenges face those trying to provide strong two-factor authentication to users accessing sensitive information via the Internet. The most popular solutions today for two-factor authentication (which is based on something you have and something you know) are SecurID tokens or smart cards. But these require expensive hardware tokens to be distributed to users.
A much simpler and less expensive way to provide authentication is via software, and that's where WebFort, from Arcot Systems Inc., comes into the picture. WebFort is a new software-based technology that provides cost-effective two-factor authentication via the Web, and is ideal for securing e-commerce. For highly sensitive intranet applications, you might still want to use hardware authentication, but for Web applications WebFort is a great choice that can fit almost any architecture. I'm very enthusiastic about WebFort's capability of serving this security need, and its potential looks terrific; I give it a score of Excellent.
Arcot's new technology, Cryptographic Camouflage, is the key component of WebFort and protects the user's private key, the "key to the kingdom" in the world of PKI (public key infrastructure). A private key encrypted under a short PIN is normally exposed to an offline attack: whoever steals the key file can try every PIN on his own machine, and a wrong PIN produces unreadable output (a bad checksum, broken padding, a malformed key structure), so the correct PIN announces itself after at most a few thousand tries. Cryptographic Camouflage removes that signal by arranging that decryption under any PIN in the key space yields a well-formed, plausible private key. The thief therefore cannot tell the candidates apart offline and must try each one against the live authentication system before learning whether it is the right one, which puts the guesses where the server can count them and lock the card after a handful of failures. Note what this does and does not buy: it defeats offline guessing of the PIN, but it does nothing against online guessing unless the server actually enforces a failure limit, so the lockout policy is part of the security of the scheme. This unique approach sounds, in theory, more secure than current cryptographic implementations. Time will tell if this holds up in practice.
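To make the offline-versus-online distinction concrete, here is an added toy illustration written for this review; it is not Arcot's code and does not reproduce the real ArcotCard format. A 32-byte private key is wrapped under a 4-digit PIN in two ways: a conventional wrapper whose plaintext carries a tag and a checksum, and a camouflaged wrapper that stores only the raw key, where every 32-byte string is a valid key. The HMAC keystream, the `public_part` stand-in for real public-key verification, the five-failure lockout and the PIN and salt values are all constructed assumptions.

```python
"""Toy illustration of cryptographic camouflage (constructed example, not Arcot's code)."""
import hashlib
import hmac
import secrets

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # a 4-digit PIN: 10,000 possibilities
KEY_LEN = 32


def keystream(pin: str, salt: bytes, n: int) -> bytes:
    """Toy PIN-keyed stream (HMAC-SHA256 in counter mode). A real product would use a
    slow KDF; a fast one keeps this demo quick and does not change the point."""
    k = hmac.new(salt, pin.encode(), "sha256").digest()
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Conventional wrapping: the plaintext has structure, so a wrong PIN is detectable offline.
def naive_wrap(priv: bytes, pin: str, salt: bytes) -> bytes:
    pt = b"KEY1" + priv + hashlib.sha256(priv).digest()[:4]  # tag + key + checksum
    return xor(pt, keystream(pin, salt, len(pt)))


def naive_unwrap(blob: bytes, pin: str, salt: bytes):
    pt = xor(blob, keystream(pin, salt, len(blob)))
    tag, key, chk = pt[:4], pt[4:4 + KEY_LEN], pt[4 + KEY_LEN:]
    if tag != b"KEY1" or hashlib.sha256(key).digest()[:4] != chk:
        return None  # "not a readable message": this PIN is ruled out without any server
    return key


# Camouflaged wrapping: only the raw scalar is stored and every 32-byte string is a
# valid key, so every PIN decrypts to a plausible key and nothing offline tells them apart.
def camouflaged_wrap(priv: bytes, pin: str, salt: bytes) -> bytes:
    return xor(priv, keystream(pin, salt, KEY_LEN))


def camouflaged_unwrap(blob: bytes, pin: str, salt: bytes) -> bytes:
    return xor(blob, keystream(pin, salt, KEY_LEN))


def offline_candidates(unwrap, blob: bytes, salt: bytes) -> list:
    """Exhaustive offline search over the PIN space: which PINs survive?"""
    return [pin for pin in PIN_SPACE if unwrap(blob, pin, salt) is not None]


def public_part(priv: bytes) -> bytes:
    """Toy one-way 'public key'; stands in for real public-key signature verification."""
    return hashlib.sha256(b"pub" + priv).digest()


class AuthServer:
    """The only oracle left to an attacker. It counts failures and locks the card."""

    def __init__(self, pub: bytes, max_failures: int = 5):
        self.pub = pub
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def authenticate(self, priv_candidate: bytes) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(public_part(priv_candidate), self.pub)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok


def online_guess(server: AuthServer, blob: bytes, salt: bytes):
    """Attacker holding the camouflaged card tries PINs against the live server."""
    for pin in PIN_SPACE:
        if server.locked:
            return None
        if server.authenticate(camouflaged_unwrap(blob, pin, salt)):
            return pin
    return None


def demo() -> dict:
    pin, salt = "7391", b"constructed-salt"  # constructed values
    priv = secrets.token_bytes(KEY_LEN)
    naive = naive_wrap(priv, pin, salt)
    camo = camouflaged_wrap(priv, pin, salt)
    server = AuthServer(public_part(priv))
    return {
        "offline_naive": offline_candidates(naive_unwrap, naive, salt),  # exactly the real PIN
        "offline_camo": len(offline_candidates(camouflaged_unwrap, camo, salt)),  # all 10,000
        "online_recovered": online_guess(server, camo, salt),  # None: card locked first
        "locked": server.locked,
    }


if __name__ == "__main__":
    print(demo())
```

The naive wrapper leaks the PIN to anyone who copies the file; the camouflaged wrapper leaves all 10,000 candidates equally plausible, and the attacker's first five online guesses lock the card. Swap `max_failures` for a large number and the camouflage buys nothing, which is the caveat above in code.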
WebFort can be integrated with any of the major CA (certificate authority) products and ODBC-compliant databases on the market. Two-factor authentication is provided through a user-selected PIN (personal identification number) and an ArcotCard software token. The ArcotCard stores the user's private key and an X.509 Version 3 digital certificate; the private key is encrypted under the PIN using Cryptographic Camouflage, so the card file on its own does not yield the key.
There are three main components of WebFort: the Personalization Station, the WebFort Server, and the WebFort Proxy. The Personalization Station comprises several services. Its main function is to provide the administrative interface used to create and administer ArcotCards. This Web interface is very elegant and easy to use.

The Personalization Station also contains the Roaming Service, which is arguably the best part of WebFort. The Roaming Service allows users to access their ArcotCards from any machine connected to the Internet: if the administrator enables roaming, the ArcotCard is retrieved from the Roaming Server each time the user accesses the system; if roaming is not enabled, the user downloads the ArcotCard onto the local machine and uses it there. Either way the card's private key stays PIN-protected, so a copy held on the Roaming Server or left on a shared machine is not usable without the PIN. The Personalization Station also contains the Broadcast Service, which lets multiple WebFort servers communicate with each other, and the Registration Authority (RA), which lets WebFort talk to the CA.
The second main component, the WebFort Server, contains the Authentication Server. This server processes all authentication requests and logs every event so that past transactions can be reviewed. The WebFort Server also contains the Web server filter, which lets a Web server hand authentication off to WebFort; filters are currently supplied for Microsoft Internet Information Server (IIS) and Netscape Enterprise Server (the specification box below also lists Apache 1.3). Finally, the WebFort Server contains the Access Control Server, which specifies which URLs each user may access and stores those rules in the Access Control List database, so authorization can be enforced per URL in front of the application rather than inside it.
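As an added illustration of what a URL-level access control check of this kind has to get right (constructed for this review, not WebFort's code; the ACL table, the rule format of per-user URL prefixes, the event-log shape and the request URLs are all assumptions), here is a deny-by-default check that canonicalizes the request path before matching and records each decision, shown alongside the naive prefix comparison it replaces.

```python
"""Toy URL access-control check of the kind a Web server filter would consult (constructed example)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical ACL database: user -> URL prefixes that user may reach. Anything not listed is denied.
ACL_DB = {
    "alice": ["/accounts/alice/", "/statements/"],
    "bob": ["/accounts/bob/"],
}

# Hypothetical event log of the kind an authentication server keeps for later review.
EVENT_LOG = []


def canonical_path(url: str) -> str:
    """Reduce a request URL to the single path form the ACL is matched against."""
    path = urlsplit(url).path          # discard scheme, host, query string and fragment
    path = unquote(path)               # "%2e%2e" becomes "..", so encoding cannot hide traversal
    path = "/" + path.lstrip("/")      # exactly one leading slash (normpath would keep a leading "//")
    return posixpath.normpath(path)    # collapse "..", "." and repeated slashes; cannot climb above "/"


def is_allowed(user: str, url: str) -> bool:
    """Deny by default; allow only if the canonical path falls under one of the user's prefixes."""
    path = canonical_path(url)
    rules = ACL_DB.get(user, [])
    allowed = any(path == rule.rstrip("/") or path.startswith(rule) for rule in rules)
    EVENT_LOG.append({"user": user, "path": path, "decision": "ALLOW" if allowed else "DENY"})
    return allowed


def naive_allowed(user: str, url: str) -> bool:
    """The same rules applied to the raw path, kept only to show what canonicalization prevents."""
    path = urlsplit(url).path
    return any(path.startswith(rule) for rule in ACL_DB.get(user, []))


if __name__ == "__main__":
    for user, url in [
        ("alice", "https://bank.example/accounts/alice/balance?month=2"),
        ("bob", "/accounts/bob/../alice/balance"),
        ("bob", "/accounts/bob/%2e%2e/alice/balance"),
    ]:
        print(user, url, "naive:", naive_allowed(user, url), "canonical:", is_allowed(user, url))
```

The two "bob" requests are the ones to watch: the naive prefix check passes both because the raw path begins with "/accounts/bob/", while the canonical check resolves them to "/accounts/alice/balance" and denies. Percent-decoding before normalizing matters because the back-end server will decode "%2e%2e" itself; an ACL that matches on the encoded form is comparing against a path the application never sees.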
The third main component, the WebFort Proxy, contains the Authentication Proxy. This proxy forwards requests to the Authentication Server and gives extranet partners or other business locations access to the Authentication Server without exposing it directly.
I looked at WebFort running with Microsoft's Certificate Server and Access Database. I found the installation procedure to be very quick and simple. I created several cards, enabling roaming on some, and used the cards to access Web sites.
I would recommend this product to someone looking to implement strong authentication via the Web. WebFort is very scalable, cost efficient, and flexible; it can be modified to fit almost any architecture.
If you are authenticating users via an intranet and are protecting highly sensitive or confidential information, I would suggest staying with the more time-tested hardware solution. But at a starting price of $15,000 with few additional costs, WebFort is a great way to start securing those Web applications. I rate its value as excellent.
Mandy Andress is director of information security at Privada.net, a privacy infrastructure provider.
THE BOTTOM LINE: EXCELLENT
WebFort, Version 2.0
Business Case: WebFort provides a unique and cost-effective way to incorporate strong authentication via the Internet, making it a great solution for e-commerce applications.
Technology Case: WebFort's new technology provides high flexibility and ease of use that make it a great alternative to hardware-based authentication. It supports numerous certificate servers, as well as RSA and DSS (Digital Signature Standard) digital signatures.
+ Flexible architecture
+ Easy to deploy and administer
- None significant
Cost: $15 per ArcotCard, with a minimum license of 1,000 users. Cost falls to as low as $2 per ArcotCard as the number of users increases.
Platform(s): Clients: Windows 9x, Windows NT 4.0, Solaris, Mac OS 8, Linux; Servers: NT 4.0, Solaris; Web servers: Microsoft IIS, Netscape Enterprise Server 3.x, Apache 1.3.
Arcot Systems Inc., Palo Alto, Calif.; (650) 470-8200; www.arcot.com.