Single SignOn replaces Passwords

Passwords are a nuisance. They are too short, too fixed, and must be entered over and over again. They are even stored on insecure systems. Single SignOn solutions founded in cryptography make it secure to log in repeatedly, after entering a secret only once!

Issues to consider

Fixed secrets can be tapped from unencrypted points in any communications channel. For encrypted connections, the end points are still points where this can be done. Fixed secrets should not be used to access remote systems.

Public key crypto makes the authentication between a client and server differ every time. As a result, you can safely use the same public key to authenticate to many systems.

Network protocols can often employ public key crypto, but this must be explicitly required in most cases.

Hardware tokens are light and small engines that totally encapsulate public key crypto; use these if you need to carry your credentials around.

Solution 1: Wrap it in a Secure Shell

The Secure Shell is a Network Protocol that has been standardised for the Internet, and that is consequently available from different providers. Public key authentication is possible with these products, making this a true Single SignOn protocol.

The Shaman is a true Single SignOn solution based on the standard SSH protocol.

  • On Linux and Unix, OpenSSH is often already available;
  • On Windows, WinSCP and PuTTY are popular;
  • On Mac OS X, OpenSSH and Fugu are well-integrated.

Client-side key management is worth setting up, even though it is a bit tricky to do. With our Shaman agent, it is possible to use a cryptographic token to encapsulate all Public key crypto. All that is needed is a token with a complete PKCS #11 interface.

Shaman for Windows works smoothly with WinSCP and PuTTY, or any other tool that uses the Pageant protocol. It can also be used to encapsulate arbitrary TCP/IP connections, such as for mail reading and database access. It provides a little icon in the bottom bar, from which a menu with user-defined connections pops up.

Shaman for Linux works smoothly with OpenSSH's ssh/sftp/scp commands, and anything that builds on it, including cvs, rsync and darcs. You do need a token with a working PKCS #11 library.

Shaman for Mac OS X is currently not available, but do let us know if you need it for a group of users.

We can provide useful Token Services on our tokens.


Package summary:
Shaman licenses for selected operating systems at €25
ePass2000 tokens for USB, optional, at €41
Token Service Labels, optional, at €5 per token




Solution 2: Use SSL connections

Another standard Network Protocol that can wrap arbitrary TCP/IP connections is SSL. It has a turbulent history, so we advise using the Secure Shell where possible.

The most common application of SSL is a secure website. Others are secure mail reading protocols. The server side always presents a certificate to authenticate itself. Adding authentication with client certificates can also turn SSL into a true Single SignOn solution.

Server Certificates are necessary so the client knows it is authenticating to a trusted site. By their nature, SSL certificates must be renewed regularly.

Login Tokens are client certificates that we can create for our customers and yours; this is usually much cheaper than anything you can build yourself! You may also want to check compatibility with your current browser. Note that IIS is not sufficiently standards-compliant to recognise Login Tokens.

ePass2000 tokens totally encapsulate the Public key crypto for SSL client certificates. The credentials stored on them cannot be copied with any reasonable amount of work. The tokens plug into USB and they are protected with a PIN.

ePass1000 tokens store the credentials for Public key crypto for SSL client certificates. They are not as secure as the ePass2000 tokens, but on Windows they can provide SSL service to browsers and other token-aware software. The tokens plug into USB and they are protected with a PIN.

Token Return Labels can be helpful when you are prone to losing your tokens.

Order the items you seek below.


Package summary:
Login token SSL Client Certificates for one year each, at €3
ePass2000 or ePass1000 tokens for USB, optional, at €41 or €30
Token Service Labels, optional, at €5 per token





The following extension to this order is only needed if you have not arranged it yet:


Package summary:
Secure Server Cert at €100 per year





The names of the products presented on this page are trademarks of OpenFortress

