
Non Linear Authentication SM


By MSK Security

Version 1.0.20100308

Patent Pending

Prepared by:
Shahram Karimian
Raymond Gallagher

3/9/2010
Page 1 of 12 © Copyright 2010 MSK Security

Table of Contents
Non Linear Authentication SM ... 1
By MSK Security ... 1
Version 1.0.20100308 ... 1
Patent Pending ... 1
Table of Contents ... 2
Executive Summary ... 3
Non-Linear Authentication SM ... 5
  Linear Authentication ... 5
  Non-Linear Authentication SM ... 5
How the MSK Digital ID™ isolates and protects ... 6
Out of Band Transactional Verification for Banking ... 7
Isolation through HASP ... 8
  Data Protection ... 8
  System Protection ... 8
MSK Digital ID™ Smart Token ... 9
  System requirements ... 9
  Implementation ... 9
Proven technologies and best practices ... 10
Appendix A ... 11
  How the Security Token communicates ... 11
  How the Authentication Server communicates ... 11


Executive Summary
MSK Security is designed to allow secure logins, transaction verification,
payment processing and digital signatures in a WAN environment, and to
remove the possibility of unauthorized activity interfering with these
processes. MSK Security has invented “Non-Linear Authentication SM” (Patent
Pending) and has a proven implementation of it in our MSK Web
Management 2008 system (our 3rd-generation management system).

Some of the aspects that come out of MSK Security’s implementation of
“Non-Linear Authentication SM” are Bidirectional Authentication, Two-Factor
Authentication and Out-of-Band Authentication. There has been a lot of
discussion about Multi-factor Authentication, but little attention has been
paid to the aspects of authentication. Non-Linear Authentication SM is, in its
own right, a new aspect of authentication and by default exhibits
characteristics of many other techniques. This is due in part to the nature
of Non-Linear Authentication SM and in part to the powerful way in which MSK
Security has implemented it.

Many security systems and techniques have failed not because of security
but because of usability. From the End-User’s perspective, using the security
token is no more difficult than the current username/password combination,
and in some respects (especially across multiple enabled systems) it is
considerably easier.

Two-factor Authentication

There are only three possible factors for authentication: something you know,
something you have and something you are.

1. Something you know, such as a password, image, pattern or answers to
questions. These are all forms of single-factor authentication.

2. Something you have, such as unique client programs, OTP tokens,
computer hardware, smart cards and keys. These would also be considered
single-factor unless combined with something you know. Something you
have by itself is still stronger than just something you know.

3. Something you are (the strongest single factor for authentication), such
as a fingerprint, retina, DNA or a picture ID from a trusted source.


What are aspects of authentication?

The aspect of authentication is a high-level implementation of authentication.
It answers the questions “Who has to authenticate?”, “Who is trusted?”, “How
are credentials transmitted?” and “What factors of authentication are going to
be used?” Almost all websites use single-factor unidirectional authentication.

Bidirectional Authentication

Bidirectional authentication is where the service authenticates to the end-user
and the end-user authenticates to the service. This has been implemented by
displaying a secret pass-phrase or picture on the webpage after the end-user
enters their username but before they enter their password. Bidirectional
Authentication is an aspect of authentication.

[Figure: User ↔ Server/Service, authenticating in both directions]

Out-of-Band Authentication

Out-of-Band Authentication is where part of the communication with a
service is done outside the main line of communication. This has been
implemented by sending an email or making a phone call with a password
when the end-user attempts to log in. Out-of-Band Authentication is an
aspect of authentication.

[Figure: User and Server/Service, with E-mail/Phone as the out-of-band channel]


Non-Linear Authentication SM
Non-Linear Authentication SM has three players: the End-User, the Service
(an agency’s internal network and business applications) and the
Authentication-Service (Auth Server). Non-Linear Authentication SM is
where both the End-User and the Service have to authenticate to the Auth
Server. The End-User first picks a Service to log in to; the Service then
authenticates itself to the Auth Server; next the End-User authenticates to
the Auth Server; finally the End-User logs in, and it is at this point that the
Service checks independently with the Auth Server to see whether the End-User
has authenticated. This is also the point at which the End-User receives their
access rights.
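The four-step flow above, modelled as an added Python example (not the whitepaper's or MSK's own code): the Auth Server holds a salted SHA-256 verifier of the End-User's PIN (the salted SHA from the "Proven technologies" list) plus a token key, and both the Service and the smart token answer HMAC challenges. The PIN and HMAC mechanics, the names alice and bank, and the access-rights list are assumptions; the page does not describe how credentials are actually verified.

```python
import hashlib, hmac, secrets

def salted_sha256(pin: str, salt: bytes) -> bytes:
    # Per-user random salt: equal PINs hash differently, so rainbow tables do not apply.
    return hashlib.sha256(salt + pin.encode()).digest()

def respond(key: bytes, nonce: bytes) -> bytes:
    # Challenge-response over a fresh nonce: prove possession of a key without sending it.
    return hmac.new(key, nonce, "sha256").digest()

class AuthServer:
    """Both the Service and the End-User authenticate here; the Service never sees the End-User's secrets."""
    def __init__(self, services):
        self.services, self.users, self.rights = services, {}, {}   # services: sid -> shared key
        self.svc_ok, self.user_ok = set(), set()

    def enrol_user(self, user, pin, token_key, rights):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, salted_sha256(pin, salt), token_key)
        self.rights[user] = rights

    def authenticate_service(self, sid, nonce, response):
        # Step 2: the Service proves it holds its shared key before it may query anything.
        key = self.services.get(sid, b"")
        if key and hmac.compare_digest(respond(key, nonce), response):
            self.svc_ok.add(sid)
        return sid in self.svc_ok

    def authenticate_user(self, user, sid, pin, nonce, response):
        # Step 3: the token authenticates directly to the Auth Server (PIN = know, token key = have).
        salt, verifier, token_key = self.users[user]
        if (hmac.compare_digest(salted_sha256(pin, salt), verifier)
                and hmac.compare_digest(respond(token_key, nonce), response)):
            self.user_ok.add((user, sid))
        return (user, sid) in self.user_ok

    def check_login(self, sid, user):
        # Step 4: the Service checks independently; rights are released only when both have authenticated.
        ok = sid in self.svc_ok and (user, sid) in self.user_ok
        return self.rights[user] if ok else None

def run_flow(pin="1234", service_authenticates=True):
    # Constructed walk-through: user "alice" picks service "bank" (step 1), then steps 2-4.
    svc_key, tok_key = secrets.token_bytes(32), secrets.token_bytes(32)
    srv = AuthServer({"bank": svc_key})
    srv.enrol_user("alice", "1234", tok_key, ["view", "transfer"])
    n = secrets.token_bytes(16)
    if service_authenticates: srv.authenticate_service("bank", n, respond(svc_key, n))
    srv.authenticate_user("alice", "bank", pin, n, respond(tok_key, n))
    return srv.check_login("bank", "alice")  # None unless both sides authenticated
```

A wrong PIN, a missing token response or a Service that skipped step 2 all leave `check_login` returning None, which is the property the flow relies on.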

Linear Authentication

[Figure: Linear Authentication. Left: User ↔ Server/Service. Right: User ↔ Authentication server/service ↔ Server/Service 1, 2 and 3]

Non-Linear Authentication SM

[Figure: Non-Linear Authentication SM. User 1 presents Out-of-Band Credentials to the Authentication server/service, which holds the Secure Information; Servers 1, 2 and 3 each connect to the Authentication server/service]


How the MSK Digital ID™ Works

All businesses and agencies have sensitive data and must simultaneously
protect it and provide access to it. To do this effectively, a proven system for
user authentication is required. The ideal system provides top-level security
with cost-effective deployment and maintenance as well as ease of use. MSK
offers identity and access management solutions that meet these
requirements. MSK delivers enterprise-grade user authentication that is
more powerful than existing PKI technologies, without the complexity,
overhead and risk associated with solutions that require key
management and storage. To deliver powerful authentication with minimal
overhead, MSK takes the proven two-factor method to a new level of ease of
use and security. MSK also adds another level of security by having the user’s
authentication done directly between the smart security token and the
authentication server. This direct connection allows the token to provide
Bidirectional authentication and Out-of-Band authentication at the same time.

[Figure: Example: Banking Site Login, Bi-Directional Authentication. First Factor: something you know. Second Factor: something you have. Second Factor if you are not on an authorized PC.]


Transactional Verification for Banking

[Figure: out-of-band verification of the account where funds are coming from, and of the amount and where the funds are going; also applied to payment processing and Digital Signatures]


HASP (Hardware Against Software Piracy)

MSK Digital ID™ has an optional HASP feature that allows Software on
Demand from a specific machine or a predetermined network of machines;
this guarantees the highest level of controlled access. Users can be limited to
a specific machine or group of machines, preventing password sharing. All of
this is accomplished without the need to install cumbersome software or
hardware.

- Provides a better way to meet compliance
- Enables more control over use of service
- Ensures controlled access to sensitive data

From the Point of Authentication:

Data Protection:

Unauthorized Users:
• Phishing
• Man-in-the-Middle
• Key Loggers
• Password Sharing
MSK Security will protect you from all of these attacks.

Insider Threats:
• Audit Trails
• Identity and Access Management
The MSK Web Management™ solution includes full audit trails, granular to any
machine that attempts to log in. The solution includes single-point
provisioning and single-click removal or de-provisioning.

System Protection:

Injection attacks:
• SQL Injection
• Cross-site scripting
Injection into buffer fields (such as the username and password fields) can
damage a system. MSK removes the buffer fields; this reduction of the
attack surface eliminates injection attacks.


MSK Digital ID™ Smart Token

System requirements
The Security Token runs under Microsoft .NET Framework v1.1.4322 and
above. The .NET Framework is included with Windows XP Service Pack 2 and is
part of the OS for Windows Vista and Windows 7. The MSK Security Smart
Token requires no installation; it is a stand-alone executable that runs when
double-clicked. Full testing has been done on Windows 2000, Windows XP,
Windows Vista, Windows 7 and Windows 2003 Server. The Security Token
will recognize Firefox 2.0 and earlier; the most common implementation is
under Internet Explorer 5.0 and above, which includes the latest version,
Internet Explorer 8.0. Testing has also included Mac computers running
virtualized versions of the Windows OS.

Implementation

There are two ways to implement MSK Digital ID: the first is our SAAS model,
the second a self-hosted model. Our SAAS model has only a small per-seat
license. The self-hosted model requires a secure MSK Security
Authentication Server and Branded Smart Tokens that will only
communicate with the self-hosted Authentication Server. The physical
server requires Windows 2003 Server; other requirements will vary
depending on the implementation (firewalls, proxies, monitoring services,
secure hosting services, i.e. a SAS 70 datacenter).

Our SAAS (Software-As-A-Service) model is by far the most robust and the
far less costly option. Traditional two-factor solutions require distribution and
life-cycle management of expensive hardware tokens that need to be
synchronized with expensive on-premise authentication servers that require
expensive on-premise maintenance. Distribution of the MSK Security Smart
Token is quick and easy. The MSK Web Management™ system is included
as part of the service, not an extra piece of software that needs to be
installed, maintained or licensed. The optional HASP (Hardware Against
Software Piracy) feature is included as part of the offering. The Smart
Tokens can be married to one or more computers, preventing them from being
used on non-authorized computers. Scalability is quick and limitless. With
traditional systems this process can be very painful and expensive.


Proven technologies and best practices

Proven technologies included with the system are as follows:

• 128-bit SSL (Secure Sockets Layer)
• 256- or 512-bit SHA (Secure Hash Algorithm)
• One-time-only salted SHA (random data added to the input before hashing,
to defeat rainbow-table attacks)
• .NET (managed software framework that is kept up-to-date)
• SQL (Structured Query Language) used for high-performance data
management
• Windows Server 2003
• SAS 70 Type II Data Center
