 White Paper

DynaPass - Wireless Secure Access

  1. DynaPass - the 'Open Sesame' system
  2. The Problem?
  3. What would solve the problem?
  4. Is this your requirement?
  5. What about the users?
  6. What do you need at Head Office?
  7. Know more about Dynapass security?
  8. What about the cellular phone?
  9. How does a 'receive only' phone work?
  10. How can a 'send and receive' phone work?
  11. How to manage DynaPass?
  12. What has happened?
  13. What about DynaPass technical environment?
  14. Dynapass Questions and Answers
  15. April system design with references

DynaPass - the 'Open Sesame' system

Do you know, for sure, who is accessing your databases and your private information?

Do you really know it is YOU alone - physically - that is 'logging in' to your system with your private keycode? Or could it be someone else that has knowledge of your key?

How to verify and guarantee that YOU - in any situation - are YOU?

Imagine if there was a key you cannot lose, forget or leave in the wrong hands - it is exclusively yours, a key you get every time you need it and in between it does not exist! Well, there is...

Imagine if there was a secure access system - handling 'one-time' passwords for thousands of users - with almost no administration! Well, there is...

DynaPass - the 'Open Sesame' system solves the problem.

The Problem?

There are many aspects to the word security. In the world of computers and communication networks, security is often reduced to some way of encrypting the data and storing it safely. Encryption is essential to protect the data from unauthorized access, but even more important is to verify the identity of the individual trying to access the data, and to protect the key required to decrypt it.

In most systems, the user logs on with a user account and a password. The account determines the access rights; the password is the only proof that the person presenting the account is its owner. In some cases the password also feeds into the encryption process. The mechanism provides security only as long as the account and password are known to one individual, and only for a limited time: the longer a password stays valid, the more time an intruder has to discover it and, where the password also protects the encryption key, to decrypt the user's data.

Almost all systems can enforce a password-change schedule, but in practice the password 'lives' for weeks or months because frequent changes are an administrative burden. People also have a taste for comfortable solutions, so most users select passwords that are easy to remember, and therefore easy to 'share with others' and unfortunately relatively easy to guess or deduce. Furthermore, the user account stays open for 'research and manipulation' by the 'evil hacker' even when the user is 'off duty'.

Particularly on the Internet, where information passes through numerous routers, switches and computers on its way between the user and the host system, it becomes clear that you need a system that identifies the individual in a simple and secure way and maintains account and password integrity.

User accounts must not be left open for exploration; passwords must live only for a limited time, must be impossible to guess and must be easy to administer.

What would solve the problem?

April System Design provides a software product that addresses the issues discussed above. The product, called DynaPass, takes advantage of cellular phone technology, for example GSM, to reach the individual, provide the user with a 'one-time' password and activate the user account only for the time that the user is active.

The cellular phone itself is protected by a personal code (PIN). The subscription and access to the network are controlled and protected by a mechanism built into the phone, in GSM the SIM smart card. Together these bind the handset to its holder: whoever holds the phone and knows its PIN receives the password. Note that this is proof of possession of the device rather than proof of identity, which is why a lost or stolen phone must be reported promptly (see 'What about the cellular phone?' below).

DynaPass automatically activates your user account and assigns a randomly generated password for you every night. The password is sent as a message to your phone. Open your phone and there it is!

Use the received password together with your account to 'log in' to the system. The user account and password are active for a configurable period and are deactivated at the end of it.

The method guarantees a fresh, randomly generated password for every activation and requires no administration of passwords. Delivery is 'out of band', i.e. the channel used to deliver the password is separate from the channel used to 'log in'.


Is this your requirement?

It is important that administration is kept to a minimum and that the user account is still created and maintained in one place only.

The user should not be required to carry any physical devices (tokens, cards etc.) other than his normal working tools.

It is also important that the user verification method is available to all users. This gives a uniform login process in all situations, regardless of the user's physical location.

The system should also be 'forgiving': if you have forgotten your password you should know that you can always request a new one. There is then no reason for the user to write the password down on a piece of paper that could be exposed to others.

The active password must be distributed to the user over a communication link that is completely separate from the link used by the user's terminal.

DynaPass lives up to it all!


What about the users?

DynaPass can be used as the standard procedure for all users in the domain, or it can be assigned to specified users or accounts that require extra security, for example remote users. Users can be local, from other domains, dial-in, temporary or travelling.

DynaPass is designed to work with cellular phones capable of receiving messages. In other words, the user needs, if he does not already have one, a cellular phone with at least a receiving feature.

If the phone can also send messages, for example a GSM phone, the user can initiate a new password himself whenever he likes.


What do you need at Head Office?

DynaPass runs as a service in the Windows NT environment. It can be installed on the master domain controller or on any NT workstation or server in the network.

DynaPass also runs on a Linux platform.

In addition, a GSM phone is connected to a COM port on the PC; DynaPass uses it to receive and send SMS messages. That host and its serial link handle every generated password in clear, so the machine should be treated as a sensitive system and protected accordingly.

Know more about Dynapass security?

An option is available where the user also has a personal secret code (prefix) to be used in combination with the DynaPass 'one-time' password. This provides extra security and means that only one part of the password is ever exposed in the phone: someone who reads the message, or picks up the handset, still lacks the prefix.

The deactivation conditions of an account can be configured in several ways, such as setting time limits for the 'login' and for the account as a whole. This is controlled from the DynaPass User Manager on a per-user level.

DynaPass is very 'forgiving'. If you have lost your password you just ask for a new one. For example, you may suddenly become busy with other things and therefore miss your 'login' window within the configured time.

DynaPass also gives you the option to secure your account immediately by requesting a new password. You can, for example, let someone 'borrow' your password to perform a certain task and, when it is done, block further use by requesting a new one.

What about the cellular phone?

The cellular phone verifies the user's identity. Firstly, the subscription and access to the network are controlled and protected by a mechanism built into the phone, in GSM the SIM smart card. Secondly, the phone is protected by a personal code (PIN).

What happens if I lose my phone?

Obviously the user is required to handle his phone with care. If the unit is stolen it should be reported to the operator using the standard procedures. The operator will bar the subscription very quickly, which also stops the particular phone from being used to log on to the computer system. Alternatively, call your administrator to close your account.

The system administrator should also be notified in order to permanently remove this phone from the list of active members.

What happens if I lose my password?

Users with a phone that has SMS sending capability can request a new one at any time by sending a message to the central system. Within a few seconds the new password will appear in their phone.

Users without SMS sending capability will have to ask the helpdesk to 'kick-start' the process. The new password will appear in the phone within a few seconds.

How does a 'receive only' phone work?

1. DynaPass activates the user account and assigns a randomly generated password once a night.

2. The password is sent as an SMS message to the user's phone, every night.

3. Open your cellular phone with the personal code (PIN).

4. Within the configured validity period, use the received password together with your user account to log in to the system.

The user account and password are active only for a short time and are deactivated when the configured period ends.

Automatic distribution of passwords.


How can a 'send and receive' phone work?

1. Open your phone, for example a GSM phone, with the personal code (PIN).

2. The user verification process starts by sending an SMS message from the phone to a specific number.

3. DynaPass detects the incoming message and matches the sender's phone number against the DynaPass database. If the sender is found, DynaPass activates the corresponding user account and assigns a randomly generated password.

4. The password is sent as an SMS message to the user's phone, that is, to the number registered for the account, not to whatever address the request appeared to come from.

5. Within the configured validity period, use the received password together with your user account to log in to the system.

The user account and password are active only for a short time and are deactivated when the configured period ends.

User-initiated distribution of passwords.
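The two procedures above, together with the prefix option from 'Know more about DynaPass security?', as an added worked example written for this page. It is not April's code and DynaPass internals are not published here; it models the cycle in Python with an in-memory user database, a simulated SMS outbox standing in for the GSM phone on the COM port, and an injectable clock so that expiry can be exercised. The account names, phone numbers, prefixes, validity periods and the 8-character password length are all constructed for the example. The event log follows the page's rule that the content of the outgoing message is never recorded.

```python
import secrets
import string
from datetime import datetime, timedelta

# Constructed user database for this example (names, numbers and prefixes are made up).
# Each profile mirrors the fields the DynaPass User Manager keeps per account:
# registered phone number, optional secret prefix, validity period for a password.
USERS = {
    "harry": {"phone": "+46700000001", "prefix": "4711", "valid_minutes": 30},
    "sally": {"phone": "+46700000002", "prefix": None, "valid_minutes": 10},
}

OTP_ALPHABET = string.ascii_letters + string.digits
OTP_LENGTH = 8   # assumed length; the page does not state the real one


class DynaPassSim:
    """Illustrative model of the issue/deliver/login/deactivate cycle, not April's code."""

    def __init__(self, users, now):
        self.users = users
        self.now = now          # injectable clock so expiry is testable offline
        self.active = {}        # account -> (otp, expires_at); absent means account closed
        self.outbox = []        # (phone, text) messages "sent" to handsets
        self.events = []        # (time, kind, fields); never holds the password itself

    def _log(self, kind, **fields):
        self.events.append((self.now, kind, fields))

    def _issue(self, account, trigger):
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        profile = self.users[account]
        expires = self.now + timedelta(minutes=profile["valid_minutes"])
        self.active[account] = (otp, expires)          # activates the account
        self.outbox.append((profile["phone"], otp))     # out-of-band delivery to the registered number
        self._log("password_sent", account=account, phone=profile["phone"],
                  trigger=trigger, expires=expires.isoformat())
        return otp

    def nightly_distribution(self):
        """'Receive only' phones: one fresh password per account, every night."""
        return {acct: self._issue(acct, "nightly") for acct in self.users}

    def handle_inbound_sms(self, sender_phone):
        """'Send and receive' phones: match the sender against the registered numbers."""
        self._log("sms_received", phone=sender_phone)
        for acct, profile in self.users.items():
            if profile["phone"] == sender_phone:
                return self._issue(acct, "user_request")
        self._log("sms_rejected", phone=sender_phone)
        return None

    def deactivate(self, account, reason):
        if self.active.pop(account, None) is not None:
            self._log("account_deactivated", account=account, reason=reason)

    def login(self, account, password):
        """Accept prefix + OTP once, only while the account is active and unexpired."""
        entry = self.active.get(account)
        if entry is None:
            self._log("login_failed", account=account, reason="not_active")
            return False
        otp, expires = entry
        if self.now >= expires:
            self.deactivate(account, "expired")
            self._log("login_failed", account=account, reason="expired")
            return False
        expected = (self.users[account]["prefix"] or "") + otp
        if not secrets.compare_digest(password.encode(), expected.encode()):
            self._log("login_failed", account=account, reason="bad_password")
            return False
        self.deactivate(account, "used")   # single use: a replay now fails as not_active
        self._log("login_ok", account=account)
        return True


def run_scenario():
    """Walk through both distribution modes and return the observable outcomes."""
    sim = DynaPassSim(USERS, datetime(2001, 5, 7, 2, 0))
    issued = sim.nightly_distribution()
    harry_otp = issued["harry"]
    r = {}
    r["sms_to_harry"] = (USERS["harry"]["phone"], harry_otp) in sim.outbox
    r["otp_alone_rejected"] = sim.login("harry", harry_otp)          # prefix missing
    r["prefix_plus_otp_ok"] = sim.login("harry", "4711" + harry_otp)
    r["replay_rejected"] = sim.login("harry", "4711" + harry_otp)    # already consumed
    r["unknown_sender"] = sim.handle_inbound_sms("+46709999999")     # number not in database
    sally_otp = sim.handle_inbound_sms(USERS["sally"]["phone"])
    sim.now += timedelta(minutes=11)                                  # past the 10-minute validity
    r["expired_rejected"] = sim.login("sally", sally_otp)
    # Page rule: outgoing message content (the password) must not appear in the log.
    all_otps = list(issued.values()) + [sally_otp]
    r["log_free_of_passwords"] = not any(o in str(ev) for ev in sim.events for o in all_otps)
    r["event_count"] = len(sim.events)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the block prints the outcome of each step. Two points the code makes explicit that the procedure lists leave implicit: the reply always goes to the number registered for the account, so a request forged with someone else's sender number (SMS originating addresses are not strongly authenticated at every gateway) only causes a password to land in the legitimate user's own phone; and the password is consumed on first successful login, so a value read over someone's shoulder cannot be replayed afterwards.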


How to manage DynaPass?

The DynaPass User Manager is the only part of DynaPass that is normally visible to the administrator. Its purpose is to give the administrator a simple way to connect a user account with a phone number. The User Manager allows you to change, add or delete the phone number associated with a user account. It also provides a way for the administrator to 'kick-start' the process for an individual user. Because the registered number is where every password is sent, changing it is a security-relevant operation and should be done only after the user's identity has been verified.

New user accounts must always be added using the standard tools provided for your network environment. The accounts must exist in that environment before they can be activated in DynaPass. Accounts removed from the network are automatically removed from the DynaPass administration at the next startup or at the next request for a new password.

A DynaPass database is built and maintained by the User Manager. The list of users is currently picked up from the NT master domain controller or from the user information in the Linux system.

The DynaPass database contains the profile for each account. Apart from the phone number, the profile describes the conditions that apply once the password is generated, such as the expiration time and the selected password prefix.


What has happened?

To be able to follow up what has happened in your system and who has accessed it, all important DynaPass events are logged in the system event log. All incoming calls/messages are time-stamped and recorded, as are the outgoing messages. The content of the outgoing message (the password) is not recorded, for security reasons, so the log can be read by operations staff without exposing live passwords.

Use the NT Event Viewer to see the DynaPass activities and history.

 


What about DynaPass technical environment?

NT environment

Alternative 1. DynaPass installed on the NT Domain Controller.

 

Alternative 2. DynaPass installed in an NT workstation.

Linux environment

DynaPass installed on a Linux server.

 

DynaPass Questions and Answers

What happens if I lose my password?

Users with a phone that has SMS sending capability can request a new one at any time by sending a message to the central system. Within a few seconds the new password will appear in their phone.

Users without SMS sending capability will have to ask the helpdesk to 'kick-start' the process. The new password will appear in the phone within a few seconds.

What happens if my phone is 'out of range' or turned off when the password is distributed?

The SMS message will be delivered as soon as the phone is 'detected' by the network i.e. when the phone is switched on or when it comes within range.

Are there other ways to distribute the password?

Yes, DynaPass has the option to distribute the password through other channels, for example a nationwide paging system. However, for security reasons the channel must be encrypted 'in the air'; an unencrypted pager broadcast can be read by anyone with a receiver.

My network operator has a gateway for sending SMS messages, can DynaPass use that?

Yes, DynaPass has support for a range of methods and protocols to access SMS centers.

Can I combine automatic distribution and distribution on request?

Yes.

What about capacity? I have 500 users in my domain and they all want to login at nine in the morning, will there be a long wait for password?

No, the automatic distribution is spread over time and the new password is in your phone when you wake up in the morning.

Are there other ways to 'kick-start' the distribution process?

Yes, DynaPass supports different ways depending on your local environment.

If someone calls my helpdesk and claims that he is ME and asks for a new password, will he get it?

No. A new password will be distributed, but it will end up in YOUR phone, because it is always sent to the number registered for your account. This holds only as long as the helpdesk never changes a registered phone number on the strength of a telephone call; that change belongs to the administrator, through the User Manager, after the user's identity has been verified by other means.

What happens if my phone dies?

You will have to fall back to the old procedure and ask your systems administrator or helpdesk for an emergency password.

Does DynaPass change my current procedures for user administration?

No, DynaPass lives alongside your current system. You still add and delete users using the tools provided with your system. DynaPass automatically picks up the changes and lets you easily assign a phone number to the account.

'Harry' is gone for a couple of weeks. Can I stop distribution temporarily?

Yes, ask the helpdesk to deactivate 'Harry' in DynaPass.

Cellular phones use radio waves, can someone listen?

Well, you can listen but not easily understand. Modern cellular networks, for example GSM, use digital transmission and encrypt the radio link between the handset and the base station, so a passive listener with a scanner gets nothing useful.

Two caveats apply. The encryption covers only the radio path: an SMS message, password included, is in clear inside the operator's network, at the SMS centre and on the serial link to the DynaPass host, so those parties and that host must be trusted. And the GSM air-interface ciphers have published cryptanalytic weaknesses, so 'impossible to tap' overstates the protection. What limits the damage from an intercepted message is that each password is valid only for a short, configurable period and for a single use, and, with the prefix option, is useless on its own.


April system design with references

April concentrates upon the development of global software solutions for networking.

April's background, since the company was formed in 1989, is the design of advanced utilities and tools, based on market standards, that simplify communication and dialogue between different technical platforms. Such products are, for example, Fusion95, which connects PC networks with UNIX, and AniTa, which offers a Windows design to text-based applications.

April's focus is on advanced networking products for LAN and WAN, including the Internet. One example is DynaPass, a secure access system based on networking and telephony.

April has development, production and sales in Stockholm, Sweden, and in Irvine, California. April has a worldwide customer base and reseller network. April has a staff of twenty, most of whom are communications specialists.

April's customers and resellers in Sweden include Volvo, Ericsson, EDS, Åhléns, IBM, Enator, OKQ8 and WM-data. Some of our resellers and customers outside Sweden are Nortel Networks, Abacus Systems, ACT and Compaq in USA, AID Computer in France, APT in Holland, CMS in England, Weber Informatik in Switzerland , S.I.G. in Uruguay and NETLAN in Brazil.


© Copyright 2001 Developed by April System Design webmaster@april.se