WWPass authentication support for CAS v4.0.0 is now available.
CAS (Central Authentication Service) is a Java-based single sign-on solution for enterprises. See http://en.wikipedia.org/wiki/Central_Authentication_Service.
CAS may be used with Oracle products, Shibboleth federated identity, JAAS (Java Authentication and Authorization Service) and others.
The source code of the module, along with an example application, is available on GitHub.
You can also get the source code on the WWPass developers site.
This new WWPass project is based on the WWPass Java SDK and Java Spring SDK.
After yet another one of my private mailboxes got a warning about hacking attempts, I set out on a quest for advanced security. Just in time, WWPass has released the mobile PassKey for Android.
The smartphone is now going to play the part of my previous WWPass PassKey USB token, with the convenience of only needing to carry my phone.
I plan to use the WWPass password manager, BlackBook. This will act as another line of defense while I am trying to secure my login credentials.
Why does it make sense?
Most websites request that you use highly complex usernames and passwords, which are even more difficult to remember. By using a password manager, the need to remember these username and password pairs is removed because the PM does all the work!
But there’s one big fault with password managers: they have a master password that opens the door to scores of credentials stored inside. Once the master password is cracked, all stored credentials are exposed and vulnerable, rendering the password manager useless.
Last week private nude photos of some celebs stored in Apple iCloud appeared on the web for everyone to see.
How exactly it was done is still unknown, but weak passwords and lack of encryption seem to account for 90% of the vulnerability, in this case as in most cases.
Ideally the photos should have been encrypted, but most users neglect to do so. Cloud services sometimes don’t care much about encryption. Add some easily guessed simple passwords to this story, and here’s what we get: privacy is easily compromised.
This is exactly why we invented WWPass. We guard not just users’ information but also encryption keys, and we store them so that no one but the key holder can retrieve them. If, say, Jennifer Lawrence had been using a PassKey, she would have been able to encrypt the photos and store the encryption credentials and metadata anonymously with WWPass. And if the data got stolen from iCloud, it would be virtually impossible to decrypt without (1) obtaining from the user and (2) hacking the WWPass PassKey device.
Although I do not usually send out any nude photos, I have my bank account data to take care of. Double security makes me sleep better.
A one-time password (OTP) is a password that is created for, and valid for, only one login session or transaction. Unlike static passwords, OTPs are not vulnerable to replay attacks: if an OTP becomes known to a potential intruder during the login procedure or any transaction, there is no opportunity to abuse it, because after that transaction it is no longer valid. OTPs do have a serious drawback, though: it is difficult for people to memorize them.
Besides traditional passwords and OTPs, there are more ways to keep data secure; one of them is using hardware cryptographic tokens.
When comparing WWPass hardware tokens with one-time passwords, several core advantages can be seen. WWPass, unlike many other companies, provides its clients with both hardware devices (cryptographic microcomputers) and access codes, which users can set themselves while still remaining secure.
WWPass technology allows using only one hardware device for multiple services while still providing high data security. Moreover, all WWPass customers can manage their PassKeys on their own, without relying on a third party: a self-service portal lets them create additional keys and deactivate lost or stolen keys.
The WWPass PassKey is a hardware token containing two microchips: the Secure Element (SE) and the Microcontroller Unit (MCU). The SE is a Java smart card, a highly secured system on a chip (SoC) capable of running Java applications. It stores the cryptographic material needed to access WWPass user information in the WWPass Secure Cloud and can also perform various cryptographic operations within the secure platform.
The MCU firmware acts as a bridge between the Secure Element and applications on the computer, transferring data between them. It has no access to the secure credential information stored on the Secure Element, so it can run on significantly less secure hardware.
In most cases a user realizes the value of secure authentication only when they need to protect sensitive personal information like credit card numbers, social security numbers, etc.
Nowadays the number of users relying on mobile devices is increasing dramatically. However, many mobile applications, e.g. banking apps, are still at an early stage of development.
First of all, current mobile banking apps are not really secure. For instance, standard SMS-based authentication has some serious drawbacks. Most of them still use a username and password pair. Customers’ stored information is not private and may easily be accessed by anyone on the Service Provider’s side. Moreover, in the event of theft or loss, anyone can access the customer’s important and sensitive data.
A study has found that 90% of mobile banking apps from top banks have serious security vulnerabilities that could potentially compromise sensitive user data. Security researcher Ariel Sanchez of IOActive recently published his findings after examining home banking iPhone and iPad apps from 40 of the 60 top banks in the world. Here is a sampling of his discoveries:
“A few apps (less than 20%) did not have Position Independent Executable (PIE) and Stack Smashing Protection enabled. This could help to mitigate the risk of memory corruption attacks.”
“40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks.”
1. Users’ data storage
No user database is created; each data block and its name are encrypted with a unique key. Moreover, each block is dispersed into 12 pieces using a Reed-Solomon redundancy code, and the pieces are stored at 12 different geographic locations (data centers). This way fault tolerance is achieved and no single point of failure exists. There are neither data nor passwords to be found, so it is impossible to steal them.
2. Mutual authentication: token/WWPass and SP/WWPass.
3. Token management
WWPass has unique token management scenarios, e.g.:
– either the token owner can disable current keys and create new ones,
– or a system administrator can disable current keys and create new ones, but he/she does not have access to the key owner’s resources.
The number of attempts at entering an invalid access code is limited (3 attempts every 15 minutes), but a key is never blocked permanently. It is also possible to reset an access code with two keys.
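The dispersal described under users’ data storage above, as an added worked example (not WWPass code): a data block is split into 12 pieces with a Reed-Solomon style code over GF(257), so that the loss of some data centers does not lose the block. The threshold of 8 pieces needed for reconstruction is an assumption; the page only gives the count of 12.

```python
# Reed-Solomon style dispersal: N pieces, any K of which rebuild the block.
P = 257         # prime modulus: every byte 0..255 is a field element
N_PIECES = 12   # the page: each block is dispersed into 12 pieces
K_NEEDED = 8    # ASSUMPTION: any 8 of the 12 pieces suffice (not stated on the page)


def _lagrange_at(points, x):
    """Evaluate the unique polynomial of degree < len(points) through `points` at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # den^-1 via Fermat
    return total


def disperse(block, n=N_PIECES, k=K_NEEDED):
    """Systematic encoding: pieces 1..k hold the data bytes of each k-byte chunk,
    pieces k+1..n hold parity values of the polynomial through those bytes.
    Returns {piece_index: [one value per chunk]}; one piece per data center."""
    if len(block) % k:
        block += b"\x00" * (k - len(block) % k)        # pad the last chunk
    pieces = {x: [] for x in range(1, n + 1)}
    for off in range(0, len(block), k):
        chunk = block[off:off + k]
        data_pts = [(x, chunk[x - 1]) for x in range(1, k + 1)]
        for x in range(1, n + 1):
            pieces[x].append(chunk[x - 1] if x <= k else _lagrange_at(data_pts, x))
    return pieces


def reassemble(pieces, length, k=K_NEEDED):
    """Rebuild the original `length` bytes from any k surviving pieces.
    Fewer than k pieces (too many data centers lost) is an error."""
    if len(pieces) < k:
        raise ValueError("need %d pieces, only %d survived" % (k, len(pieces)))
    chosen = sorted(pieces.items())[:k]
    out = bytearray()
    for c in range(len(chosen[0][1])):
        pts = [(x, vals[c]) for x, vals in chosen]
        out.extend(_lagrange_at(pts, x) for x in range(1, k + 1))
    return bytes(out[:length])
```

Parity values can equal 256, so pieces are kept as lists of ints rather than raw bytes; a real deployment would also encrypt the block before dispersal, as the page notes.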
A WWPass token is a cryptographic microcomputer, so it makes it possible to develop applications that operate on a user’s terminal and provide a level of security a computer alone cannot achieve. Some such applications are listed below.
These two applications deal with file encryption. In fact Google Drive, Dropbox, etc. do not encrypt data (on the contrary, the information they store is available to the Service Providers).
The WWPass analogues (PSS, wwSafe) store files in encrypted form. The data may be decrypted on any computer, but only using a WWPass token.
Smart card in the cloud
A WWPass token has enough power to implement the authentication functionality of a smart card. This substantially broadens the field of WWPass use.
Comparison with a regular smart card:
Private key for email encryption
- has to be available in case of smart card loss, to access previous email messages
- should be kept in smart card memory
WWPass solves these conflicting requirements in the following way: a key, encrypted by the token, is stored in the cloud. Disabling a lost token does not lead to loss of the private key. At the same time, the decrypted private key exists only in the token’s memory.
If a card contains several certificates issued by different Certificate Authorities and the token is lost, revoking all the certificates may be a long and complicated procedure. With WWPass technology there is no need to revoke all the certificates; one only needs to disable the token.
WWPass also has the BlackBook application, a password storage service.
An encrypted message is received by the user and decrypted with the token. The data are stored in the cloud and the service is available on any computer.
BitLocker is a Microsoft Windows feature that supports disk encryption. BitLocker can use a smart card to protect access to an encrypted volume, and here WWPass comes in with its smart card functions.
Compared to TrueCrypt, which is cross-platform, BitLocker is only available on Windows. Moreover, only the advanced Pro/Enterprise/Ultimate editions support BitLocker.
Long story short – yes, you can use WWPass to encrypt your data disk, including USB sticks.
Visit the Microsoft page for instructions.
The procedure to create a self-signed certificate and to encrypt a volume may sound complicated, but it is not. You actually should:
- define and set a new key in the Windows Registry
- create a text file using Notepad
- type a command in a command prompt window
- export the newly created certificate to a PFX file
- using the WWPass Dashboard, import the PFX onto your PassKey
And now you are ready to proceed to “Control Panel/System and Security/BitLocker Drive encryption” to actually encrypt a particular disk.
Be aware that, since WWPass relies on the Internet, you will not be able to open your encrypted disk while offline. Do not encrypt your system disk.
The core concept of the WWPass solution is the WWPass Data Container, which is in some sense analogous to a safe deposit box in the non-computer world. Using it, a customer can store valuable and sensitive information in digital form. WWPass provides a unique key to every user (the UserID) and another unique key to the Vendor (the SPID). The SPID is used for each vendor’s specific application, or for a public organization that must authenticate its users. WWPass provides a separate Data Container for each user registration at a particular Service Provider web site or application (that is, for each UserID and SPID pair). To open the Container, two keys are needed: first the user’s key containing the UserID, and second the Service Provider’s key containing the SPID. Thus, a user’s data belonging to different Service Providers are totally independent. A user’s activity cannot be tracked, and personal information that the user chooses to give to one Service Provider will never be given to any other Service Provider without express permission.