NASK offers token-based SecurID solutions by RSA (RSA Security Inc.) (www.rsasecurity.com) — the globally renowned manufacturer. RSA SecurID provides reliable user authentication based on two factors: what the user knows (the PIN code that replaces a static password) and what the user has (a token that generates the variable part of a one-time password).
The solution comprises three key elements:
RSA SecurID Concept
The system is based on the typical client-server networking architecture.
The Authentication Manager plays the central and key role in the authentication system. Its clients (agents) can be various systems and network devices: from user account servers, database servers, firewalls and supercomputers to routers, communications servers (supporting various implementations of the TACACS or RADIUS protocols) and network applications. In order to include a device, system or application in an RSA Authentication Manager authentication system with dynamic SecurID identification, its system software has to support the relevant agent or application software that communicates with the Authentication Manager in the user authentication process. This can be done using the existing agent software for the particular system or application or with the API (Application Programming Interface) provided in the RSA Authentication Manager package. When users log in to a system where agent software has been installed, using any terminal, they provide their ID (PIN) and password generated by the token. The request is sent over the network from the agent machine to the authentication server which accepts or rejects the request using a central database of users and their access rights. The decision is returned to the agent (a router, workstation, user account server etc.), and then to the user terminal.
The architecture and general concept of the system are presented below.
User Authentication Process
During the first session, the user’s PIN is generated by the system or chosen by the user. When a session is established with a device in the authentication system (e.g. telnet, ftp, ssh or other SecurID-compatible sessions), the user provides his or her username. If the agent is a computer, it verifies in its configuration whether the user is included in the one-time password system and prompts the user, e.g. “Enter PASSCODE”. Next, the agent software sends a request (the username with the one-time password provided by the user) over the network to the Authentication Manager, which compares the strings of digits (the PASSCODE, i.e. the PIN + TOKENCODE and the string generated by the Authentication Manager for the user). The Authentication Manager returns the result to the agent. The TOKENCODE generation algorithm on the SecurID card and the process dedicated to the given token on the Authentication Manager are synchronized.
Benefits for the Customer
Technical advantages of the RSA solution:
- the open platform enables integration with third-party applications,
- RSA SecurID can protect most applications and networks,
- the RSA solution is compliant with most industry standards.
The standard, comprehensive NASK service includes:
- pre-deployment consulting,
- the installation and implementation of the strong authentication system,
- integration with existing enterprise systems,
- administrative training,
- technical and system development support,
- solution management.
|
