Lazybit

Last week we've released an update of the SmartKey library, one of the additions is compatibility with ACOS5 cards provided by ACS. Now these cards can be used with any of our data encryption or user authentication software, provided the cards were formatted with this version of the Key Formatting Tool. The tool is not yet officially released, because other features are being added; however, ACOS5 support is now thoroughly tested.

• The capacity of the card after formatting is about ~30 K;
• Dekart formatting can be done before and after formatting with another vendor's tool, therefore the card can be used for other, non-Dekart programs too;
• No transport key is required when the card is formatted.

To find out what SmartKey is, take a look at the timeline of Dekart software; you might also be interested in checking out the list of other supported hardware.

Here is a set of points that emphasize the benefits of a smart-cart or token-based authentication solution, coupled with biometric authentication; the example is focused on Dekart Logon for Citrix, but it also applies to other user authentication software by Dekart.

Q: what are the benefits of using your product? Am I simply substituting a PIN for a user/password combination? And can an external user without a flash drive or smart card still access the server?
A: Dekart Logon for Citrix is not a server-side application, it should be used on the clients.

The benefits can be summarized as:

• users don't have to enter passwords manually
• therefore you can use extremely complex passwords (they won't have to memorize them anyway)
• since they don't have to memorize them, you can be sure your passwords won't show up in clear-text on sticky notes, or written somewhere under the keyboard, etc
• the fact that the credentials are stored on a smart card means that brute-force attacks are out of the question
• optional biometric authentication takes that one step further

• the software can also be used with flash disks, being entirely self-contained:

  • the Citrix client itself can be migrated to the USB disk
  • and the same applies to our program
  • as a result, an end-user can plug the USB drive into any computer (even where the Citrix ICA Client is absent), and log on to the Citrix server. (Of course, this is also possible if you use a web-based client, but in that case you have to beware of keyloggers [note: we have a solution for that too])

In this case the user is immune to keyloggers. Even if the keylogger manages to capture the PIN:

• they won't obtain the connection credentials themselves, therefore they won't be able to connect to the server without actually having the smart card (token, or USB drive)
• and even if they do - you can use biometry as an added layer of security
• further, the program can be installed in 'simple' and 'advanced' modes. In the first case, end-users can only connect to predefined servers, they cannot change the credentials, nor see the connection details - this makes the system fool-proof.

And as a side effect, this also means that unloyal end-users won't be able to disclose confidential data even if they want to. In other words, you can implement the "need to know" approach, by not giving users more information than they actually need to get their work done.

The data stored on USB drives are encrypted with AES-256 bit, our implementation of the algorithm is certified by NIST. This is much stronger encryption than the one used by the Citrix client itself.

Q: And can an external user without a flash drive or smart card still access the server?
A: Technically, this is possible, but you can counter that by:

• using extremely complex passwords, or randomly generated ones
• not disclosing them (just write the credentials to a key and issue it to an end-user)

You will probably want to take a look at Key Manager, this is the tool that allows you to write credentials to keys, make copies, edit contents of a key, etc.

Note - you can do these with Dekart Logon for Citrix itself, but if you're planning to operate with many keys (in a corporate environment), you'll find Key Manager very useful. A license for the tool is given for free if a certain number of licenses for Logon for Citrix is purchased.

Q: Couldn't someone with a citrix client installed on their machine get to my server logon screen on the remote machine and execute a brute force attack there?
A: Although that is technically possible, it is not an optimal scenario for the attacker to use:

• most network admins configure the servers in a way that prevents any host from connecting again if they've connected N times during the last M minutes (to prevent brute force attacks, conserve CPU cycles and network bandwidth, thus avoid denial-of-service attacks)
• from the attacker's point of view, the bottleneck of the procedure is the network bandwidth. When brute forcing a local resource, it goes much quicker because reading/writing RAM is much faster than crafting a packet, sending it over the network, then waiting for a response from the server, etc.

In other words, a local brute-force attack can take thousands or millions of years, while doing it over the network is totally insane. It may only work for trivial passwords such as '11111' or ones that can be found in any dictionay. But even in that case, a dictionary attack won't be feasible if the network admin took the right measures and prevents one from physically connecting to the server if they've had too many unsuccessful attempts.

Finally, the last detail is that you can use randomly generated passwords, which are extremely long - brute forcing THAT is impractical.

If I were an attacker, I'd try to find alternative ways, such as social engineering applied against a naive employee.

Some might be interested in the history of data encryption programs developed by Dekart. The chronology is a bit different from what one expects, so here are some facts about what happened, as well as some ideas about what might happen in the future.

The first program in the line is Private Disk Multifactor, which was released somewhere in 1999; at that time it was called "Private Disk". This is a smart-card/token -oriented encryption tool that appeared as a "side effect" of Dekart's initial exposure to smart-card payment systems. It makes possible the use of three factors of authentication, adding a BioAPI or HA-API compliant scanner to the authentication procedure.

Some of Multifactor's core components are:

• The Smartkey library - it acts as an abstraction layer, providing a unified interface to a broad range of key storage devices such as smart cards, tokens. The list was further extended, encompassing floppy disks and CDs. Support for flash memory storage is now there as well (ex: SD or MMC cards, or digital mp3 players that are detected as mass storage class devices)
• Dekart BIOAPI - this library allows BioAPI and HA-API biometric scanners to be used in the same way, hiding the low-level details from the coder.

Other important components, such as the on-the-fly encryption, and the virtual drive mechanisms were tightly coupled to the program's source code. Later they were moved to a different module, to make maintainence easier. This is how Private Disk API was created.

Private Disk Light was released in 2001, being a "Hello world" application that demonstrates how the Private Disk API works. Eventually the program became more than just a simple demo.

In 2003 it was decided that Private Disk Light would evolve as Private Disk, a commercial product; the Light version continues to be a free encryption program. This is when the original "Private Disk" became "Private Disk Multifactor". It was expected that such a change would cause a confusion among end-users, but the transition went surprisingly smooth.

Throughout this time, Private Disk API was only used internally by Dekart developers. It was decided that the API would become a product on its own, which would encourage others to build their own encryption software with minimal time investments. The API was documented, and along with several sample projects, it is distributed as Private Disk SDK, the first date of release is August the 5th, 2005. The SDK is a very easy way to build a robust encryption solution, not only that it was tested by time (since Private Disk relies on the exact same API), but it also relies on NIST-certified cryptographic modules for encryption and hashing. Certification is handled by Dekart, so the coder who uses the SDK can have this at no additional cost. Other things that are there - support for 64-bit platforms (AMD64 and IA-64), as well as Windows Vista compatibility.

2006 is an important point on the timeline, Dekart has released Private Disk Multifactor 2.0, it was shown to the public during the Systems 2006 expo in Munich. This is a special release, the most important detail about it is that it relies on Private Disk API, rather than its old codebase.

(A silent photo of the Dekart-Ritlabs stand in Munich, click to enlarge)

At that point Multifactor became a super-set of Private Disk, if compared by the available features. This brought tools such as Disk Firewall, Autorun, Autofinish to the community of Private Disk Multifactor users. All of this happened without hindering the mobility of the program - Multifactor is fully self-contained, thus it can be used directly from a removable drive on another computer. Of course it is a bit different, because if multiple factors of authentication are used, drivers for the additional hardware are needed. However, if a USB drive (or a smart card reader for which Windows will automatically find a driver) is used as a key - two-factors of authentication can be applied.

The 2.0 release had a significant impact on the speed of development, because any change made in the underlying API would automatically become a part of Private Disk and Private Disk Multifactor.

It is now being discussed whether PD and PDMF should be merged into a single product, but a decision was not made yet.

Since several APIs were mentioned, it should be noted that Smartkey is also going to be available as a separate SDK. This makes the development of smart-card based solutions incredibly simple. Ease of use is not the only advantage; besides the fact that the API was thoroughly tested and used for many years, it provides compatibility with a lot of smart cards, tokens, and other types of storage devices.

Another important detail is that Smartkey interacts with the smart cards and tokens via APDU commands. As a result, the library is very light, and there is no need to install additional modules that came from the card or token manufacturer. A positive side-effect is that Smartkey can be used to build portable programs (i.e. programs that do not require a local installation).

Dekart also plans to release an API for SIM card management, as well as the biometric API which is used internally; it is not certain when they will become available to the public, but it is going to happen after Smartkey SDK is officially released. At that time it will probably be known as "Dekart Smart Card SDK".

We have recently released Private Disk Multifactor 2.0, a huge step forward in 'multifactorian history'. I will explain how one can migrate a Private Disk encrypted image to a Private Disk Multifactor encrypted image; in other words - how to use smart-card or token authentication for an image which used to be mounted by typing a simple password.

1. Make a backup copy of the encryption key (by pressing Copy in the Recovery tab);
2. Connect the smart card or token to the system, then press Restore on the same tab;
3. You will be asked to locate the backup copy you made at step#1, then enter the PIN of the token or card. If you don't have a PIN yet, it is strongly advised to set one.

That's all. It should also be mentioned that the image can still be mounted with a password, and with a smart card or token, thus different people can access the data without having to know each other's password or PIN.