Proposed Standards Deliver Flexibility and Choice in Integrating One-Time
Passwords with Enterprise Applications and Infrastructure
RSA(R) CONFERENCE 2005/SAN FRANCISCO, Feb. 15 /PRNewswire-FirstCall/ --
RSA Security Inc. (Nasdaq: RSAS) today announced the release of five open
specifications to simplify the secure integration of various one-time password
(OTP) methods into enterprise applications and infrastructure. A sixth
specification is expected to be released shortly. As strong authentication
evolves into an enterprise-wide solution rather than a point deployment, one-
time passwords must be easily integrated with applications. These open
specifications -- available for public review and comment -- will provide
technology solutions vendors with greater ease and flexibility in integrating
support for a wide range of OTP methods, including time-synchronous, event-
synchronous and challenge-response solutions. Technology leaders such as
Adobe Systems, Check Point Software Technologies, Cisco Systems, Funk
Software, iPass, Juniper Networks, Meetinghouse and Microsoft have endorsed
this effort.
The specifications will be submitted as appropriate to established
standards bodies, such as the Internet Engineering Task Force (IETF) and the
Organization for the Advancement of Structured Information Standards (OASIS).
The EAP-POTP specification, for example, has already been submitted to the
IETF for review. These specifications build on RSA Security's long-
established role as a champion of industry-wide standards, such as Public Key
Cryptography Standards (PKCS), Security Assertion Markup Language (SAML) and
Web Services Security: SOAP Message Security.
Organizations increasingly deploy OTP-based strong authentication
solutions to ensure that only authorized users are able to gain entry to
remote access, enterprise, partner, and consumer resources. These open
specifications will facilitate the broader adoption of strong authentication
through simpler, more cost-effective integration of one-time passwords with
enterprise applications and infrastructure. For businesses, vendor adoption
of these open specifications will deliver enhanced security, reduced
deployment costs, and greater simplicity in authentication. Businesses also
will benefit from the ability to choose the type of credential method that
best serves the organization.
To further industry collaboration on these proposed specifications, RSA
Security is following the same proven process it used when it introduced
PKCS in 1991 -- documents that have since become widely referenced and
implemented. The initial set of six open specifications (five released today
and one to follow) covering the integration and management of one-time
passwords, collectively referred to as the One-Time Password Specifications
(OTPS) documents, is coordinated online at
http://www.rsasecurity.com/rsalabs/otps and available for public review and
feedback. The specifications will be developed further through mailing list
discussions and workshops, with details available from the OTPS website, and
will be submitted to standards bodies as appropriate.
Details on One-Time Password Specifications
Historically, one-time password solutions have involved end-user devices
(tokens) that are not connected to the network or to a client. The end user
reads the one-time password from a display and then enters it into a client.
While this disconnected approach delivers high portability, enterprises are
becoming interested in also supporting connected OTP tokens, which deliver
increased ease of use and flexibility by enabling a user to authenticate
simply by connecting the token (e.g., through a USB connector). Several of
the new OTP specifications are focused on support for connected tokens, while
others are relevant to both connected and disconnected tokens.
The proposed and planned specifications address critical components of OTP
technology integration and management, including the initialization of OTP
credentials, and the retrieval, transport and validation of one-time
passwords. In addition, the proposed specifications also address the five key
areas related to credential lifecycle management: creating, storing,
managing, proving and leveraging credentials. The new OTP specifications fall
into the following three basic areas:
* One-Time Password Credential Provisioning: One-time password
solutions require that an end user's token and the enterprise's back-
end server share the same credential, the secret from which each
one-time password is generated. The combination of connected tokens
and the Cryptographic Token Key Initialization Protocol (CT-KIP)
specification will simplify this credential provisioning, saving
companies time and money while also increasing security.
Specifically, the protocol lets the token and the server derive the
same shared credential from values each side contributes, so the
credential itself is never transmitted, and it does so without
requiring private-key capabilities in the token or an established
public-key infrastructure.
* One-Time Password Retrieval: The OTP retrieval specifications make
it straightforward for more vendors to support connected OTP tokens,
so that end users gain the benefits of connected tokens, in
particular not having to enter one-time passwords manually. By basing
OTP retrieval on well-known and widely implemented cryptographic
token interfaces (PKCS #11 and Microsoft CryptoAPI, or CAPI), the
OTP-PKCS #11 and OTP-CAPI specifications make integrating connected
OTP tokens with a range of applications as simple as possible.
* One-Time Password Transport and Validation: Integrating one-time
passwords with enterprise applications and infrastructure requires a
way for the user to enter an OTP for authentication and for the
application or infrastructure to pass that OTP across the network to
a validation server. Traditionally, this integration has been
accomplished through proprietary APIs or through an authentication
method within RADIUS. Three of the new specifications are intended to
make OTP authentication easier to integrate, giving end users the
ability to strongly authenticate to more applications. Open
specifications for the transport (One-Time Password Web Services
Security Token) and validation (OTP-Validation Service) of OTPs
within Web services protocol environments will remove the integration
obstacles presented by current proprietary solutions. Similarly,
Protected One-Time Password EAP (EAP-POTP) can be used to provide
unilateral or mutual authentication, and to derive key material, in
protocols that carry EAP, such as PPP, IEEE 802.1X and IKEv2.
EAP-POTP is complementary to, but independent of, EAP tunneling
methods such as PEAP, TTLS and EAP-FAST.
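The following model, added here as an illustration and not RSA Security code nor the CT-KIP, OTP-WSS-Token or OTP-Validation Service message formats, shows the two pieces of the OTP lifecycle that the provisioning and validation areas above keep separate: deriving a shared credential from nonces so that the secret never crosses the wire, and a back-end validation service for the three OTP methods named at the top of the release (time-synchronous, event-synchronous and challenge-response). HMAC-SHA256 as the PRF, HOTP-style truncation of HMAC-SHA1 for the OTP itself, a 60-second time step, the window sizes and every name in the block are this example's own assumptions; the transport protection of the token nonce that CT-KIP provides (for example under a server public key) is deliberately omitted.

```python
"""Added illustration of nonce-based OTP credential provisioning (in the spirit
of the CT-KIP bullet) and a validation service for event-synchronous,
time-synchronous and challenge-response OTPs.  Not RSA Security code and not
the CT-KIP, OTP-WSS-Token or OTP-Validation Service wire formats; PRF choice,
OTP truncation, window sizes and all names are this example's assumptions."""
import hashlib
import hmac
import os
import struct

TIME_STEP = 60          # seconds per time-synchronous OTP (assumed)
DIGITS = 6              # OTP length (assumed)


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the specification's PRF (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def provision(key_id: bytes, token_nonce: bytes = None, server_nonce: bytes = None):
    """Token and server each contribute a nonce; both derive the same 20-byte
    credential and neither ever transmits it.  CT-KIP additionally protects the
    token nonce in transit; that transport step is omitted here.
    Returns (credential, confirmation_ok)."""
    token_nonce = token_nonce or os.urandom(16)    # generated on the token
    server_nonce = server_nonce or os.urandom(16)  # generated on the server
    # Each side runs the derivation independently from the two nonces.
    k_server = prf(token_nonce, b"Key generation", key_id + server_nonce)[:20]
    k_token = prf(token_nonce, b"Key generation", key_id + server_nonce)[:20]
    # Server proves possession with a MAC over the token nonce; the token
    # checks it before storing the credential.
    confirm = prf(k_server, b"MAC", token_nonce)
    ok = hmac.compare_digest(confirm, prf(k_token, b"MAC", token_nonce))
    return k_token, ok


def otp(key: bytes, moving_factor: bytes) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA1 (assumed OTP algorithm)."""
    mac = hmac.new(key, moving_factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def event_factor(counter: int) -> bytes:
    return struct.pack(">Q", counter)


def time_factor(unix_time: int) -> bytes:
    return struct.pack(">Q", unix_time // TIME_STEP)


class ValidationService:
    """Back-end validator.  Every accept path records state so that a captured
    OTP cannot be replayed, regardless of which transport (RADIUS, Web
    services, EAP) carried it to the server."""

    def __init__(self, look_ahead: int = 5, time_skew: int = 1):
        self.tokens = {}
        self.look_ahead = look_ahead    # event counters the token may run ahead
        self.time_skew = time_skew      # time steps of clock drift tolerated

    def register(self, token_id: str, key: bytes) -> None:
        self.tokens[token_id] = {"key": key, "counter": 0, "last_step": -1,
                                 "challenges": set()}

    def validate_event(self, token_id: str, code: str) -> bool:
        t = self.tokens[token_id]
        for c in range(t["counter"], t["counter"] + self.look_ahead):
            if hmac.compare_digest(otp(t["key"], event_factor(c)), code):
                t["counter"] = c + 1    # this counter and any skipped ones are spent
                return True
        return False

    def validate_time(self, token_id: str, code: str, now: int) -> bool:
        t = self.tokens[token_id]
        step = now // TIME_STEP
        for s in range(step - self.time_skew, step + self.time_skew + 1):
            if s <= t["last_step"]:
                continue                # not newer than the last accepted step: replay
            if hmac.compare_digest(otp(t["key"], time_factor(s * TIME_STEP)), code):
                t["last_step"] = s
                return True
        return False

    def issue_challenge(self, token_id: str) -> bytes:
        chal = os.urandom(8)
        self.tokens[token_id]["challenges"].add(chal)
        return chal

    def validate_response(self, token_id: str, chal: bytes, code: str) -> bool:
        t = self.tokens[token_id]
        if chal not in t["challenges"]:
            return False                # unknown or already consumed challenge
        t["challenges"].discard(chal)   # single use, whether or not the answer is right
        return hmac.compare_digest(otp(t["key"], chal), code)
```

The design point worth noticing is that each method's replay defence is different: the event validator advances past the accepted counter (and silently burns any skipped ones), the time validator refuses any step not strictly newer than the last accepted one, and a challenge is discarded on first use even when the response is wrong, so a guessed answer cannot be retried against the same challenge.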
"RSA Security supports the technology industry's call for nonproprietary
specifications that allow vendors to easily integrate OTP technology with
enterprise applications," said Victor Chang, vice president of technology at
RSA Security. "Standardization on common integration methods enables both
application and authentication vendors to gain maximum leverage, which
ultimately benefits businesses worldwide as they adopt strong authentication
throughout enterprises and in online commerce."
Technology Industry Validation
Leading technology companies have endorsed the effort to deliver a
standards-based framework for integrating one-time passwords with enterprise
applications and infrastructure:
Adobe Systems: "As businesses begin to deploy strong authentication more
broadly across the enterprise, these organizations must be able to easily
integrate one-time passwords with their popular desktop and server
applications," said John Landwehr, director of security solutions and
strategy at Adobe. "Adobe is pleased with RSA Security's initiative for
delivering open specifications, and we look forward to working with RSA
Security to continue to evolve powerful and easy-to-use authentication
mechanisms for access control and rights management in electronic
document workflows."
Check Point Software Technologies: "Providing nonproprietary methods to
integrate any significant emerging technology is the best way to fuel its
adoption," said Paul Weinstein, vice president of business development at
Check Point Software Technologies Ltd. "RSA Security's proposed open
specifications for one-time passwords will serve the IT security industry
by enabling technology solution vendors to integrate one-time password
technology throughout the enterprise."
Cisco Systems, Inc.: "Cisco is pleased to see these proposed One-Time
Password (OTP) specifications, as they will allow the security IT
industry to deliver more secure access solutions of greater value at a
lower cost for our customers," said Bob Gleichauf, chief technology
officer for Cisco's Security Technology Group.
Funk Software: "The proposed specifications should make it easier to
integrate support for one-time passwords into enterprise applications,"
said Paul Funk, president of Funk Software, a leading developer of
network access security solutions. "One-time passwords provide very
strong authentication security, an important capability for customers who
are managing increasingly complex network access infrastructures.
Whether users connect to the network via wireless or wired, from a remote
site or on-site, OTP provides the strong security that lets enterprises
better protect their critical business assets."
iPass: "Open specifications for the initialization of credentials, along
with the retrieval, transportation and validation of one-time passwords,
will enable iPass to better serve our business customers as they deploy
strong authentication solutions across the enterprise," said Roy Albert,
CTO of iPass Inc. "iPass plans to leverage these specifications as we
work to deliver stronger authentication support, particularly in the
context of one-time passwords."
Juniper Networks: "The proposed one-time password specifications will
better serve the IT security industry by providing non-proprietary
methods of integrating OTP solutions as customers deploy strong
authentication throughout the enterprise," said George Riedel, VP of
strategy and corporate development at Juniper Networks. "Juniper expects
to utilize these specifications to ensure that our technology solutions
are able to easily, securely and cost-effectively integrate with
customers' one-time password technology."
Meetinghouse: "The new open specifications from RSA Security provide
technology companies like Meetinghouse with an effective way to support a
full range of current and future OTP solutions," said Dr. Paul Goransson,
president of Meetinghouse. "Meetinghouse supports the RSA Security
effort to provide open solutions that deliver the strong network security
with ease-of-use required by enterprise users."
Microsoft: "Customers have told us that interoperability across security
solutions is a critical requirement," said Rich Kaplan, corporate vice
president for the Security Business & Technology Unit (SBTU) at Microsoft
Corp. "Microsoft supports all our partners' efforts to provide open
solutions that deliver the greatest value to business customers and
support strong authentication deployments."
RSA Security Support of Specifications Within its Own Products
Demonstrating the company's support for these open one-time password
specifications, RSA Security plans to integrate these methods into RSA
SecurID(R) technology, a market-leading strong authentication solution.
Future versions of RSA Security's client for connected RSA SecurID tokens,
RSA(R) Authentication Manager and RSA(R) Authentication Deployment Manager
will support these proposed open specifications. This support will enable RSA
Security customers to more easily and cost-effectively integrate and deploy
OTP-based strong authentication.
About RSA Security Inc.
RSA Security Inc. helps organizations confidently protect identities and
information access. The company secures more than 15 million user identities,
safeguards trillions of business transactions annually, and manages the
confidentiality of data in tens of thousands of applications worldwide. RSA
Security's portfolio of award-winning solutions -- including identity & access
management, secure mobile & remote access, secure enterprise access, secure
transactions and consumer identity protection -- sets the standard in the
industry. Our strong reputation is built on a 20-year history of ingenuity,
leadership and proven technologies, and our more than 17,000 customers around
the globe. Together with more than 1,000 technology and integration partners,
RSA Security inspires confidence in everyone to experience the power and
promise of the Internet. For more information, please visit
http://www.rsasecurity.com.
NOTE: RSA, RSA Security, SecurID, the RSA logo and Confidence Inspired
are either registered trademarks or trademarks of RSA Security Inc. in the
United States and/or other countries. All other products and services
mentioned are trademarks of their respective companies.
SOURCE RSA Security Inc.
CONTACT: Roger Fortier of McGrath/Power Public Relations, +1-408-727-0351, or rogerf@mcgrathpower.com, for RSA Security Inc.; or Dave Howell of RSA Security Inc., +1-781-515-6303, or dhowell@rsasecurity.com