News

18.11.07
Almost everybody uses online banking nowadays. However, its reputation suffers because of sniffing and phishing attacks. Hackers even bypass SSL certificates by exploiting cross-site scripting bugs.
Using the Internetpassport (TM), the server authenticates itself to the user, and only the user with access to the token can authorize a transaction at the bank. After entering the transaction data on a web site, instead of looking up a TAN on a paper list stored in some secret drawer, the user types in the unique device number printed on the back of the device. Some black and white blinking fields then appear on the screen. Held directly in front of the monitor, the token captures this flickering and reads a binary, AES 128-bit encrypted stream. The token then displays some of the transaction data together with a one-time password. The user only needs to enter this one-time password on the web site to confirm the transaction. As only the server and the device know the individual key needed to decrypt the message, only the authentic server can show the transaction data to the user, and only the user holding the authentic token can decrypt the message and enter the generated one-time password. So both sides know that they are really talking to each other. To protect the token from unauthorized use it has a secure fingerprint sensor, which has to be personalized once before the final keys are installed on the device.

Goals reached:

* There is no PIN which a hacker could sniff to get access to online banking.
* A phishing site cannot encrypt a message for the token, and therefore a user will never enter keys on such a site.
* There are no pre-generated passwords like in a TAN list.
* Sniffing software installed on the PC can do nothing with the one-time password entered for one specific transaction.
* There is no need for additional hardware like a smart card reader or similar.
* We get real two-way authentication which cannot be bypassed by cross-site scripting attacks.
* ...
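The flow described above, written out as an added example that is not part of the original post nor AXSionics' own code: a bank server seals transaction data plus a per-transaction one-time password under the device key, the token only displays what was sealed with its own key, and the server accepts each OTP once. It assumes nothing about the real protocol's message format, and since the real token decrypts an AES 128-bit stream, the stand-in cipher here (an HMAC-SHA256 keystream with a tag, standard library only) is a substitution so the example runs offline.

```python
# Constructed model of the Internetpassport flow described above: the real token decrypts an
# AES-128 stream read off the screen; this stand-in uses an HMAC-SHA256 keystream + tag (stdlib only).
import hashlib, hmac, json, secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, n):  # counter mode over the PRF with a separate "enc" subkey
    return b"".join(_prf(key + b"enc", nonce + i.to_bytes(4, "big"))
                    for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key + b"mac", nonce + ct)

def unseal(key, blob):  # plaintext, or None if the tag was not made with this key
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(_prf(key + b"mac", nonce + ct), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def token_display(device_key, blob):  # what the token shows after reading the flicker
    msg = unseal(device_key, blob)
    return None if msg is None else json.loads(msg)  # {"tx": ..., "otp": ...} or None

class BankServer:
    def __init__(self):
        self.keys, self.pending = {}, {}  # device number -> key, -> (tx, otp)
    def enroll(self, device_no):  # per-device key installed at personalisation
        self.keys[device_no] = secrets.token_bytes(16)
        return self.keys[device_no]
    def start(self, device_no, tx):  # flicker stream: transaction data + fresh OTP
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[device_no] = (tx, otp)
        return seal(self.keys[device_no], json.dumps({"tx": tx, "otp": otp}).encode())
    def confirm(self, device_no, otp):  # single use: the pending entry is consumed
        _tx, expected = self.pending.pop(device_no, (None, None))
        return expected is not None and hmac.compare_digest(otp, expected)

def genuine_flow(tx):  # returns (confirmed, same_otp_accepted_a_second_time)
    bank, dev = BankServer(), "DEV-0001"
    shown = token_display(bank.enroll(dev), bank.start(dev, tx))
    if shown is None or shown["tx"] != tx:  # nothing displayed, or user sees a mismatch
        return False, False
    return bank.confirm(dev, shown["otp"]), bank.confirm(dev, shown["otp"])

def phishing_flow():  # a site without the device key cannot seal a stream the token accepts
    return token_display(secrets.token_bytes(16), seal(secrets.token_bytes(16), b"{}"))
```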
For the QTrust Server there are several points where the Internetpassport (TM) is worth considering, such as:

* Administration website
* VPN access
* Reverse proxy to click-and-secure internal websites

For more information about the secure access token see http://www.axsionics.ch. More information about our evaluation will be supplied here soon...

category: partner