Frequently Asked Questions
Arcot Systems, Inc. provides digital signature and identity solutions to secure the integrity of online business. Arcot's solutions combine the ease-of-use, scalability, and cost-effectiveness of a software format with a breakthrough technology approach that offers maximum online protection. Whether used as a standalone solution, or in tandem with existing hardware or other software solutions, Arcot's flexible two-factor authentication technology enables enterprises to increase their level of online security multi-fold, with minimal disruption for end users.
As online security experts, Arcot's team receives many questions on the subject of identity management and online security. Here are some answers to the most frequently asked questions.
About Digital Identity Security
What is user authentication?
User authentication is the process of verifying the identity of a person. In the case of online business, authentication must occur digitally (i.e., an individual or entity wants to be sure that they know without a doubt who is on the other end of the interaction or transaction). Online authentication techniques range from the marginally secure method of typing in a system user name and password, to the most secure means of biometrics, in which devices scan an individual's fingerprints. The more common strong authentication solutions are hardware tokens and smart cards. This approach is known as two-factor authentication: One factor is “something you know,” such as a password or PIN number. The second factor is “something you have,” like some form of a smart card or hardware device.
What is Public Key Infrastructure (PKI)?
PKI is a system of deploying, certifying, and managing public keys using digital certificates from certificate authorities and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction or interaction.
What is a digital certificate?
A digital certificate (standard X.509 certificate) is typically used to bind an end user's or organization's name with a public key that corresponds to the private key credentials used for digital signing and authenticating.
What is a digital signature?
A digital signature is a cryptographic code that can be attached to an electronically transmitted message that uniquely identifies the sender and ensures the message has not been tampered with. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital signatures are vital to the deployment and expansion of online business, and they are a key component of most authentication schemes. To be effective, digital signatures must be non-repudiable. There are a number of different encryption and authentication techniques to guarantee this level of security.
What is a smart card?
A smart card is a credit card-like device containing both memory and a central processing unit (CPU). Smart cards are used to store personal credentials or other information. They are often used as a means of providing strong, two-factor user authentication.
What is a “secure software credential”?
Like a physical smart card, the secure software credential is used to securely store personal credentials or other information. The container for that information is a tamper-resistant software container rather than a physical hardware-based container.
What is a hardware token?
A hardware token is a device that generates a one-time password and provides access to a secure network or application for an authorized user.
What is Arcot's business focus?
Arcot develops software-based digital signature and identity solutions for more than 8,000 enterprises with the most challenging security needs. Its customers include financial institutions and e-payment-focused organizations, pharmaceutical and healthcare companies, among others.
What makes Arcot different?
Arcot Systems provides software-based digital signatures and identity solutions that allow companies to safely conduct online business. Arcot's solutions combine the ease-of-use, scalability, and cost-effectiveness of a software format with innovative technology that offers the maximum level of protection. Arcot solutions enable businesses to connect with their customers, partners and stakeholders, and extend their business reach and results, while protecting the privacy and security of digital information.
Who are Arcot's technology advisors?
Arcot's technology advisors are widely recognized industry leaders in Internet security and cryptography. The advisors include:
Dr. Martin Hellman, Professor Emeritus, Stanford University and Co-Inventor of Public Key Cryptography
Taher Elgamal, President, Information Security Group, Kroll-O'Gara; former chief scientist, Netscape Communications; and developer of Secure Socket Layer (SSL)
Bruce Schneier, Founder and Chief Technical Officer of BT Counterpane and Author of “Applied Cryptography,” the seminal work on cryptography.
Read more about our technology advisors.
Who are Arcot's business advisors?
Arcot's business advisors are all senior-ranking executives from a range of businesses that can benefit from strong authentication for enterprise and Internet applications. Read more about our business advisors.
Who are Arcot's investors?
Arcot's investment partners include Accel Partners, Goldman Sachs, Wachovia, SEBanken, Novell, Inc., Onset Ventures, Oracle Venture Fund, Raza Ventures, and Visa International.
Internet User Authentication Challenges
Why is there a need for strong authentication?
In order for companies to achieve the potential that online business offers, there must be absolute certainty that these companies know who is on the other end of any online transaction or interaction. These transactions or exchanges of information require the verification of the identity of the other party. In a traditional business environment, there are many ways to verify the identity of the person at the other end of a transaction or information transfer (e.g. “May I see your driver's license?”). However, on the Internet, with a large community of customers and partners in diverse geographic locations connected only through a browser, strong user authentication is a necessity.
How does Arcot address the challenge of Internet authentication?
Arcot provides strong software-based digital signature and identity solutions that are secure, scalable, and cost effective, and yet still convenient and easy to use. Because these solutions are software-based, they scale up to millions of users, provide a convenient browser-based interface or VPN client plug-in for end users, and are easily deployed and managed. Since Arcot has developed a sophisticated and proprietary technology approach, its solutions provide hardware-level security protection. In addition, they are designed to be delivered via a number of formats, including software only containers, or hardware containers such as USB tokens or crypto tokens. In addition to connecting with a wide variety of server applications, Arcot software can also provide a common interface for secure software credentials, hardware smart cards, and USB tokens.
Why not use user name and passwords?
User names and passwords provide limited security and are costly to maintain. First, username-password combinations do not uniquely identify users with the assurance necessary for high-value and high-privacy applications. They only require “something a user knows” (one-factor authentication), offering limited security. The issues around user laxness in protecting passwords are well known. Second, the cost and complexity to make passwords more secure is problematic if one is to deliver two-factor authentication that combines “something you know” with “something you have.” The standard approaches to making usernames and passwords more secure force users to choose complex passwords, use “one-time” passwords, change passwords on a regular basis, or remember to carry hardware devices. Any of these approaches creates maintenance problems and additional management for the end user, resulting in higher business operating costs, lower adoption rates, and lost productivity.
Why not use hardware tokens?
Cost and lack of convenience are the two primary reasons that hardware tokens aren't widely adopted. By their very nature, Internet applications are deployed to a large number of users at various locations around the world. The acquisition and maintenance cost of hardware tokens and the logistics of widespread distribution and management make the total cost of hardware tokens prohibitive. In addition, tokens are inconvenient for end users to carry and use, and most businesses realize that they cannot force customers to use hardware tokens.
Why not use smart cards?
Smart cards require that the end user's device include a smart card reader, but smart card readers are not widely distributed in devices accessing the Internet. Therefore, any use of smart cards in an Internet application will require the end user to acquire and install a smart card reader. For mobile end users, access to card readers is especially problematic. Also, distributing the actual smart cards increases the cost of use. Cost and logistics issues aside, the smart card approach is in direct conflict with the now widely accepted Internet model for application use in which end users simply need a browser or VPN client and the appropriate plug-ins.
What is an ArcotID?
The ArcotID is the software equivalent of a hardware smart card, providing a PIN-protected software container for the user's credentials: a standard X.509v3 digital certificate plus an encrypted private key. Arcot's patented design ensures that the ArcotID is resistant to brute force and offline attacks, yet provides the strong authentication necessary to establish identity, create digital signatures, and decrypt documents. Digital signatures enable users to send transactions and electronic documents that are tamper-resistant and cannot be repudiated. They also create an electronic trail of all user activity for security audit purposes. Without the ArcotID, hardware smart cards are necessary to achieve this level of authentication.
Where is the digital certificate and how do you protect it?
The digital certificate is stored in the ArcotID container. Securing a private key with Arcot's Cryptographic Camouflage technology protects the private key from brute force attacks. The credentials are accessed through a variety of standard and proprietary APIs, remaining transparent to the user. For PKI-aware applications, the ArcotID can be used as a direct replacement for a hardware smart card using standard cryptographic interfaces.
What is a private key and why is it important to protect it?
A private key is one half of the public/private key pair used in digital certificates. The private key is a software key used to sign challenges or documents. Similar to a physical signature, knowledge and use of the private key validates that the end user signed the challenge or document. Therefore, protecting the private key is critical to protecting the digital certificate and the user's identity online. If a third party gains access to a user's private key, the third party could easily masquerade as the user, commit fraud, and gain access to confidential information.
The private key is usually stored on the owner's system in a password-protected key container. Hackers and virus-software authors can use a variety of tools to collect and hack these key containers to collect private keys. Companies such as RSA, VeriSign, Sun Microsystems, and Baltimore Technologies, as well as technology analyst Gartner Group, have all cautioned users that protection of the private key is very important.
About Arcot Authentication Technology
What is unique about Arcot's authentication technology?
Arcot Systems is the only company that can provide strong software-based solutions to authenticate users with whom they are interacting and transacting on payment systems—web-based enterprise applications, business portals, email and VPN environments—combining the security of hardware solutions with the convenience of username-passwords.
Arcot products are built around two key technologies: digital certificates—an industry standard—and Cryptographic Camouflage, a patented software technology developed by Arcot. The combination of these two technologies makes strong software-only authentication a reality.
What is Cryptographic Camouflage?
Cryptographic Camouflage is Arcot's patented technique for protecting information in software. It differs from the standard encryption approach in that the attacker does not know when he has successfully uncovered the information. This approach provides security against offline attacks, allowing Arcot to offer strong digital signature and identity solutions in software.
When using a standard encryption approach, an intruder tries to reveal protected information with a variety of automated tools that conduct offline attacks. These techniques—including brute force, dictionary, and other types of attacks—try to guess the password until a plausible solution is found (i.e. a well-structured private key, etc.). With this approach, an attack will yield only one solution—the correct one that reveals the protected information.
Cryptographic Camouflage differs in that any attack will yield what seems like a plausible response. Hence, the correct solution is hidden, or camouflaged, amongst a large number of plausible but incorrect solutions. Cryptographic Camouflage keeps the user's private key private and protects it from outside attack.
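The contrast described in the two paragraphs above, as an added illustration that is not Arcot's code or its patented algorithm: a toy container whose plaintext carries a recognizable header lets every PIN guess be checked offline, while one holding only an unstructured 32-byte secret gives a different, equally valid-looking result for every PIN. The header value, the 4-digit PIN space, the SHAKE-256 keystream and all function names are assumptions made for the example.

```python
import hashlib

MAGIC = b"PRIVKEY1"  # constructed header standing in for recognizable key structure
PINS = [f"{i:04d}" for i in range(10000)]  # assumed 4-digit PIN space

def keystream(pin: str, salt: bytes, n: int) -> bytes:
    # Toy PIN-derived keystream (SHAKE-256); a real container would use a
    # slow KDF and a vetted cipher. Only the structure question matters here.
    return hashlib.shake_256(salt + pin.encode()).digest(n)

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(secret: bytes, pin: str, salt: bytes, structured: bool) -> bytes:
    # structured=True prepends the header, as a conventional key file format would.
    plaintext = (MAGIC + secret) if structured else secret
    return xor(plaintext, keystream(pin, salt, len(plaintext)))

def unseal(blob: bytes, pin: str, salt: bytes) -> bytes:
    return xor(blob, keystream(pin, salt, len(blob)))

def pins_passing_structure_check(blob: bytes, salt: bytes) -> list[str]:
    # Offline test available for the structured container: does the header appear?
    return [p for p in PINS if unseal(blob, p, salt).startswith(MAGIC)]

def distinct_candidates(blob: bytes, salt: bytes) -> int:
    # Unstructured container: every PIN yields 32 bytes, and any 32 bytes is a
    # valid secret, so no candidate can be ruled out without an online check.
    return len({unseal(blob, p, salt) for p in PINS})

if __name__ == "__main__":
    salt = bytes(range(16))                                   # constructed sample salt
    secret = hashlib.sha256(b"constructed sample").digest()   # 32-byte stand-in key
    pin = "4821"                                              # constructed sample PIN
    print(pins_passing_structure_check(seal(secret, pin, salt, True), salt))
    print(distinct_candidates(seal(secret, pin, salt, False), salt))
```

The property holds only while nothing else lets a guess be checked: a checksum stored with the container, or a public key matching the private value, would give back the offline test.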
How is the Arcot solution as secure as smart cards?
Smart cards and Arcot solutions both provide two-factor authentication. Both approaches require the user to have possession of something (the smart card or the ArcotID) and to know something (their personal PIN). Arcot's use of Cryptographic Camouflage protects the ArcotID from offline attack, making the card unusable without the PIN. In other words, the user always needs “something they have” plus “something they know” to ensure a successful login and signature using Arcot's strong authentication.
About Arcot, PKI and Digital Certificates
Are you a PKI vendor?
No, Arcot is not a PKI vendor but it provides solutions that incorporate the best features of PKI, such as signing for non-repudiation and authentication.
Do you compete against PKI vendors?
No, Arcot does not compete against PKI vendors. We complement and add value to a PKI and digital certificate vendor's offering by providing a stronger level of security for the user's digital certificate, the ability to securely roam (i.e. use the certificate on more than one machine), and the ability to utilize the solution on any device.
Which PKI vendors do you work with?
We can integrate with all the major certificate authority vendors. This includes VeriSign, Entrust, Microsoft, Sun/Netscape, Baltimore, and RSA Security. Check with Arcot for specific versions.
How do you complement a digital certificate infrastructure?
Arcot complements a digital certificate infrastructure by providing protection for the private key through a secure, convenient software container. Research analyst firm GIGA Information Group stated, “Arcot improves security, management, support cost, and ease of user adoption of digital certificates (PKI). In addition, Arcot provides a secure and convenient solution for roaming users—mobile users who need to authenticate from various locations and various machines.”