NEWS

Sphinx Unique in Meeting Need for High Security Authentication Over the Internet

Oakland, CA, November 12, 2010

In response to the increasing need for foolproof authentication to internet applications, Sphinx has created an ultra secure card/server interface that makes it virtually impossible to fake an identity over the Internet. To the best of our knowledge, card/server authentication with comparable strong security features is not currently available from any other non-PKI system.

Key customers for this solution include for example:

  • Cloud application providers, such as online contact database/Customer Relationship Management (CRM) solutions. In this scenario, the cloud application provider is a trusted party and must be extremely confident that only authorized personnel can view the private data that is the property of the customer.
  • Member organizations where financial or other critical transactions are made online, such as online trading or gambling websites. Since the member will be held accountable for any transaction made online, it is critical that the member organization ensure the identity of the members in an extremely secure way.
  • Health-related services, where patient information must be kept confidential as required by federal and state laws. Here the service provider will be held accountable for any violation of the privacy of patient records, or worse, manipulation of these records by potential attacks from hackers.

By choosing Sphinx card authentication, cardholders get the full benefits of the Sphinx software built in. This adds value for the end-user, since the authentication device becomes a useful tool that enhances the end-user's PC security throughout the day.

Using the same card, end-users can:

  • Secure access to their laptop or PC, creating an additional security barrier.
  • Save website and application logons to their card, which provides both convenience and a high level of security to the end-user's additional logon locations.

When the end-user saves personal logon data to their card, it remains confidential, and cannot be accessed by the host organization.

Customers have the option of a card or token format, with either a contact Java card platform or a contactless DESfire card platform.

What makes this card interface more secure

Each time an end-user presents his card for authentication to the host's website, Sphinx performs a "mutual" authentication process between the card and the server of the hosting organization. This differs from "UID-based" card/server authentication, where the card is simply identified by the server via the card's unique identifier (UID). UID-based authentication works well in a controlled environment, but may not be optimal for online transactions, since the identifier alone proves nothing about who presents it.

In a "mutual" authentication, the card and server perform a cryptographic handshake where they exchange encrypted information based on keys which are known only to the card and the server. Because of the advanced security protocols used in the transaction, it is virtually impossible for an attacker to duplicate or mimic the card.

Advanced security protocols include AES128- or TDES-based cryptography, session key negotiation, and key diversification. The keys are diversified based on card- and system-specific derivation input, so each card carries its own key rather than a shared one. The cryptographic handshake between the card and the server follows stringent security protocols that protect the keys, as well as the information exchanged between card and server, from potential attackers.
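As an added illustration (not Sphinx's own code, whose protocol details are not published here), the following Python models the handshake described above: a per-card key diversified from an issuer master key plus the card's UID and a system identifier, a challenge-response in each direction, and a session key both sides derive only after the handshake succeeds. HMAC-SHA256 stands in for the AES128/TDES primitives because the standard library has no AES; all keys and identifiers are constructed for the demo.

```python
# Added example modelling mutual card/server authentication with key
# diversification. HMAC-SHA256 replaces the AES/TDES MAC used by real cards.
import hmac, hashlib, secrets

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def diversify(master: bytes, system_id: bytes, uid: bytes) -> bytes:
    # Key diversification: one key per card, derived from master + system + UID.
    return mac(master, b"div|" + system_id + b"|" + uid)

class Card:
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key, self.session_key = uid, key, None
    def respond(self, server_nonce: bytes):
        # Prove key possession over the server's nonce and add our own nonce.
        self.server_nonce, self.nonce = server_nonce, secrets.token_bytes(16)
        return self.nonce, mac(self.key, b"card|" + server_nonce + self.nonce)
    def verify_server(self, server_tag: bytes) -> bool:
        # The card only accepts a server that can answer its nonce correctly.
        expected = mac(self.key, b"srv|" + self.nonce + self.server_nonce)
        ok = hmac.compare_digest(server_tag, expected)
        if ok:
            self.session_key = mac(self.key, b"sess|" + self.server_nonce + self.nonce)
        return ok

class Server:
    def __init__(self, master: bytes, system_id: bytes):
        self.master, self.system_id, self.pending = master, system_id, {}
    def challenge(self, uid: bytes) -> bytes:
        self.pending[uid] = secrets.token_bytes(16)
        return self.pending[uid]
    def verify_card(self, uid: bytes, card_nonce: bytes, card_tag: bytes):
        # Re-derive the card's key from the UID; a copied UID alone cannot pass.
        key, srv_nonce = diversify(self.master, self.system_id, uid), self.pending.pop(uid)
        if not hmac.compare_digest(card_tag, mac(key, b"card|" + srv_nonce + card_nonce)):
            return None, None
        return mac(key, b"srv|" + card_nonce + srv_nonce), mac(key, b"sess|" + srv_nonce + card_nonce)

def handshake(card: Card, server: Server):
    """Returns (server accepted card, card accepted server, shared session key or None)."""
    srv_nonce = server.challenge(card.uid)
    card_nonce, card_tag = card.respond(srv_nonce)
    srv_tag, srv_session = server.verify_card(card.uid, card_nonce, card_tag)
    if srv_tag is None:
        return False, False, None
    card_ok = card.verify_server(srv_tag)
    return True, card_ok, srv_session if card_ok and card.session_key == srv_session else None

# Constructed demo values: issuer master key, system identifier and a card UID.
MASTER, SYSTEM_ID, UID = secrets.token_bytes(16), b"demo-host", bytes.fromhex("04a1b2c3d4e5f6")
genuine = Card(UID, diversify(MASTER, SYSTEM_ID, UID))
clone = Card(UID, secrets.token_bytes(32))  # knows the UID, not the diversified key
```

The clone carries the correct UID and would pass a UID-only check, but fails the mutual handshake; a card likewise refuses a server that cannot answer its nonce.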

* * * *

Additional notes on cloud applications and their associated risks:

With the prevalence of Web 2.0 applications, security-sensitive applications are being moved from the customer’s computers to server computers controlled by the application provider in rapidly increasing numbers. Along with the applications, the sensitive data also moves outside of the customer’s physical location and direct control.

When data includes highly sensitive information such as customer relationship data, patient health records, personal information, financial data, etc., the risks associated with outsourcing data processing must be carefully evaluated before a customer decides to trust a provider. The reputation, trustworthiness, and internal security measures of the application provider are obviously key factors when evaluating the risks involved before subscribing to a Web 2.0 service.

Organizational integrity depends on keeping sensitive data secure. A Web 2.0 application can typically be accessed from anywhere over the Internet. Lax password security could open doors to data theft, data loss, and data manipulation, and constitutes an unacceptable liability.

Assuming that the application provider has an excellent reputation, and internal security and data protection measures are in place, there still remains a giant security loophole that needs to be addressed. That loophole is the end-user, who typically still logs on to the web application with his user ID and password. The poor password security habits practiced by most end-users - due to the difficulty of maintaining and remembering a strong password in the first place - create a compelling argument for securing access to a cloud application with a card.

All trademarks are property of their respective owners.