Authentication within GemAuthenticate

 

An overview of all available methods to authenticate users / cardholders using GemAuthenticate.

 

One of the main premises in GemAuthenticate is the notion of the authentication method.

 

An authentication method refers to the procedure involved in verifying an end-user’s identity. Authentication includes the sequence of events that must be performed in order for a person to prove that they are who they claim to be. The authentication method defines what is required for a successful entry, and thus who is allowed access and who is not.

 

In the GemAuthenticate system there are currently 8 authentication methods available. A combination of one or more of these authentication methods can be used to control access to protected resources. A brief description of each method follows below.

 

Many parameters must be considered when determining what authentication method is best suited for a particular system. Two such parameters are shown in the diagram below.

 

Figure: Authentication methods: security level vs. total system implementation cost.

 

Authentication Methods

Name          Description

GemAuth #0    Generic Form Username/Password Authentication
GemAuth #1    Smart Card Based Username/Password Authentication
GemAuth #2    Smart Card Based Symmetric Key Authentication
GemAuth #3    Smart Card Based Public Key Infrastructure Authentication
GemAuth #4    Smart Card Based Primary Account Number (PAN) Authentication
GemAuth #5    Smart Card Based EMV Authentication (0$ transaction)
GemAuth #6    Memory Card Based Transaction Password Authentication
GemAuth #7    Verified SSL/TLS authentication (smart card through PKCS11/CSP – example: GemSAFE Libraries)

Table: GemAuthenticate authentication methods.

 

Generic Form Username/Password Authentication

This is the simplest form of authentication in the GemAuthenticate system and does not require a smart card. The client provides the user with a browser-based form into which they must enter their Username/Password credentials. These credentials are validated by the GAS; if they are correct, the user is successfully authenticated; if not, the user is notified that one of the credentials entered is incorrect or invalid.

 

Smart Card Based Username/Password Authentication

This form of authentication is similar to form-based Username/Password Authentication with the added advantage that the user does not have to remember long passwords or usernames. The ability to store complex usernames and passwords makes it more difficult to crack these codes using brute-force or dictionary attacks.

 

During authentication:

  • The Username/Password credentials are stored on a smart card.

  • In order to gain entry to the system, the user must insert his/her registered smart card into a valid reader.

  • Access to this card is protected by a PIN (Personal Identification Number). The user is prompted to enter this PIN by the GAC.

  • If the PIN is successfully entered, the GAC accesses the Username/Password attributes on the card. If not, the GAC prompts the user to re-enter the PIN. The user has a limited and configurable number of attempts to enter the correct PIN, after which the card is blocked.

  • Usernames and Passwords are then validated by the GAS. If they are successfully validated, the user gains access to the system; if validation is unsuccessful, the user is notified.

 

Smart Card Based Symmetric Key Authentication

The Smart Card Based Symmetric Key Authentication method makes use of 3DES encryption. It also makes use of the Challenge-Response Protocol in order to validate a user’s identity.

A symmetric master key is stored securely in the GAS. During card personalization, the master key is diversified and the resulting key is placed in a secure container on a Gemplus smart card.

 

During authentication:

  • The user inserts his/her registered smart card into a valid reader.

  • The GAC prompts the user to enter a PIN in order to allow access to the card. If the PIN is correct, access is allowed; otherwise the user is notified that an incorrect PIN has been entered.

  • During the authentication procedure, the GAS sends a piece of random data to the GAC.

  • The GAS signs this random data and also sends the signature to the GAC. The smart card OS then uses the symmetric key on the card to sign this data and sends the result back to the GAS.

  • When the GAS receives these pieces of data it re-calculates each signature in order to verify that the symmetric key on the card has been diversified from its master key.

  • If everything matches, the user is authenticated and hence allowed access to the system. If unsuccessful, the user is notified.

 

Smart Card Based Public Key Infrastructure Authentication

The Smart Card Based Public Key Infrastructure Authentication method makes use of the Public Key Infrastructure (PKI) to validate a user’s identity. During card personalization, a public key, in the form of a certificate, and the corresponding private key are stored on the card.

 

During authentication:

  • The user inserts his/her registered smart card into a valid reader.

  • The GAC prompts the user to enter a PIN in order to allow access to the card. If the PIN is correct the application is allowed access; if the PIN is incorrect, the user is notified that they have entered an incorrect PIN.

  • During authentication processing the GAS signs a random piece of data using S/MIME and sends both this data and the signature to the GAC as the challenge.

  • The GAC formats and sends this data to the smart card. The challenge is signed and this signature is sent back to the GAS via the GAC along with the certificate (the public key) and the original GAS challenge.

  • The GAS verifies the signatures to ensure they are correct. The GAS can also perform external 3rd party checks on the certificate (public key) such as OCSP, CRL, etc.

  • If verification is successful, the user is allowed access. If not, the user is notified that the attempt has been unsuccessful.

 

Smart Card Based Primary Account Number (PAN) Authentication

The Smart Card Based Primary Account Number (PAN) Authentication method uses the PAN number displayed on a credit card to validate a user’s identity. During card personalization, the PAN number is stored in a special container on the smart card’s file system.

 

During authentication:

  • The user inserts his/her registered smart card into a valid reader.

  • During authentication processing, the GAC retrieves the PAN number from the smart card, and sends this back to the GAS along with some additional parameters.

  • The GAS validates the PAN by checking in the user database or by validating it against a special pattern.

  • If the PAN is valid, the user is allowed access; if invalid the user is notified.

 

Smart Card Based EMV Authentication

GemAuthenticate EMV Authentication verifies online transactions as specified in the EMV standard.

 

This method of authentication makes use of 3DES symmetric key diversification. It also makes use of the Challenge-Response Protocol to validate a user’s identity.

A symmetric master key is stored securely in the GAS. During card personalization, the master key is diversified and the resulting key is placed in a secure container on a Gemplus smart card.

 

During authentication:

  • The GAS activates the GAC. In the activation code, the GAS sends a number of parameters to the GAC. In this authentication method, the most significant parameters are:

    • A challenge – a random number

    • A signature – a server cryptogram of the challenge so the server can validate that the challenge was produced by a valid server at a valid time.

    (A complete list of parameters can be found in the GAS documentation.)

  • The GAC is activated and prompts the user to insert his/her card.

  • The GAC prompts the user to enter the PIN in order to validate the user's presence. If the PIN is correct the procedure continues; if the PIN is invalid, the user is notified that an incorrect PIN was entered.

  • The GAC then uses the smart card and the key on the card to create an ARQC (EMV Authentication Request Cryptogram) with the challenge sent from the server used as an unpredictable number.

  • Along with some additional parameters, the GAC then sends the ARQC as a response back to the GAS. (A complete list of parameters can be found in the GAS documentation.)

  • When the GAS receives this data, it calculates each cryptogram (signature and response) in order to verify their correctness.

  • The GAS verifies that the user's ID (PAN|PSN) is present and activated in the user directory.

  • If everything matches, the user is authenticated and hence allowed access to the system. If the user response does not correspond as expected, access is denied and the user is notified.
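The challenge-response exchange described for this method and for the Smart Card Based Symmetric Key method, as an added example that is not GemAuthenticate code. HMAC-SHA256 stands in for the 3DES cryptograms, and the key names, the card identifier used for diversification and the 60-second validity window are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

MASTER_KEY = os.urandom(32)      # constructed; stands in for the master key held by the GAS
SERVER_MAC_KEY = os.urandom(32)  # assumption: separate key for the server cryptogram
MAX_AGE = 60                     # assumption: challenge lifetime in seconds


def mac(key, data):
    # HMAC-SHA256 is a stand-in for the 3DES MAC the page describes
    return hmac.new(key, data, hashlib.sha256).digest()


def diversify(master, card_id):
    """Personalization: derive the per-card key from the master key."""
    return mac(master, b"diversify|" + card_id)


def issue_challenge(now=None):
    """GAS side: random data plus issue time, and the server cryptogram over both."""
    ts = int(time.time() if now is None else now)
    challenge = os.urandom(16) + struct.pack(">Q", ts)
    return challenge, mac(SERVER_MAC_KEY, challenge)


def card_sign(card_key, challenge):
    """Card side: sign the challenge with the diversified key."""
    return mac(card_key, challenge)


def verify(card_id, challenge, server_sig, response, now=None):
    """GAS side: recompute both cryptograms; reject forged or stale challenges."""
    now = time.time() if now is None else now
    if len(challenge) != 24:
        return False
    if not hmac.compare_digest(server_sig, mac(SERVER_MAC_KEY, challenge)):
        return False  # challenge was not produced by this server
    (ts,) = struct.unpack(">Q", challenge[16:])
    if not 0 <= now - ts <= MAX_AGE:
        return False  # challenge is outside its validity window
    expected = mac(diversify(MASTER_KEY, card_id), challenge)
    return hmac.compare_digest(response, expected)
```

The timestamp inside the signed challenge bounds its lifetime without server-side state, but it does not stop reuse inside the window; tracking issued challenges on the server would.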

 

Memory Card Based Transaction Password Authentication

The Memory Card Based Transaction Password Authentication method uses a unique password for every authentication event. This unique password, which is stored on the card, is only valid for the subsequent authentication, thus making it difficult to crack the password through a series of requests from the user. This method also uses transaction counters to verify that the server and the client are in sync.

 

During authentication:

  • The user inserts his/her registered memory card into a valid reader.

  • The client application reads the transaction counter and password from the card and sends these parameters to the GAS.

  • The GAS compares the transaction counter balance with that stored in a database; it also recalculates the value of the password to ensure it is valid.

  • If successful, the GAS increases the "transaction counter" value, generates a new password, and sends these to the client application, which updates the new values on the card. Once these values are stored successfully in the card, they are also updated in the database on the server side.

  • If this process is completed without any problems, the cardholder is successfully authenticated. If not, the user is notified that authentication was unsuccessful.

One option for this authentication method is to eliminate the user validation by PIN entry, and instead let the server open up the card. This gives the solution a different profile and is then only card authentication, instead of user authentication.

 

A key advantage of this authentication method is that it uses memory cards, rather than microprocessor cards, which makes each card cheaper to produce and purchase.
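The counter check and password rotation described above, as an added example that is not GemAuthenticate code. The HMAC-based password derivation, the `MemoryCard` stand-in and the dictionary used as the server database are assumptions; the page only states that the GAS recalculates the password.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # constructed; assumption: secret held by the GAS


def password_for(card_id, counter):
    # Assumption: the password is derived from card id and counter with HMAC-SHA256
    msg = card_id + counter.to_bytes(8, "big")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


class MemoryCard:
    """Constructed stand-in for a memory card: plain storage, no on-card crypto."""

    def __init__(self, card_id, counter, fail_writes=False):
        self.card_id, self.counter = card_id, counter
        self.password = password_for(card_id, counter)
        self.fail_writes = fail_writes  # simulates a card removed mid-update

    def write(self, counter, password):
        if self.fail_writes:
            return False
        self.counter, self.password = counter, password
        return True


def authenticate(db, card):
    """GAS flow: check counter sync, recompute the password, rotate card then database."""
    stored = db.get(card.card_id)
    if stored is None or stored != card.counter:
        return False  # server and card counters are out of sync
    if not hmac.compare_digest(card.password, password_for(card.card_id, stored)):
        return False  # password does not match the recalculated value
    nxt = stored + 1
    if not card.write(nxt, password_for(card.card_id, nxt)):
        return False  # card not updated, so the database keeps the old counter
    db[card.card_id] = nxt  # commit only after the card holds the new values
    return True
```

Because the database is committed only after the card write succeeds, an interrupted update leaves the card's existing values valid, while a copy of the card taken before a successful authentication is rejected on the counter check.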

 

Verified SSL/TLS authentication

Verified SSL/TLS authentication makes use of the standardized SSL/TLS protocol and a Public Key Infrastructure (PKI) in order to validate a user’s identity.

 

This authentication method can be used to achieve a very high level of security. To achieve high security, it is recommended that the private keys be stored and used on smart cards. To use smart cards with this system, GemSAFE Libraries is a perfect fit.

Figure: Components in the verified SSL/TLS authentication method

 

During authentication:

  • The user selects the certificate to be used from his/her certificate store, if more than one certificate is available from an issuing root accepted by the GAS.

  • If the user selects a certificate located on a smart card through GemSAFE Libraries, GemSAFE Libraries will prompt the user to enter a PIN in order to allow access to the card. If the PIN is correct, the application is allowed access; if incorrect, access is denied and the user is notified that an incorrect PIN was entered.

  • During the authentication procedure, the client browser performs an SSL/TLS handshake with the GAS. During the SSL/TLS handshake, the GAS validates the certificate the user is presenting by checking that the certificate is issued from a trusted root.

  • The GAS can also validate the status of the certificate by either looking in a Certificate Revocation List (CRL) provided by the issuer of the certificate or by an online check using the Online Certificate Status Protocol (OCSP).

  • If the certificate is considered trustworthy, the GAS continues to map the certificate to a user identifier. The GAS can also validate the local status of this user in the system by checking the identity against a database or directory.

  • If everything matches acceptably, the user is authenticated and allowed access to the system; if not, the user is notified.

 

©2004 Gemplus. All rights reserved. Gemplus, the Gemplus logo, GemLaunch and GemAuthenticate are trademarks and service marks of Gemplus and may be registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.