The GemAuthenticate Product Suite

  • GemLaunch

  • GAC (Gemplus Authentication Client)

  • GAS (Gemplus Authentication Server)

  • GAM (Gemplus Authentication Module)

  • GAG (Gemplus Access Gateway)


Gemplus Authentication Server

The Gemplus Authentication Server (GAS) is a standalone software server that authenticates smart cardholders over a network.

 

The level of security can be configured to the requirements of the specific system: based on the level of security required, the customer selects the appropriate authentication method for each Web resource. The available authentication methods are discussed under “Authentication within GemAuthenticate”.

 

The GAS uses a challenge-response protocol to authenticate users. Every user who attempts to authenticate must be registered in a user store controlled by the GAS; the registered data is used during the authentication process to verify the user's identity. The user stores that currently interface with the GAS are:

  • Lightweight Directory Access Protocol (LDAP) directories

  • SQL databases

  • Microsoft Active Directory

  • Text files

An API is also provided that allows third-party database products to interface with the GAS.
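As an added illustration of the challenge-response flow described above (example code, not Gemplus software), the following Python sketch plays both sides: a GAS that looks the user up in a registered user store, issues a fresh single-use challenge, and verifies the response in constant time, and a client side standing in for the GAC and card. The user store, the message formats, the 30-second challenge lifetime and the use of a per-card HMAC key are assumptions made for the demonstration; a real smart card would typically sign the challenge with an on-card private key, but the lookup, challenge, response, verify sequence is the same.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)

# Constructed user store standing in for the LDAP / SQL / Active Directory /
# text-file back ends the GAS can query.  Assumption: each registered card is
# represented by a per-card secret; a real smart card would typically sign the
# challenge with an on-card private key instead, but the protocol shape is the same.
USER_STORE = {
    "alice": {"card_key": hashlib.sha256(b"constructed demo key for alice").digest()},
    "bob":   {"card_key": hashlib.sha256(b"constructed demo key for bob").digest()},
}


def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """Client side (GAC + card): answer the challenge without revealing the key."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side (GAS): issues single-use challenges and verifies responses."""

    def __init__(self, user_store, now=time.time):
        self._users = user_store
        self._now = now          # injectable clock so expiry can be exercised
        self._pending = {}       # challenge -> (user_id, issued_at)

    def issue_challenge(self, user_id: str) -> bytes:
        # Look the user up first, so unregistered users never receive a challenge.
        if user_id not in self._users:
            raise KeyError("unknown user")
        challenge = secrets.token_bytes(32)  # unpredictable and fresh per attempt
        self._pending[challenge] = (user_id, self._now())
        return challenge

    def verify(self, user_id: str, challenge: bytes, response: bytes) -> bool:
        entry = self._pending.pop(challenge, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        issued_for, issued_at = entry
        if issued_for != user_id or self._now() - issued_at > CHALLENGE_TTL:
            return False
        expected = card_respond(self._users[user_id]["card_key"], challenge)
        # Constant-time comparison so a wrong response leaks no timing information.
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """One successful login, one replay of the same response, one wrong card."""
    gas = AuthServer(USER_STORE)
    chal = gas.issue_challenge("alice")
    resp = card_respond(USER_STORE["alice"]["card_key"], chal)
    ok = gas.verify("alice", chal, resp)
    replay = gas.verify("alice", chal, resp)          # same challenge presented again
    chal2 = gas.issue_challenge("alice")
    wrong = gas.verify("alice", chal2, card_respond(USER_STORE["bob"]["card_key"], chal2))
    return {"ok": ok, "replay": replay, "wrong_card": wrong}


if __name__ == "__main__":
    print(demo())
```

The replay and wrong-card attempts in demo() both fail because each challenge is removed from the pending table on first use and the expected response is computed from the key registered for the user the challenge was issued to.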

 

A brief functional overview of GAS operation is illustrated in the diagram below.

Figure: Authentication process

 

A powerful feature of the GemAuthenticate system is “inter-domain authentication”: a single GAS can authenticate users on behalf of servers in more than one domain. An example is illustrated in the diagram below.

Figure: Inter-domain authentication

 

The owner of domain A.com is a partner of the domains B.com and C.com. Users of B.com can be redirected to the GAS located at A.com to receive a credential that allows them to access resources on B.com. Likewise, users who attempt to access resources on C.com are redirected to A.com, where they receive a valid credential for that domain. Users of D.com, however, cannot access resources on A.com, because D.com is not trusted by the GAS located there. In this way the set of domains reachable with a credential from a given GAS is exactly the set of partner domains that GAS is configured to trust.

 

It is also possible to implement Single Sign-On (SSO) across these domains, so that users can roam from site to site without re-authenticating.

 

Gemplus Authentication Module

The Gemplus Authentication Module (GAM) is a software component that is easily integrated with a Web application server to protect it against unauthorized access. It acts as a gatekeeper for the Web application server by verifying the access rights of each user request. When a user tries to access a resource on a particular server, the GAM checks that the request carries the credentials needed to do so. If it does not, the GAM automatically redirects the user to the GAS, where the user obtains the proper credentials by authenticating to the GAS.
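The allow-or-redirect decision of the GAM, together with the domain-scoped credentials behind the inter-domain and SSO behaviour described earlier, as an added Python example (not Gemplus code). A GAS at A.com issues credentials only to users who have completed authentication and only for the partner domains it trusts; a GAM at each partner verifies the credential's signature, audience and expiry on every request and redirects anything else to the GAS with a return address. The token format, the HMAC key shared between GAS and GAM, the URL names and the 600-second lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

CRED_TTL = 600  # credential lifetime in seconds (assumed value)


class CredentialIssuer:
    """GAS side: hands out domain-scoped credentials to authenticated users."""

    def __init__(self, key: bytes, trusted_domains, now=time.time):
        self._key = key                       # shared with the GAMs it serves (assumption)
        self._trusted = set(trusted_domains)  # the partner domains of this GAS
        self._now = now
        self._sessions = set()                # users who completed card authentication

    def mark_authenticated(self, user: str) -> None:
        """Record a successful challenge-response login (the SSO session)."""
        self._sessions.add(user)

    def issue(self, user: str, audience: str):
        """Return a credential for `audience`, or None if the GAS will not vouch for it."""
        if user not in self._sessions:
            return None   # must log in first; afterwards no re-authentication per domain
        if audience not in self._trusted:
            return None   # e.g. D.com is not a partner of this GAS
        exp = int(self._now()) + CRED_TTL
        body = f"{user}|{audience}|{exp}".encode()
        sig = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + sig


class GamFilter:
    """GAM side: protects one domain, checking the credential on every request."""

    def __init__(self, domain: str, gas_key: bytes, gas_login_url: str, now=time.time):
        self._domain = domain
        self._key = gas_key
        self._login_url = gas_login_url
        self._now = now

    def check(self, credential):
        """Return the user name if `credential` is valid for this domain, else None."""
        if not credential or "." not in credential:
            return None
        b64, sig = credential.rsplit(".", 1)
        try:
            body = base64.urlsafe_b64decode(b64.encode())
        except ValueError:                    # binascii.Error is a ValueError
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                       # forged or tampered: never parse it
        try:
            user, audience, exp = body.decode().split("|")
            exp = int(exp)
        except ValueError:
            return None
        if audience != self._domain:
            return None                       # issued for another partner domain
        if self._now() > exp:
            return None                       # expired
        return user or None

    def handle(self, request_url: str, credential):
        """Gatekeeper decision for one request: ("allow", user) or ("redirect", gas_url)."""
        user = self.check(credential)
        if user:
            return ("allow", user)
        query = urllib.parse.urlencode({"return_to": request_url})
        return ("redirect", f"{self._login_url}?{query}")


def demo() -> dict:
    """Walk through the A.com / B.com / C.com / D.com scenario from the text."""
    gas_key = hashlib.sha256(b"constructed shared GAS key").digest()
    gas = CredentialIssuer(gas_key, {"a.com", "b.com", "c.com"})
    gam_b = GamFilter("b.com", gas_key, "https://gas.a.com/login")
    gam_c = GamFilter("c.com", gas_key, "https://gas.a.com/login")

    first = gam_b.handle("https://b.com/report", None)   # no credential yet: redirect
    gas.mark_authenticated("alice")                       # one card login at A.com ...
    cred_b = gas.issue("alice", "b.com")                  # ... then credentials for
    cred_c = gas.issue("alice", "c.com")                  # both partners (SSO)
    tampered = cred_b[:-1] + ("0" if cred_b[-1] != "0" else "1")
    return {
        "first": first[0],
        "redirect_target": first[1],
        "b_with_b": gam_b.handle("https://b.com/report", cred_b)[0],
        "c_with_c": gam_c.handle("https://c.com/", cred_c)[0],
        "c_with_b": gam_c.handle("https://c.com/", cred_b)[0],   # wrong audience
        "d_issued": gas.issue("alice", "d.com"),                  # not a partner
        "tampered": gam_b.handle("https://b.com/", tampered)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Binding each credential to one audience domain is what keeps the inter-domain trust one-directional: a B.com credential is worthless at C.com even though the same GAS signed it, and no credential for D.com is ever minted.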

 

Figure: The role of GAM

 

The GAM is compatible with the most widely deployed Web servers, including Apache Web Server, Microsoft IIS and iPlanet/Netscape Web Server. Together these servers held a 90.4% market share (NetCraft Web survey, August 2002).

 

Gemplus Access Gateway

The Gemplus Access Gateway (GAG) secures Web portals and PKI-enables existing legacy applications. It is a high-performance SSL gateway with extended PKI (Public Key Infrastructure) capabilities that any client-server application can use to obtain strong encryption, revocation control and PKI-based access control.

The Gemplus Access Gateway is based on an implementation of the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocol, the de facto standard for network encryption and the most widely used security solution for Internet commerce. The GAG provides a generic server-side TLS/SSL tunnel that can be placed in front of any static TCP protocol (one that runs over a single fixed port), such as HTTP, Telnet, POP3 and ICA.

The Gemplus Access Gateway is an alternative to the Gemplus Authentication Module.
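An added example (not Gemplus code) of the server-side TLS tunnel the GAG description outlines, written with the Python standard-library ssl module: a gateway that terminates TLS in front of a plaintext TCP service, requires a client certificate, checks the client's leaf certificate against a CRL when one is supplied, and admits only certificates whose subject is on an allow list before relaying bytes to the backend. The certificate and CRL file names, the organizational-unit based access rule, the port numbers and the backend address are assumptions.

```python
import socket
import ssl
import threading
from typing import Optional


def build_gateway_context(server_cert: str, server_key: str,
                          client_ca: str, crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context for the tunnel (file paths are assumptions).

    - TLS 1.2 or newer only
    - the client MUST present a certificate chaining to client_ca (mutual TLS)
    - if a CRL is given, the client's leaf certificate is checked for revocation
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED              # no client cert -> handshake fails
    ctx.load_verify_locations(cafile=client_ca)
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)   # a PEM CRL is loaded like a CA file
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def authorize_peer(peer_cert: Optional[dict], allowed_ous) -> Optional[str]:
    """PKI-based access control on top of a successful handshake.

    `peer_cert` is the dict returned by SSLSocket.getpeercert(): its "subject"
    is a tuple of RDNs, each a tuple of (attribute, value) pairs.  Returns the
    certificate's commonName when its organizationalUnitName is on the allow
    list, otherwise None.  (Keying on the OU is an assumption for the example.)
    """
    if not peer_cert:
        return None
    subject = {attr: value for rdn in peer_cert.get("subject", ()) for attr, value in rdn}
    if subject.get("organizationalUnitName") not in allowed_ous:
        return None
    return subject.get("commonName") or None


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_one(listener: socket.socket, ctx: ssl.SSLContext,
              backend_addr, allowed_ous) -> Optional[str]:
    """Accept one TLS client, authorize it, and tunnel it to the plaintext backend.

    Returns the admitted identity, or None if the handshake or the access check failed.
    """
    raw, _peer = listener.accept()
    try:
        conn = ctx.wrap_socket(raw, server_side=True)  # handshake: chain and CRL checked here
    except ssl.SSLError:
        raw.close()
        return None
    identity = authorize_peer(conn.getpeercert(), allowed_ous)
    if identity is None:
        conn.close()                                   # authenticated but not authorized
        return None
    backend = socket.create_connection(backend_addr)   # the legacy service, plain TCP
    back_to_client = threading.Thread(target=pump, args=(backend, conn), daemon=True)
    back_to_client.start()
    pump(conn, backend)
    back_to_client.join()
    conn.close()
    backend.close()
    return identity


if __name__ == "__main__":
    # Assumed paths and addresses: listen for TLS on 995 and forward each admitted
    # client to a plaintext POP3 server on localhost.
    context = build_gateway_context("gateway.pem", "gateway.key", "client-ca.pem", "client-ca.crl")
    with socket.create_server(("0.0.0.0", 995)) as srv:
        while True:
            print("tunnel closed for", serve_one(srv, context, ("127.0.0.1", 110), {"Partners"}))
```

The backend never sees TLS or certificates; the gateway has already rejected unauthenticated peers at the handshake and unauthorized peers at authorize_peer(), which is what "PKI-enabling" a legacy protocol amounts to.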



Figure: GAG process

 

Gemplus Authentication Client

The Gemplus Authentication Client (GAC) is browser-based client software that provides the cardholder with an interface to the GemAuthenticate back-end system.

The GAC prompts for and validates user input, displays status information and retrieves data from the card.

By retrieving the credential information needed for authentication and relaying it to the appropriate component of the system, the GAC acts as an intermediary between the user's card and the rest of the GemAuthenticate system.

 

The GAC is compatible with all the major Internet browsers on the market, including Microsoft Internet Explorer, Netscape Navigator and AOL.

 

The GAC is a flexible product: all of its user interfaces can be customized for each identity provider, that is, for each authentication server (GAS).

 

The GAC has a built-in Web Update function, which keeps the installed product up to date.

 

Figure: GAC connectivity within GemAuthenticate

 

GemLaunch

GemLaunch starts an online session when a smart card is inserted and ends it when the smart card is removed. The GemLaunch application is a small tray-icon application that leaves a small footprint on the client system.

GemLaunch is provided for convenience and promotion and is not itself a security component. It can, however, be used together with the GAC and the other GemAuthenticate products to improve the online experience while still achieving secure, authenticated access to Web resources.

 

GemLaunch has a built-in Web Update function, which keeps the installed product up to date.

Figure: GemLaunch process
  1. Card inserted into reader.
  2. Contact URL Broker.
  3. Pointer to start site received.
  4. Start Web browser and point it to start site.

 


©2004 Gemplus. All rights reserved. Gemplus, the Gemplus logo, GemLaunch and GemAuthenticate are trademarks and service marks of Gemplus and may be registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.