Gemalto - Protiva Strong Authentication

Protiva Strong Authentication Server

INFO & KNOWLEDGE

The Gemalto two-factor authentication solution is a three-tiered system; each tier consists of one or more components.

- The smart card tier – a smart card device capable of generating one-time password (OTP) credentials, in various form factors: stand-alone device, connected device, smart card, GSM phone.
- The client tier – a PC with an end-user application capable of accepting OTP credentials (such as a Web browser).
- The server tier – the back-end, running one or more servers for authentication and other applications, plus administrative "Customer Care" portals for system and user management.



[Figure: Protiva Strong Authentication Architecture (source: Gemalto)]



The server tier does the heavy lifting of user authentication and system management, and can be configured for anything from a basic to a complex implementation, depending on system requirements. A basic server tier consists of one or more physical machines hosting two main components: a Web application server and an SA Server. The application server talks to client machines across the Internet and provides the front-end Web interfaces; it talks to the SA Server by submitting authentication requests, receiving authentication results, and granting or denying access to other host resources. In practice the server tier is usually more complex:

In most practical deployments the back-end has more than one authentication entry point, for example a Web application server and a Remote Authentication Dial-In User Service (RADIUS) server.

In addition, a separate server usually hosts the user database holding all or part of the attributes required for authentication, typically an LDAP directory.

A dedicated hardware security module (HSM) may be attached to the SA Server to hold the cryptographic keys and perform the operations with them, so that the key material itself stays inside the module rather than in the server's database.


[Figure: Protiva Back End Architecture (source: Gemalto)]



Web Application Integration

Protiva SA can be fully managed through its web API, so it can be integrated completely into your own web application.

The SA Server web service API is an XML over HTTP API which allows you to perform
functions like the following:
- Get a list of all users/OATH or EMV devices/roles/OATH or EMV policies/keys
- Search for a list of users or devices, filtered by some criteria
- Get info for a specified user/OATH or EMV device/role/OATH or EMV policy/key
- Create a user/OATH or EMV device
- Update a user/OATH or EMV device
- Block a user/OATH or EMV device
- Unblock a user/OATH or EMV device
....

All API calls require a J2EE session, which is established by an authentication request. A successful authentication returns a cookie, JSESSIONID=[some hex string], and that cookie must be included in the header of every subsequent HTTP request to the API; a request without it is not authorised. The cookie is a bearer credential for the whole management API: send it only over TLS and keep it out of logs.
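The session flow described above, as an added example in Python (not Gemalto's code): a client authenticates once, takes the JSESSIONID value out of the Set-Cookie header and sends it on every later call, run against an in-process mock server that behaves the way the text describes (cookie issued on authentication, every other call refused without it). The /auth and /users paths, the XML bodies, the admin/s3cret credentials and the session value are assumptions; the real Protiva API has its own URLs and schema.

```python
"""Cookie-session handling for an XML-over-HTTP management API as the page
describes it: one authentication request returns a JSESSIONID cookie and
every later call must carry it.  Added example, not Gemalto's code: the
/auth and /users paths, XML bodies, credentials and the mock server are
assumptions standing in for the real Protiva SA API."""
import http.cookies
import threading
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_ID = "0123456789ABCDEF"   # constructed; a real J2EE container picks a random id


class MockSAServer(BaseHTTPRequestHandler):
    """Stand-in for the SA Server: /auth hands out the cookie, anything else is 401 without it."""

    def _send(self, status, body, extra_headers=()):
        self.send_response(status)
        self.send_header("Content-Type", "text/xml")
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/auth":
            req = ET.fromstring(body)
            if req.findtext("user") == "admin" and req.findtext("password") == "s3cret":
                self._send(200, "<result>OK</result>",
                           [("Set-Cookie", f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly")])
            else:
                self._send(401, "<result>FAILED</result>")
            return
        cookie = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        if "JSESSIONID" not in cookie or cookie["JSESSIONID"].value != SESSION_ID:
            self._send(401, "<error>no valid session</error>")
        else:   # only the user list is implemented in this mock
            self._send(200, "<users><user id='alice'/><user id='bob'/></users>")

    def log_message(self, *args):   # keep the demo quiet
        pass


class SAClient:
    """Client side: authenticate once, then send the cookie with every request."""

    def __init__(self, base_url):
        self.base_url, self.session_id = base_url, None

    def _post(self, path, root):
        headers = {"Content-Type": "text/xml"}
        if self.session_id:
            headers["Cookie"] = f"JSESSIONID={self.session_id}"
        req = urllib.request.Request(self.base_url + path, data=ET.tostring(root),
                                     headers=headers, method="POST")
        return urllib.request.urlopen(req)        # raises HTTPError on 401

    def login(self, user, password):
        root = ET.Element("auth")                 # built with ElementTree so the
        ET.SubElement(root, "user").text = user   # credentials are XML-escaped
        ET.SubElement(root, "password").text = password
        resp = self._post("/auth", root)
        jar = http.cookies.SimpleCookie(resp.headers.get("Set-Cookie", ""))
        self.session_id = jar["JSESSIONID"].value  # parse the header, don't regex it
        return self.session_id

    def list_users(self):
        resp = self._post("/users", ET.Element("list"))
        return [u.get("id") for u in ET.fromstring(resp.read()).findall("user")]


def start_mock_server():
    srv = HTTPServer(("127.0.0.1", 0), MockSAServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def run_demo():
    srv, url = start_mock_server()
    out = {}
    try:
        client = SAClient(url)
        try:                                      # 1. call before login: refused
            client.list_users()
        except urllib.error.HTTPError as e:
            out["before_login"] = e.code
        try:                                      # 2. wrong password: no cookie issued
            client.login("admin", "wrong")
        except urllib.error.HTTPError as e:
            out["bad_login"] = e.code
        out["session"] = client.login("admin", "s3cret")   # 3. cookie captured
        out["users"] = client.list_users()                 # 4. cookie sent along
    finally:
        srv.shutdown()
        srv.server_close()
    return out
```

Calling run_demo() returns the status of the two refused calls (401 each), the captured session id and the user list. Against a real SA Server the base URL must be https://, since whoever reads the JSESSIONID value on the wire owns the management session.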



Live Provisioning

SA Easy OTP Tokens, which work only in unconnected mode, do not need provisioning files from Gemalto to be activated in a Protiva SA Server; they can be activated through Live Provisioning instead.

Live Provisioning uses a contactless reader with its driver (the Live Provisioning Kit) and an ActiveX component that communicates with the SA Server; it is carried out in the Customer Care Portal. Place the smart card device on the contactless reader, press the refresh button so that the device is detected, then press the Provision (or Reprovision) button in the Customer Care Portal. Live provisioning writes a new shared key and a device-specific menu to the device and resets its event counter.

The Provision function writes a new identifier (Token ID) that is unique within the SA Server; the new device is then in the "Initialized" state. The Reprovision function keeps the existing Token ID and therefore keeps all links made to this device, but it still replaces the shared key and resets the event counter, so any OTP generated before reprovisioning is no longer valid.
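What the provisioning step writes to the token (a shared key and a reset event counter) and why that matters for validation, as an added example in Python (not Gemalto's code): an event-based OATH OTP (HOTP, RFC 4226) of the kind an unconnected token generates, a server-side record that validates with a look-ahead window for button presses that never reached the server, and a provision/reprovision routine that replaces the key and resets both counters while leaving the Token ID alone. The Token and ServerRecord classes, the window of 10, the "Created" state, the Token ID TOKEN-0001 and the two fixed keys are assumptions; the RFC 4226 test key is used first so the early codes match the published vectors (755224, 287082, ...).

```python
"""What Live Provisioning changes on the token and how the server side then
validates: an OATH event-based OTP (HOTP, RFC 4226) is derived from the shared
key and an event counter, so a new key plus a reset counter invalidates every
code made before.  Added example, not Gemalto's code; Token, ServerRecord, the
look-ahead window, the "Created" state and the fixed keys are assumptions."""
import hashlib
import hmac
import secrets


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The unconnected device: nothing but a shared key and its own event counter."""

    def __init__(self, key: bytes = b""):
        self.key, self.counter = key, 0

    def press(self) -> str:
        otp = hotp(self.key, self.counter)
        self.counter += 1            # each button press consumes one counter value
        return otp


class ServerRecord:
    """What the SA Server keeps per Token ID: key, next expected counter, state."""

    LOOK_AHEAD = 10                  # assumed window for presses the server never saw

    def __init__(self, token_id: str):
        self.token_id, self.key, self.counter, self.state = token_id, None, 0, "Created"

    def provision(self, token: Token, key: bytes = b"") -> None:
        """Provision/Reprovision: write a new shared key to the device, reset its
        event counter and mirror both here.  The Token ID is left untouched,
        which is what Reprovision relies on to keep existing links."""
        self.key = key or secrets.token_bytes(20)
        token.key, token.counter = self.key, 0
        self.counter, self.state = 0, "Initialized"

    def verify(self, otp: str) -> bool:
        if self.key is None:
            return False
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.key, c), otp):
                self.counter = c + 1  # resync; this and all earlier values are now dead
                return True
        return False


def walkthrough() -> dict:
    """Constructed run: RFC 4226 test key first, a second fixed key on reprovision."""
    tok, rec = Token(), ServerRecord("TOKEN-0001")          # constructed Token ID
    rec.provision(tok, key=b"12345678901234567890")
    first = tok.press()                                      # 755224 with this key
    out = {"state": rec.state,
           "first_accepted": rec.verify(first),
           "replay_rejected": not rec.verify(first)}
    for _ in range(3):                                       # presses nobody typed in
        tok.press()
    out["skipped_within_window"] = rec.verify(tok.press())
    for _ in range(ServerRecord.LOOK_AHEAD):                 # drift past the window
        tok.press()
    out["beyond_window_rejected"] = not rec.verify(tok.press())
    stale = tok.press()
    rec.provision(tok, key=b"09876543210987654321")          # Reprovision
    out["stale_after_reprovision_rejected"] = not rec.verify(stale)
    out["fresh_after_reprovision_accepted"] = rec.verify(tok.press())
    out["token_id_kept"] = rec.token_id == "TOKEN-0001"
    return out
```

The walkthrough shows the two failure modes an operator meets in practice: a token pressed too many times without being used drifts beyond the server's window and needs a resync or reprovision, and after a reprovision every code the token produced before is dead even though its Token ID and links are unchanged.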


DOWNLOADS
 
Protiva SA Server Brochure
Protiva SA Devices Brochure
Smart Enterprise Guardian
To get protected by Protiva - Gemalto movie
Strong Authentication Demo Site by Gemalto
Protiva Site by Gemalto


Gemalto - Protiva SA   In a world where securing network identities is a key success factor for enterprise business operations, Gemalto offers Protiva, a packaged enterprise network security solution based on one-time passwords generated by Gemalto .NET smart cards.

Protiva Licencing   Protiva Strong Authentication licences are usually bought together with the hardware tokens; there is no separate server licence for the Strong Authentication Server.

Protiva OTP - how it works   The Protiva SA Server supports two OTP algorithms, OATH and CAP. How does it work on the client side?



Prerequisites and supported third party products

The versions below are the ones listed for this release; all of them (Windows Server 2003, Tomcat 5.5, MySQL 4.1/5.0, Java 1.5 and so on) are long out of vendor support, so check the current vendor documentation before planning a deployment.

Operating system:
- Windows Server 2003
- Enterprise Linux distributions (Red Hat, SUSE)
- IBM AIX 5.3 (64-bit)

Web Application Server:
- Apache Tomcat 5.5.x (5.5.17 used in reference implementation)
- IBM WebSphere (on AIX)

Database:
- Firebird 2.0 (used in reference implementation)
- MySQL 4.1.x, 5.0.x
- MS SQL Server 2005
- IBM DB2 Enterprise 9
- Oracle 9.2.0.1

LDAP Servers:
- Windows AD
- Novell eDirectory 8.7, 8.8

Java Runtime:
- Sun J2SE 1.5.x JRE (1.5.07 used in reference implementation)
- IBM Java, 64-bit (on AIX)

SSM / HSM:
- Sun JCE, IBM JCE (on AIX)
- nCipher HSM (nShield, netHSM)
- Bull HSM



Copyright © 2004 CRYPTAS. All rights reserved.