TruePass Assures a Safe Journey for Internet Transactions

The full Entrust product suite offers primary security services for Web-based transactions, including authentication, authorization, privacy, nonrepudiation and encryption. TruePass lets a user digitally sign a Web transaction to bind the user to the transaction for nonrepudiation and dispute resolution.

TruePass can be applied to B2B and B2C scenarios. A company with an extranet capable of processing purchases could use TruePass. For example, TruePass could be used by health care organizations to authenticate doctors and patients submitting highly sensitive medical information over Internet connections where strong encryption and nonrepudiation are essential.

Not Standalone

Entrust TruePass is not a standalone product. TruePass requires Entrust Authority Security Manager (formerly known as Entrust Authority) to provide CA (certificate authority) services at a minimum. Entrust Authority Security Manager also requires a directory server. It can use Sun iPlanet, Siemens DirX, Microsoft Active Directory and Critical Path. Critical Path was bundled with TruePass for this review.

TruePass uses the following servlet engines on the back end: Macromedia JRun, IBM WebSphere or BEA Systems WebLogic. You can run Entrust SAS (Self Administration Server) on the same engine to provide automatic enrollment and recovery, or you can let users revoke their certificates.Some of the more interesting features of TruePass include extended platform support, client-side key generation, and an increased number of authentication and digital ID storage options, such as support for roaming users using smartcards and transparent client downloads.

The Entrust Truepass 6.0 release extends platform support to Sun Microsystems Solaris 8, Microsoft Windows 2000 Advanced Server, WebLogic Server 6.1 SP2, Websphere advanced and single server editions 4.0.1, JRun 3.1 Professional, and Active Directory (NTLM and LDAP modes).

TruePass does not require Entelligence, the fat client used to provide encryption and digital signatures for applications such as secure e-mail and Adobe Acrobat. TruePass differs from Entelligence in that it requires no client-side software to be installed and provides functionality to Web-based applications. It also provides authentication for VPN extranet clients, such as those from Nortel Networks and Cisco Systems, as well as providing a facility for desktop and workgroup encryption.

My lab environment comprised three PCs loaded with Windows 2000 Professional SP1. The install process took several hours because of the multiple-layered components, but client-side operations were easy to navigate and use once in place.

I installed Entrust TruePass Server and Entrust SAS on the first PC. On the second PC I installed Entrust Authority Security Manager and Entrust Authority Roaming Server. The third PC acted as a Web client and was installed with a card reader. I installed Microsoft Internet Explorer 6 with the high encryption pack on the Web client. My first inclination was to install a more recent service pack on the servers, but the Entrust Authority server leverages an Informix database that requires SP1, according to Entrust. I was disappointed with this limitation.

Speedy Results

In my tests, I chose the smartcard option to store the digital ID. I installed a Schlumberger USB Reflex reader on a laptop running Windows 2000 Professional SP1--a breeze as the drivers are native to that OS--and to Windows XP. Storing the credentials on the card during the registration process before authentication took less than five minutes, compared with several hours of layered server installs on the other PCs. Once the card was inserted and prompted to access Web data, the credentials successfully authenticated the client PC and granted access to the Web site.

For test purposes, I created a flat text file containing user IDs and passwords. In a production environment, an encrypted database such as Protegrity might be used.From the Web client PC, I connected to the SAS URL and selected the "Zero Footprint Client Side Operations" option--the menu options can be customized to your company preferences. At this point I had to choose from three different credential storage options: software-based roaming credentials using SPEKE (Simple Password-authenticated Exponential Key Exchange) protocol, file system-based credentials or Microsoft Crypto API (CAPI), which is called "MS Security Framework" by default on the SAS customizable menu. CAPI contains two suboptions: storing credentials in the registry or on the smartcard.

Next, I selected the "Create Windows Security Framework User" option to store the TruePass credentials in CAPI and entered credentials that matched the shared secret text file. I also checked the option to put the credentials on the smartcard. The SAS server then verified the shared secret and triggered the SAS applet to begin key and certificate generation. The enrollment applet generated the private signing key and stored it on the Schlumberger card. I was also prompted to enter on the smartcard a PIN, which adds another level of authentication.

The applet then used the credentials (the private key) to digitally sign the challenge string that the servlet presented. After the challenge string was verified, a digitally signed session cookie was issued. According to Entrust, this session cookie could be presented to any TruePass-protected Web server in that domain or in affiliated domains. This feature would allow companies to protect back-end resources beyond the Web server.

Transaction Signing

The demo application provides a "Transaction Signing" option, which I selected. I was asked to fill out a sample stock purchase request and submit to the Entrust TruePass servlets. The result returned to the TruePass servlet was a read-only confirmation page for the transaction. The TruePass servlet made a copy of the confirmation and forwarded a copy to the applet. If you agree to sign the returned read-only transaction page, your digital signature is added to the HTML document, and the servlet compares the unsigned copy of the HTML page to verify that it has not been modified. If the pages match, the servlet adds its own signature to the read-only form as well. This double-signed confirmation page is sent to the transaction server and can be used later for nonrepudiation.The user completes a form with sensitive information and clicks "encrypt." The applet then retrieves the back-end target server certificate and encrypts the form. The applet submits the form to the back end, and, as the form travels through the back end it cannot be decrypted until it reaches the target server.

Entrust TruePass can provide strong identification, verification and privacy for Web-based applications. With proper planning, this product is well-equipped to secure portal access using end-to-end encryption.

Mike Dalton is a security engineer at a Fortune 500 insurance company in North America. Send your comments on this article to him at [email protected].