Press Release Summary:
Specifications simplify secure integration of one-time password methods into enterprise applications and infrastructure. These provide technology solutions vendors with greater ease and flexibility in integrating support for a wide range of OTP methods, including time-synchronous, event-synchronous, and challenge-response solutions. Specifications will deliver enhanced security and greater simplicity in authentication. Users can choose the type of credential method that is most suitable.
Original Press Release:
RSA Security Releases Open Specifications for Integrating One-Time Password Methods
Proposed Standards Deliver Flexibility and Choice in Integrating One-Time Passwords with Enterprise Applications and Infrastructure
RSA® CONFERENCE 2005/SAN FRANCISCO, Feb. 15 -- RSA Security Inc. (NASDAQ:RSAS) today announced the release of five open specifications to simplify the secure integration of various one-time password (OTP) methods into enterprise applications and infrastructure. A sixth specification is expected to be released shortly. As strong authentication evolves into an enterprise-wide solution rather than a point deployment, one-time passwords must be easily integrated with applications. These open specifications -- available for public review and comment -- will provide technology solutions vendors with greater ease and flexibility in integrating support for a wide range of OTP methods, including time-synchronous, event-synchronous and challenge-response solutions. Technology leaders such as Adobe Systems, Check Point Software Technologies, Cisco Systems, Funk Software, iPass, Juniper Networks, Meetinghouse and Microsoft have endorsed this effort.
The specifications will be submitted as appropriate to established standards bodies, such as the Internet Engineering Task Force (IETF) and the Organization for the Advancement of Structured Information Standards (OASIS). The EAP-POTP specification, for example, already has been submitted to the IETF for review. These specifications build on RSA Security's long-established role as a champion of industry-wide standards, such as Public Key Cryptography Standards (PKCS), Security Assertion Markup Language (SAML) and Web Services Security: SOAP Message Security.
Organizations increasingly deploy OTP-based strong authentication solutions to ensure that only authorized users are able to gain entry to remote access, enterprise, partner, and consumer resources. These open specifications will facilitate the broader adoption of strong authentication through simpler, more cost-effective integration of one-time passwords with enterprise applications and infrastructure. For businesses, vendor adoption of these open specifications will deliver enhanced security, reduced deployment costs, and greater simplicity in authentication. Businesses also will benefit from the ability to choose the type of credential method that best serves the organization.
To further industry collaboration on these proposed specifications, RSA Security is following the same proven process as when the company introduced PKCS in 1991 -- documents that have since become widely referenced and implemented. The initial set of six open specifications related to the integration and management of One-Time Passwords (collectively referred to as the One-Time Password Specifications documents) is coordinated online at www.rsasecurity.com/rsalabs/otps and available for public review and feedback. The specifications will be developed further through mailing list discussions and workshops, with details available from the OTPS website, and will be submitted to standards bodies as appropriate.
Details on One-Time Password Specifications
Historically, one-time password solutions have involved end-user devices (tokens) that are not connected to the network or to a client. The end user reads the one-time password from a display and then enters it into a client. While this disconnected approach delivers high portability, enterprises are becoming interested in also supporting connected OTP tokens, which deliver increased ease of use and flexibility by enabling a user to authenticate simply by connecting the token (e.g., through a USB connector). Several of the new OTP specifications are focused on support for connected tokens, while others are relevant to both connected and disconnected tokens.
The proposed and planned specifications address critical components of OTP technology integration and management, including the initialization of OTP credentials, and the retrieval, transport and validation of one-time passwords. The proposed specifications also address the five key areas related to credential lifecycle management: creating, storing, managing, proving and leveraging credentials. The new OTP specifications fall into the following three basic areas:
o One-Time Password Credential Provisioning: One-time password solutions require that an end user's token and an enterprise's back-end server share the same credential, which is used to generate the one-time password. The combination of connected tokens and the Cryptographic Token Key Initialization Protocol (CT-KIP) specification will simplify this credential provisioning, enabling companies to save time and money, while also increasing security. Specifically, the protocol enables the token and the server to create and use the same shared credential, without sending it to each other, and without requiring private-key capabilities in the token or an established public-key infrastructure.
o One-Time Password Retrieval: OTP retrieval specifications are focused on making it straightforward for more vendors to support connected one-time tokens -- enabling end users to harness the benefits of connected tokens, particularly not having to manually enter one-time passwords. By basing OTP retrieval on well-known and widely implemented cryptographic token interfaces (PKCS #11 and CAPI), the OTP-PKCS #11 and OTP-CAPI specifications provide the greatest ability to simply integrate connected OTP tokens with various applications.
o One-Time Password Transport and Validation: It is critical that integration of one-time passwords with enterprise applications and infrastructure provide the ability to enter an OTP for authentication, and for the application/infrastructure to pass the OTP across the network to a validation server. Traditionally, this integration has been accomplished through proprietary APIs or through the use of an authentication method within RADIUS. Three of the new specifications are intended to make it possible to more easily integrate OTP authentication, providing end users with the ability to strongly authenticate into more applications.
In addition, open specifications for the transport (One-Time Password Web Services Security Token) and validation (OTP-Validation Service) of OTPs within Web services protocol environments will remove the integration obstacles presented by current, proprietary solutions.
Similarly, protected one-time password EAP (EAP-POTP) can be used to provide unilateral or mutual authentication, and key material, in protocols utilizing EAP, such as PPP, IEEE 802.1X and IKEv2. EAP-POTP is complementary to, but independent of, EAP tunneling methods such as PEAP, TTLS, and EAP-FAST.
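The two lifecycle steps the release describes, a token and a server agreeing on one credential that is never transmitted (the CT-KIP provisioning item above) and a validation server checking time-synchronous and event-synchronous codes passed to it over the network (the transport and validation item), as an added illustration in Python. This is example code written for this page, not RSA Security's code and not an implementation of CT-KIP, OTP-Validation Service or EAP-POTP: the message layout, the PRF label, the HOTP-style truncation and the `transport_key` that stands in for CT-KIP's public-key wrapping of the token nonce are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed derivation label for this illustration; not a CT-KIP constant.
PRF_LABEL = b"otp-credential-illustration"


def wrap_nonce(nonce: bytes, transport_key: bytes, server_nonce: bytes) -> bytes:
    """Protect the token's nonce on its way to the server.

    Assumption: this stands in for CT-KIP's step of encrypting the token nonce
    under the server's public key (a public-key operation only, so the token
    needs no private key).  Here a per-exchange keystream derived from a
    transport key is XORed in; the same call undoes the wrapping.
    """
    keystream = hmac.new(transport_key, server_nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(nonce, keystream))


def derive_credential(client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Both ends run the same PRF over the two nonces; the credential itself
    never crosses the wire.  Illustrative PRF, not CT-KIP's."""
    return hmac.new(client_nonce, PRF_LABEL + server_nonce, hashlib.sha256).digest()


def provision(transport_key: bytes):
    """Run the exchange; return (token_credential, server_credential, wire)."""
    server_nonce = os.urandom(16)                                     # server -> token, in the clear
    client_nonce = os.urandom(16)                                     # token keeps this secret
    wrapped = wrap_nonce(client_nonce, transport_key, server_nonce)   # token -> server
    wire = [server_nonce, wrapped]                                    # all an observer sees
    recovered = wrap_nonce(wrapped, transport_key, server_nonce)      # server unwraps
    return (derive_credential(client_nonce, server_nonce),
            derive_credential(recovered, server_nonce),
            wire)


def otp_from_counter(credential: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code: HMAC over the moving factor, dynamic truncation, decimal digits."""
    mac = hmac.new(credential, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ValidationServer:
    """Server side of OTP validation for one token's credential."""

    def __init__(self, credential: bytes, step: int = 30, window: int = 1):
        self.credential = credential
        self.step = step                  # seconds per time step
        self.window = window              # tolerated clock drift, in steps
        self.last_accepted_step = -1      # replay guard for time-synchronous codes
        self.next_counter = 0             # next expected event counter

    def validate_time(self, otp: str, now: float = None) -> bool:
        """Time-synchronous: accept the current step or +/- window, but never a
        step at or before one already accepted, which blocks replay."""
        current = int((time.time() if now is None else now) // self.step)
        for step in range(current - self.window, current + self.window + 1):
            if step < 0 or step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(otp_from_counter(self.credential, step), otp):
                self.last_accepted_step = step
                return True
        return False

    def validate_event(self, otp: str, look_ahead: int = 5) -> bool:
        """Event-synchronous: the token may have produced unused codes, so search
        a bounded look-ahead and resynchronise the counter on success."""
        for counter in range(self.next_counter, self.next_counter + look_ahead):
            if hmac.compare_digest(otp_from_counter(self.credential, counter), otp):
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    token_cred, server_cred, wire = provision(b"constructed-transport-key")
    print("credentials match:", token_cred == server_cred, "| on wire:", token_cred in wire)
    server = ValidationServer(token_cred)
    code = otp_from_counter(token_cred, int(time.time()) // 30)
    print("first use:", server.validate_time(code), "| replay:", server.validate_time(code))
```

The replay guard is the part a validation service must get right: a time-synchronous code is valid for the whole step and the drift window, so the server records the last accepted step and refuses anything at or before it; for event-synchronous tokens the look-ahead is bounded so a lost token cannot be brute-forced against an unbounded counter range.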
"RSA Security supports the technology industry's call for nonproprietary specifications that allow vendors to easily integrate OTP technology with enterprise applications," said Victor Chang, vice president of technology at RSA Security. "Standardization on common integration methods enables both application and authentication vendors to gain maximum leverage, which ultimately benefits businesses worldwide as they adopt strong authentication throughout enterprises and in online commerce."
Technology Industry Validation
Leading technology companies have endorsed the effort to deliver a standards-based framework for integrating one-time passwords with enterprise applications and infrastructure:
Adobe Systems: "As businesses begin to deploy strong authentication more broadly across the enterprise, these organizations must be able to easily integrate one-time passwords with their popular desktop and server applications," said John Landwehr, director of security solutions and strategy at Adobe. "Adobe is pleased with RSA Security's initiative for delivering open specifications, and we look forward to working with RSA Security to continue to evolve powerful and easy-to-use authentication mechanisms for access control and rights management in electronic document workflows."
Check Point Software Technologies: "Providing nonproprietary methods to integrate any significant emerging technology is the best way to fuel its adoption," said Paul Weinstein, vice president of business development at Check Point Software Technologies Ltd. "RSA Security's proposed open specifications for one-time passwords will serve the IT security industry by enabling technology solution vendors to integrate one-time password technology throughout the enterprise."
Cisco Systems, Inc.: "Cisco is pleased to see these proposed One-Time Password (OTP) specifications, as they will allow the security IT industry to deliver more secure access solutions of greater value at a lower cost for our customers," said Bob Gleichauf, chief technology officer for Cisco's Security Technology Group.
Funk Software: "The proposed specifications should make it easier to integrate support for one-time passwords into enterprise applications," said Paul Funk, president of Funk Software, a leading developer of network access security solutions. "One-time passwords provide very strong authentication security, an important capability for customers who are managing increasingly complex network access infrastructures. Whether users connect to the network via wireless or wired, from a remote site or on-site, OTP provides the strong security that lets enterprises better protect their critical business assets."
iPass: "Open specifications for the initialization of credentials, along with the retrieval, transportation and validation of one-time passwords, will enable iPass to better serve our business customers as they deploy strong authentication solutions across the enterprise," said Roy Albert, CTO of iPass Inc. "iPass plans to leverage these specifications as we work to deliver stronger authentication support, particularly in the context of one-time passwords."
Juniper Networks: "The proposed one-time password specifications will better serve the IT security industry by providing non-proprietary methods of integrating OTP solutions as customers deploy strong authentication throughout the enterprise," said George Riedel, VP of strategy and corporate development at Juniper Networks. "Juniper expects to utilize these specifications to ensure that our technology solutions are able to easily, securely and cost-effectively integrate with customers' one-time password technology."
Meetinghouse: "The new open specifications from RSA Security provide technology companies like Meetinghouse with an effective way to support a full range of current and future OTP solutions," said Dr. Paul Goransson, president of Meetinghouse. "Meetinghouse supports the RSA Security effort to provide open solutions that deliver the strong network security with ease-of-use required by enterprise users."
Microsoft: "Customers have told us that interoperability across security solutions is a critical requirement," said Rich Kaplan, corporate vice president for the Security Business & Technology Unit (SBTU) at Microsoft Corp. "Microsoft supports all our partners' efforts to provide open solutions that deliver the greatest value to business customers and support strong authentication deployments."
RSA Security Support of Specifications Within its Own Products
Demonstrating the company's support for these open one-time password specifications, RSA Security plans to integrate these methods into RSA SecurID® technology, a market-leading strong authentication solution. Future versions of RSA Security's client for connected RSA SecurID tokens, RSA® Authentication Manager and RSA® Authentication Deployment Manager will support these proposed open specifications. This support will enable RSA Security customers to more easily and cost-effectively integrate and deploy OTP-based strong authentication.
About RSA Security Inc.
RSA Security Inc. helps organizations confidently protect identities and information access. The company secures more than 15 million user identities, safeguards trillions of business transactions annually, and manages the confidentiality of data in tens of thousands of applications worldwide. RSA Security's portfolio of award-winning solutions -- including identity & access management, secure mobile & remote access, secure enterprise access, secure transactions and consumer identity protection -- sets the standard in the industry. Our strong reputation is built on a 20-year history of ingenuity, leadership and proven technologies, and our more than 17,000 customers around the globe. Together with more than 1,000 technology and integration partners, RSA Security inspires confidence in everyone to experience the power and promise of the Internet. For more information, please visit www.rsasecurity.com.
CONTACT: Roger Fortier of McGrath/Power Public Relations, +1-408-727-0351, or firstname.lastname@example.org, for RSA Security Inc.; or Dave Howell of RSA Security Inc., +1-781-515-6303, or email@example.com