Technology

Brief Summary

At its core, the TrustAlert "RESEPT" technology can be defined as: upon successful strong user authentication, create on demand, securely deliver and automatically install a time-limited X509v3 client certificate in the client's trusted certificate store.

Since virtually all network equipment supports X509 as a valid authentication input, the user will only be granted access when in possession of a valid client certificate issued by your own RESEPT certificate authority. Since web servers often already use SSL server certificates, network administrators can now set up a highly secure two-sided (mutually authenticated) '2SSL' encrypted tunnel between your corporate network or services and your users.

Lastly, since the industry-standard X509 certificate resides in your usual certificate store, it can easily be used for other functions as well, such as digital signing and time stamping.

Technology Advantages

At its core, the RESEPT technology is based on OpenSSL, giving the certainty that the Certificate Authority portion is robust and has been thoroughly tested by experts all over the world. RESEPT has been designed to automate the roll-out of short-life client certificates based on user data from your existing network identity store and your preferred user authentication method. By using existing identity stores, network administrators keep their current user management tools and processes unchanged. Automating short-life certificate roll-out also means that security staff spend no time on certificate creation, installation, replacement or even revocation.

Centralized key escrow (recovery) finally becomes possible because the key material is generated on a secure RESEPT appliance instead of on an uncontrolled user device. Being able to bind users to a trusted, company-managed device or to a pool of trusted devices significantly reduces your network security risks. The RESEPT appliance further supports using an existing CA tree, or can create its own dedicated one. Whichever choice is made, the user experience remains highly positive: the user simply enters his username and password; RESEPT takes care of the rest!

RESEPT Secure Connection Agent

The RESEPT Secure Connection Agent is a small, freely downloadable software package which is responsible for safely connecting to a RESEPT appliance and for securely installing incoming short-life X509v3 certificates in certificate stores without any further user intervention. The agent doesn't contain any secrets and can be freely redistributed. It is currently available as either an installer or an API for several platforms, including Windows XP (32/64), Windows Vista (32/64) and Windows 7 (32/64). Other platforms such as Mac OSX, J2ME-capable mobile phones, iOS, Google Android etc. can be made available upon request.

Should your user want to securely access any of your online resources, then all he/she needs to do is go to the predefined hot-URL [i.e. your company portal, or external services]. The browser automatically triggers the agent when no valid client certificate is available. [Or you can also opt to start the agent manually.] Once started, the agent simply asks the user to enter his credentials.

As the agent uses TrustAlert's patented secure connection technology, the authentication credentials are completely safeguarded from the moment the data leaves the device until it reaches the RESEPT appliance [and vice versa]. The authentication stream also includes a unique device hardware footprint signature calculated on the spot, as well as the result of a reverse DNS lookup of the predefined URL.

When the RESEPT appliance has verified all credentials, the newly created client certificate is sent over the same secure connection and installed in all appropriate certificate stores. The agent then shuts down automatically until the short-life certificate becomes invalid.

RESEPT Server Appliance

The RESEPT Server Appliance has been designed to deliver on-demand certificates for millions of users at a rate that comfortably keeps up with any back-end identity directory or database. It connects over secure LDAPS to any commonly used identity store such as Active Directory, eDirectory and any other LDAP-compatible directory.

Although a single Server Appliance may be sufficient for an enterprise of any size, it can easily be made redundant or load-balanced by simply adding more appliances. This scalability is possible because no file system changes occur on the appliance once it is configured. As a result, frequent backups of server data are not needed.

The appliance will create a short-life X509v3 certificate when the following criteria are met:
• Authentication credentials are correct.
• Hardware signature is correct. [This check is optional]
• The IP address of the predefined URL as resolved locally by the appliance matches the one resolved by the user's client.

The RESEPT short-life certificate contains a unique key pair generated on the fly, as well as all standard attributes [Common Name, Organizational Unit, Country, E-mail, Time to live, etc.], mapped from data in the identity store. By default, 1024-bit RSA keys are configured for client certificates, and 2048-bit RSA keys for the CAs.

Finally, once sent to the RESEPT Secure Connection Agent, the unique private key is either immediately discarded from the appliance, or kept on an external secure medium for key roll-over or key escrow purposes.
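The issuance described in this section can be reproduced with the plain OpenSSL command line. The script below is an added example, not RESEPT or TrustAlert code: it builds a dedicated CA, issues a one-day client certificate whose subject fields are mapped from a constructed identity record (standing in for an LDAP entry), verifies the chain the way a relying server would, and runs the expiry check an agent needs before deciding whether to re-enrol. It uses a 2048-bit RSA key for the client as well as the CA; the page's 1024-bit default dates from 2011 and is below current key-size guidance. The subject values, file names and the hypothetical `example.invalid` domain are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not TrustAlert/RESEPT code): issue a short-lived X.509v3 client
# certificate with the openssl CLI, mapping subject attributes from an identity
# record, then verify it against the CA and check whether it is still valid.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed identity-store record (stands in for an LDAP entry).
IDENT_CN="Alice Example"
IDENT_OU="Engineering"
IDENT_C="NL"
IDENT_MAIL="alice@example.invalid"
CERT_DAYS=1   # short life; 'openssl x509 -req' accepts whole days only

# Create a dedicated CA (2048-bit RSA, matching the page's CA key size).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example short-life CA/O=Example/C=$IDENT_C" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client certificate: fresh key pair, subject mapped from the record,
# clientAuth EKU so TLS servers accept it for client authentication.
issue_client_cert() {
  openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client.key" -sha256 \
    -subj "/CN=$IDENT_CN/OU=$IDENT_OU/C=$IDENT_C/emailAddress=$IDENT_MAIL" \
    -out "$WORK/client.csr" 2>/dev/null
  cat > "$WORK/client.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=email:$IDENT_MAIL
EOF
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$CERT_DAYS" -sha256 -extfile "$WORK/client.ext" \
    -out "$WORK/client.crt" 2>/dev/null
}

# Chain check: is this certificate signed by the CA we trust, for client use?
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/client.crt" >/dev/null 2>&1
}

# Validity check an agent needs: will the cert still be valid $1 seconds from
# now? (-checkend exits 0 if it will still be valid, 1 if it will have expired.)
cert_valid_in() {
  openssl x509 -in "$WORK/client.crt" -noout -checkend "$1" >/dev/null 2>&1
}

# Show the mapped subject and the validity window for the reader.
show_cert() {
  openssl x509 -in "$WORK/client.crt" -noout -subject -dates
}

make_ca
issue_client_cert
verify_client_cert && echo "chain OK: client certificate issued by our CA"
cert_valid_in 0 && echo "certificate is valid now"
cert_valid_in $((2 * 86400)) || echo "certificate will have expired in 2 days: agent must re-enrol"
show_cert
```

Because `openssl x509 -req -days 1` sets notBefore to the moment of issuance, the certificate is usable immediately and lapses after 24 hours; a relying server that checks `-purpose sslclient` semantics (as `openssl verify` does here) rejects the CA certificate itself and any certificate without the clientAuth extended key usage.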

© 2011-2012 Elephant Security I b.v. All rights reserved.