Appendix 2 - 3DAS™ Identification and Irrefutability

To serve the blossoming world of business-to-business eCommerce expanded by the Internet, Unicate offers a unique means of identification and assurance of irrefutability.  The goal of the 3DAS™ mechanism is to assure that the corporations token was present, an authorized individual did agree and those are the instructions agreed.  3DAS™ is well suited to serve the needs of emerging Internet enabled applications such as

*   Analytics

*   Self service human resources

*   Cash management

*   Customer relationship management

*   Email

*   Order processing

*   Home banking

*   Enterprise resource management

*   Logistics management

*   Supply chain management

*   Money transfer

*   Strategic enterprise management

*   One to one marketing

*   Corporate knowledge management

*   Stockbrokerage

*   Sales force automation

All of these applications have one thing in common.  They access confidential corporate information or allow the execution of transactions that can have mission critical consequences.  Therefore, before an organization can consider enabling access via the Internet it is essential that there is adequate assurance that only authorized individuals have access and that any instruction given is prepared and authorized by the individual.

This being said security comes at a price.  Unicate believes that the cost of security must commensurate with the value of the asset in question.  More importantly, security should not subject the user to unnecessarily cumbersome procedures or the need to remember various account numbers and passwords.

The design of the Unicate solution allows clients, employees and partners, to use standard Internet browsers to connect through any insecure network to confidential and mission critical applications and knowledge. For the user, the solution is easy to use and only requires them to enter their first name, insert their 3DAS™-enabled Card and if security dictates, enter their PIN.  The user no longer is required to remember an account number and password associated with each system they access.

Behind a firewall are the Internet enabled corporate applications employed to provide the appropriate services to client, partner or employee “users”. 

The 3DAS™ solution involves installing a 3DAS™ Identification Server as the secure gateway between the public network and the corporations secure private network.  The goal, to provide a transparent interface allowing any Internet enabled applications to be accessed from anywhere without requiring any modification.  By eliminating the need to modify operational systems, assures the corporation's investment in training and application development.  The 3DAS™ solutions cost effectively assure that these same applications can exploit the ability of the insecure Internet to reach an ever larger population of mobile workers, strategic partnerships and self services business processes.

The 3DASä Environment

To achieve these goals the following is required:

*   A 3DASä Identification Server located in-between the public networks and the Intranet of organization. 

*   A 3DASä Reader with keypad connected to the user's computer and the 3DASä Plug-in connected to the standard Internet browser.

*   A 3DAS™ Marker inside a plastic card issued to the user.

*   A secure tunnel created using SSL or the stronger 3DASä Tunnel.

The 3DAS™ Identification Architecture

A user connects to the Internet and logs on to the corporations web site. 

1.        The 3DAS™ Identity Server determines that a 3DAS™ reader is present and formats the log-on screen. 

2.        The user is requested to insert their 3DAS™-enabled Card.

3.        The user enters their first name and a 3DAS™ FastKey is generated.

4.        A log on message is prepared and sent to the server.

5.        The user is identified and authenticated

6.        A welcome screen is prepared and applications he has access to are presented

7.        The user selects what applications they wish to access

8.        Eventually a transaction entry screen “Form” is presented to the user

9.        The user fills in the form

10.     Upon completion of the form a 3DAS™ Signature is created

11.     The transaction is transmitted to the server

12.     The Server validates the 3DAS™ Signature

13.     The form is returned to the originating application for processing.

14.     The user continues to work.

Leveraging the tools described in Error! Reference source not found. Unicate can offer irrefutable authenticity of identify, irrefutable transaction integrity, user centric confidentiality, ease of use and mobility.

3DASä Reader & 3DASä Plug-in

The 3DASä Reader is a secure device designed to afford protection over all of its functions and to protect the PIN and the generation of the 3DASä Signatures.

The 3DASä Reader and its associated 3DASä Plug-in has been designed as a plug and play standalone device that is either attached to the UTP port or PCMCIA slot.  Where required, the 3DASä Reader can also be inserted into an empty slot of a 3˝-inch diskette drive.  This unit can be provided with an integrated chip card reader and when required fitted with a secure PIN pad.

Each 3DASä Reader is capable of allowing any client possessing a 3DASä Card to access the organization’s services.  This unique capability offers mobility to organization’s clients.

The installation is easy, the user plugs the 3DASä Reader in to the USB port, the Plug & Play routine identifies the reader and requests the insertion of the install CD.  The rest of the installation process is automatic.  The 3DAS™ Plug-in is loaded and communication to the 3DASä Reader and Internet is tested.

At this stage, the 3DAS™ Reader and Plug-in are ready.  Whenever the Browser is operational, the Plug-in awaits a request from a 3DAS™ Identity Server to do something.

3DASä Identification Server – ID Server

The 3DASä ID Server contains all of the security, logic and controls necessary to manage the organization’s 3DASä Cards, client authentication, 3DASä Readers and the controls necessary to assure irrefutability.

The 3DASä ID Server offers a transparent window to the organization’s applications.  Only using the user's first name[1] and a four byte 3DAS™ FastKey, user’s identity is protected from eavesdroppers while it transits through a public network.

 Recognizing that components of the total environment are constantly evolving, the overall architecture of the 3DASä solution will have the ability to upgrade the 3DASä Plug-in installed with the customers PC or software housed within the 3DASä Reader.  These functions are integral to the operation of the 3DASä ID Server. 

The 3DASä ID Server supports a secure database the “3DAS™ ID Profile” that links the 3DASä Card to the user.  In this profile the linkage between the card and the account numbers and passwords for those applications, the user has access to, necessary to access the existing legacy applications. 

The 3DASä ID Server will transparently add data and instructions used to communicate with the 3DASä Plug-in and 3DASä Reader.  The secure server will then transmit these modified HTML pages to the user's browser.  It will await response from the browser that will contain information for the application and from the 3DASä Plug-in.  The Server will extract those elements sent from the plug-in and act accordingly.  Assuming all is well, it will pass the application specific information to the appropriate application. 

Unicate’s approach allows the organization to augment security without having to upgrade or modify any of their existing legacy systems. 

As an additional benefit the 3DAS™ ID Server can be used to implement a consistent look and feel to all of the organization’s applications again without impacting the existing legacy applications.  The 3DAS™ solution is mobile, easy to use, secure and capable of assuring consistency of brand image.

The 3DAS™ ID Profile

For each user the 3DAS™ ID Server maintains a 3DAS™ ID Profile.  This profile contains the 3DAS™ Key, the first name & 3DAS™ FastKey, the proper name and other appropriate reference information.  It then contains a series of associated records that link the 3DAS™ Card to each of the applications this user is granted access to.  These records maintain any logon information or other static data needed to complete the log-on form.  Where corporate applications require periodic change of password, specific modules capable of executing password change will perform this function independent of the user.

When preparing the User’s 3DAS™ Card their database record is created.  The first action is to enter the 3DAS™ Key and other user specific reference information such as the first name.  During user initialization, the account number and password information of each application, the user currently has access to, is loaded into the database. 

The database requires routinely maintenance.  As new applications are made available or the user is no longer allowed access then the updates are made.  From an administrative perspective, by removing the user for the 3DAS™ ID Profile all access can be immediately restricted.

The User at Work

From any location, with a 3DAS™ Reader the user is assured of secure and irrefutable access to the partner, employer or vendor's systems.  All they need to do is enter the URL of the corporation.  The corporate server responds by sending it home page and including a message designed to determine if a 3DAS™ Reader is present.  Assuming the 3DAS™ Plug-in positively responded the 3DAS™ ID Server is passed control and prepares a log-on screen.

When the browser receives the login screen, it passes control to the 3DAS™ plug-in.  Through a 3DAS™ plug-in window the plug-in requests the user to enter their first name and optionally a PIN.  Using information contained in the log-on message, the first name, date and the time the plug-in prepares a Hash.  The PIN and the Hash are sent to the 3DAS™ Reader who responds by reading the 3DAS™ Card and returning a 3DAS™ Signature that includes the PIN.  This information is encapsulated in a particular format and returned to the server.

The 3DASä ID Server receives the message and uses the first name & 3DASä FastKey as the index to the user’s 3DAS™ ID Profile.    Employing the same mathematical function used to create the 3DASä Signature, the secure 3DASä ID Server authenticates that the 3DAS™ Card is registered and that the user knows the PIN.

Knowing that an authentic user with a registered and active 3DAS™ Card is present, the 3DAS™ ID Server employs the 3DAS™ ID Profile to produce an application selection page. By simply clicking on the application, the user selects application they wish to access.  The 3DAS™ ID Server prepares the necessary login message and connects to the application on behalf of the user.  The application then formats the queries, execution forms and information displays as it does today.  Upon receipt, the ID Server imposes the corporate look and feel to the page and sends it to the user’s browser. 

In the event the screen is requesting input of information that is of a transactional nature the 3DAS™ ID Server will also include a request to the 3DAS™ Plug-in to arrange to have the 3DAS™ Card sign the transaction. 

If the application is simply displaying data the 3DAS™ Plug-in is passive.  In the event that the 3DAS™ ID Server requested that the user’s response be signed, it awaits completion by the user and, just before transmission captures the data, prepares a Hash and requests the 3DAS™ Reader to read the 3DAS™ Card and sign the transaction.

The 3DAS™ Reader produces the 3DAS™ Signature and returns the 3DAS™ Signature and the 3DAS™ Unique Transaction Serial Number to the 3DAS™ plug-in.  The 3DAS™ Plug-in appends this information to the message and sends it to the 3DAS™ ID Server.  The ID Server is now in a position to validate the integrity of the message, the authenticity of the user and produce a log that can be used to assure irrefutability in the event of a dispute.

If the message is authentic and irrefutable, the 3DAS™ specific information is stripped off and the application receives the user input information as it originally request.

The application can now execute in the knowledge that the transaction is irrefutable, the source of the instructions are confidential, the user is authentic and the identity and the content of the message was sent unaltered by that particular user.

Data Confidentiality

Many services that corporations want to make available require that confidential information be transmitted to the user over the insecure Internet.  For most, this is an unacceptable proposition.  Several mechanisms are available to solve this problem.  Unicate recommend is that SSL be used, as the default option, given that it is already available in the browsers, is recognized by most users and offers a reasonable level of security.  In the event that the corporation wishes to introduce an enhanced level of security then both the 3DAS™ Reader and the 3DAS™ ID Server can be configured to support this much more robust means of assuring data confidentiality.

By employing 3DAS™, the user will have secure access to all corporate services.  The corporation will be safe in knowing that they have irrefutable proof of identity and of the instructions input by that particular user.  Furthermore, the solution is mobile and can operate from any 3DAS™ enabled mobile location capable of connecting to the Internet.

horizontal rule

[1] In the event that the user does not wish their name, it is possible to use any value the user wishes.