Q. What is Protiva?
A. Protiva is a packaged offer of enterprise security solutions. It enables two-factor authentication to protect network identities and information. Today, the Protiva offer is made of two main components: the Protiva Strong Authentication solution and the Protiva .NET solution. Both solutions rely on smart card technology, which over decades has proven its security robustness, use of open standards, interoperability and ease of use in massively deployed applications such as banking and mobile telephony. Gemalto has applied this expertise to the problem of managing network identities. Protiva protects identities, defends against phishing attacks and takes information system security to the next level.
Q. When will Protiva be available?
A. Protiva is available now.
Q. Why is there a need for this product?
A. The recent rise in phishing attacks and identity theft has increased the need to protect online identities. Protiva protects identities and, when used in the connected mode, defends against phishing attacks by detecting fraudulent sites. When the Protiva device is directly connected, typically via USB, it offers the convenience of sending the user's network identification credential to the authenticating server automatically, without manual input; all that is required on the PC is a client browser plug-in.
Password resets are typically one of the largest drains on help-desk resources. They are neither an acceptable solution for regulatory compliance nor an effective counter to internal and external threats. With Protiva, an external device – a smart card – is used for two-factor authentication security.
Q. Why is two-factor authentication beneficial?
A: Two-factor authentication greatly enhances network security by combining something the user has, such as a personal device, and something the user knows, such as PIN code. Gemalto uses these elements with Protiva to form a unique combination that someone must have to connect to the network.
Q. Why are smart cards secure?
A. Smart cards feature a small embedded chip which operates as a "mini-computer" that not only securely stores data but also can process information and react to its environment. These features give smart cards the unique ability to provide secure, portable access to personalized services while protecting each user's privacy and identity.
Q: What does the Protiva range of solutions consist of?
A: The Protiva offer is made of the Protiva Strong Authentication solution and the Protiva .NET solution. Each one consists of a range of security devices offering multiple authentication methods with various form factors. Organizations deploying Protiva can choose between full-sized smart cards or small "cardlets", which are small cards about the size of a postage stamp. Cardlets are what put the power of a smart card in Gemalto's Smart Card Enabler (SCE) token devices.
Q. Where can Protiva be used?
A: The Protiva offer brings end-to-end solutions that provide the flexibility to securely establish a user's network identity at home, at work or on the road. Therefore, Protiva devices have been designed for use in either stand-alone or connected modes.
Q: How does Protiva Strong Authentication work in stand-alone mode?
A: When used in stand-alone mode, the user simply presses a button on the thumb-sized Protiva Strong Authentication device. The built-in display then shows an eight-digit one-time password, which the user enters directly into the remote network application via keyboard, or via a PDA or telephone keypad.
Q: How does Protiva work in connected mode?
A: When the Protiva device is directly connected, typically via USB, the user network identification credential is sent to the authenticating server automatically without manual input. In the connected mode, the Protiva solution provides protection against phishing by detecting fraudulent sites.
Q: What markets does Gemalto serve with this product?
A: Gemalto, with its global network of solution partners and system integrators, will bring Protiva to enterprises, financial institutions and e-commerce portals.
Q: How does this product benefit financial institutions?
A: With Protiva and the power of smart card technology, financial institutions will protect both users and business assets by eliminating the vulnerabilities of passwords and creating a trusted network environment.
Q: How does this product benefit the enterprise?
A: Use of Protiva will allow enterprises to ensure that employees can securely access company information and networks both locally and remotely.
Q: How does this product benefit healthcare providers?
A: With Protiva and smart card technology, healthcare providers benefit from fast, secure and mobile access to their systems. That saves precious time for their patients and enables them to comply with industry regulations on patient record privacy.
Q: Can any other smart card applications be used with Protiva?
A: Because Gemalto's proven smart card technology is the core of the new product line, virtually any traditional smart card application is compatible with Protiva including public key infrastructure (PKI), single sign on and contactless physical access.
Q: What standards does Protiva support?
A: Gemalto's Protiva suite supports internationally recognized standards such as Universal Serial Bus (USB), ISO 7816, Open Platform and Java Card. In addition, Protiva supports the U.S. Federal Information Processing Standards (FIPS) and Common Criteria certifications. Protiva is also compatible with the Open Authentication (OATH) specification for one-time passwords (www.openauthentication.org). Over time, Gemalto plans to extend the Protiva suite to other industry authentication standards.
Q: Why is it beneficial to adhere to such standards?
A: Adherence to recognized standards such as these ensures interoperability, lower costs to implement and maintain and compatibility with future platforms.
Q: Does Protiva position organizations for better compliance with financial regulations?
A: Regulations such as Sarbanes-Oxley in the United States, Loi de Securite Financiere in France, Tabaksblatt in the Netherlands, etc. put strong requirements on financial reporting for publicly traded companies. Similar requirements have been put on health, government and social security programs with the Health Insurance Portability and Accountability Act (HIPAA) in the United States, Commission Nationale Informatique et Liberté (CNIL) in France, etc.
Gemalto applied its expertise and experience with microprocessor cards and their applications to create a product that would bring the convenience of cost-effective personalized security to these domains. Using Protiva can help these sectors to meet requirements by providing security and privacy-sensitive access to information.
Q: Who is using smart cards?
A: In the federal government, the Department of Defense (DoD) uses smart card technology for the Common Access Card (CAC). Gemalto is a prime supplier of smart cards to the DoD. The U.S. federal government expects to expand its programs to issue smart cards for strong authentication and as highly secure identity credentials, and is moving closer toward the goal of a common identity credential for both physical and logical access control across all of its branches.
On the corporate side, Microsoft and Sun are just two prominent corporations that chose an innovative path to cut costs while executing successful security control and management with Gemalto smart cards.
Smart cards are also being used for travel and border security. Various projects are under way that use smart cards to ensure secure and efficient control procedures while enabling faster clearance at the same time. US-VISIT and the Registered Traveler program are two very efficient initiatives that showcase the potential of smart card technology – Gemalto is a partner in two of the major projects.
Q: Is a server required for this application?
A. The Protiva Strong Authentication solution comes with a validation server/authentication server and a choice of security devices.
Q: What are Phishing and Pharming?
A. Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.
Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.
Q: How do Protiva solutions bring more security than traditional passwords?
A. Passwords are called single-factor or 1-factor authenticators. This is because passwords only involve "something you know". If someone were to discover your password, they would be able to gain access to anything protected with that password.
Smart card authentication devices are called dual-factor or 2-factor authenticators. To use an authentication device, you must have the smart card device itself (something you have) and must know the correct PIN (something you know). If attackers were to get access to your authentication device, it would be of no use to them unless they also knew your PIN. Similarly, if the attackers were to discover your PIN, it would be useless to them unless they also had your token.
The Protiva solutions use this concept as the simplest solution set for two-factor authentication, and can then extend as far as authenticating the server that asks for the password, thus entering the realm of mutual authentication.
Q: What are the three most common authentication factors?
- Something you know, such as a password or a PIN
- Something you have, such as a smart card security device
- Something you are, such as your voiceprint or fingerprint
Q: How does an OTP solution work?
A. There are two main categories of OTP solutions: time-based or event-based.
In both cases, the smart token and the validation server share the same secret.
In the case of time-based OTP, the smart token has its own internal clock. The validation server also has a clock that maintains the current time. When the server receives a password, it independently takes the current time, combines it with the secret key, and performs the same cryptographic computation as the token. If the password received from the token matches the password generated by the server itself, access is granted.
In the case of event-based OTP, the smart token and the validation server use the same counter. When the server receives a password, it independently takes the current counter value, combines it with the secret key, and performs the same cryptographic computation as the token. If the password received from the token matches the password generated by the server itself, access is granted. The counter value increments each time an OTP is generated.
Q: Is the solution proposed by Gemalto Time-based or Event-Based?
A. Gemalto has implemented the OATH algorithm and can also work with the EMV algorithm. Both these algorithms are event based.
Q: What is OATH?
A. OATH stands for Open Authentication Initiative. OATH was announced in Feb 2004 at the RSA Conference in San Francisco. OATH aims to expand the market for strong, interoperable authentication by developing industry standards that leverage existing technologies and standards.
Q: What did OATH specify so far?
A. OATH defined HOTP, an algorithm for a Hashed Message Authentication Code (HMAC) One-Time Password. HOTP applies the SHA-1 hash function, as an HMAC, to a secret key shared between a smart token and the validation server, producing unique passwords for sequential use.
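The following is an added illustration of the event-based HOTP scheme described in the two answers above; it is not code from Gemalto or the Protiva product. It assumes the eight-digit codes the FAQ mentions, uses the RFC 4226 test secret as a constructed shared secret, and assumes a server look-ahead window of five counter values (the FAQ does not state one) so that button presses never submitted for login do not permanently desynchronise token and server.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Event-based token: each button press consumes the next counter value."""

    def __init__(self, secret: bytes, digits: int = 8) -> None:
        self.secret, self.digits, self.counter = secret, digits, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


class ValidationServer:
    """Holds the same secret and its own copy of the counter. Because the user
    may press the button without logging in, the server accepts a small
    look-ahead window (assumed: 5) and resynchronises on a successful match."""

    def __init__(self, secret: bytes, digits: int = 8, look_ahead: int = 5) -> None:
        self.secret, self.digits, self.look_ahead = secret, digits, look_ahead
        self.counter = 0

    def validate(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                self.counter = c + 1  # a matched counter can never be reused
                return True
        return False


def demo() -> tuple:
    """A login, a replay of the same OTP, a small drift, and a drift past the window."""
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    token, server = Token(secret), ValidationServer(secret)
    first_ok = server.validate(token.press())      # counter 0 on both sides
    replay_ok = server.validate(hotp(secret, 0))   # same OTP again: rejected
    for _ in range(2):
        token.press()                              # presses never submitted
    drift_ok = server.validate(token.press())      # counter 3, inside window
    for _ in range(7):
        token.press()                              # counters 4..10 burnt
    far_ok = server.validate(token.press())        # counter 11, beyond 4..9
    return first_ok, replay_ok, drift_ok, far_ok
```

The rejected replay shows why an intercepted OTP is worthless after use, and the last case shows why a token that has drifted too far must be resynchronised through the server's administration tools rather than accepted blindly.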
Q: Do I have to pay anything to use this algorithm?
A. No, there is no fee required to use the OATH algorithm.
Q: Is Gemalto a member of OATH?
A. Yes, Gemalto is part of OATH, as well as other key industry leaders and more than 40 companies.
Q: Where can I find more information about OATH?
A. You can visit OATH's web site: www.openauthentication.org.
Q: What are the differences between OATH, EMV, and CAP?
A. Each is a different specification. OATH uses an HMAC-SHA-1-based algorithm to generate the OTP, whereas EMV and CAP use a 3DES-type algorithm to generate the OTP. CAP is the MasterCard-specific implementation.
EMV/CAP will probably be used by banks that already issue EMV cards and have an EMV backend for transactions.
Q: Will Gemalto OTP solutions work with all Gemalto cards?
A. The OATH algorithm is developed as a Java applet today and will thus work with all cards that can support Java applets. The EMV algorithm will work on any banking card from Gemalto (the most common choices are e-galleon and Palmera).
Q: Will Gemalto OTP solutions work with all GSM handsets?
A. Yes, they will.
Q: Does Gemalto also provide the server?
A. Gemalto will not develop any AAA authentication server, as this is not Gemalto's core business. But Gemalto will develop a server agent that plugs into existing AAA or IdP authentication servers.
Q: What are AAA and IdP servers?
A. These are different kinds of authentication/validation servers. (AAA stands for Authentication, Authorization and Accounting).
Q: What kind of server is required? A simple windows platform? Or Unix?
A. The Strong Authentication server developed by Gemalto works on Windows 2003 Server, Windows XP and Red Hat Linux.
Q: When will I use my OTP application?
A. When logging into a resource, users will be asked to enter their user ID and password. But instead of entering a static password, they will enter the password generated by the smart card, which is either displayed on the device in the unconnected mode or automatically filled into the appropriate field by an application on the computer in the connected mode.
Q: Do I need to download additional software to my computer for the applications to work?
A. If you are working with a device that can display the one-time password on its own screen, then you do not need any additional software to be downloaded. This is the unconnected mode. In the case of the connected mode, the smart card device is connected to the PC either through the USB port or a smart card reader and you do need a small application on the host computer.
Q: How do I obtain the application for the computer?
A. The application can be obtained via a CD, floppy or downloaded from a web-site.
Q: What is the Size of the OTP applet?
A. The applet is 7k, for the package and instance.
Q: Can an EMV banking card be used as the token, with the OTP applet loaded and accessed via the SCA 350 or 370 devices? If so, which of our cards?
A. Palmera and e-galleon with the EMV/CAP implementation.
Q: If using the OTP applet on a mobile phone SIM, will it work with any handset?
A. Any handset that has a STK (SIM Toolkit).
Q: Which of the Gemalto SIM/USIM products does the applet work with?
A. Simera (any card accepting a Java applet)
Q: What is the expected model by which the applet is loaded into the SIM: OTA? SIM replacement?
A. This is up to the mobile operator. Either one would work depending upon if they have an OTA platform or not.
Q: Are any third-party backend OTP servers supported? If so, which ones?
A. Generally speaking, OATH and EMV/CAP are both standards. If the back-end in question is implemented as per the specs, and the devices/smart cards and the servers have the correct seed, the system is interoperable. For example, we have tested our applet with Verisign and found it interoperable with their OATH Unified Authentication back-end.
Q: What is the integration interface between the authentication server and the OTP backend?
A. Authentication server = AAA server. The integration interface between the authentication server and the OTP backend is HTTP/HTTPS.
Q: What is involved in backend implementation?
A. A database is needed (such as Oracle, MS SQL, MySQL or LDAP), a hardware HSM if desired, an application server (such as Tomcat, WebSphere or WebLogic) and a Java run-time.
Q: What are the features of the OTP backend server, in terms of logging, auditing, account management, external APIs, etc.?
A. The server has a Customer Care Admin Portal to manage all the information/data needed for the operation of the server (user, device, policy, keys, role management, transactions (logs, audit)). No external APIs are planned for the time being. We plan to provide a Web Services API as part of a future release.
Q: How many maximum total users can the backend support?
A. No limitation from the authentication server software side.
Q: What is the maximum simultaneous user authentication rate that the backend can support?
A. This depends on the hardware and software (like the web server, DB, etc) used and the configuration for the same. The hardware limitation can come from the HSM hardware or the server hardware itself (like RAM, hard drive, CPU speed, etc). We plan to have some performance testing/benchmarking done on a reference platform at the time of release.
Q: How is the backend scaled up in terms of the above two considerations?
A. As mentioned above, we do not really control the infrastructure configuration. Performance can be improved by using faster hardware and an application server such as WebSphere or WebLogic instead of Tomcat.
Q: How is redundancy/failover handled in the backend? What is the expected availability of the backend?
A. Redundancy and failover are not taken care of by the Gemalto authentication server module. We expect that this is done by or above the Web/Application server.