The WiKID Strong Authentication Server uses mainly JAVA-based server components and application components. The underlying database is PostgreSQL.
Components. The WiKID Strong Authentication Server contains a database of domains, devices, users and Protocol Modules. Additionally, the WiKID Strong Authentication Server also offers a web-based administrative utility for the management of these components.
- Domains. Each WiKID Strong Authentication Server can host multiple security domains. The security domain is intended to segregate users with respect to access and services. For example, Intranet access may be provided with one domain, partner Extranet access with another and public Internet (Website) access with a third. Separate security policies can be provided for each domain and access can be granted on a device/individual user basis. Unlike other two-factor systems, the client for each domain (the WiKID Client) is the same (see WiKID Clients). Upon creation, each domain generates a key pair for payload encryption within the passcode request/passcode reception process. These keys are the domain private key and the domain public key and are exchanged in the registration process.
- Devices. The cryptographic signature for each WiKID Client is stored within the WiKID Server and associated with a domain and user. The cryptographic signature is a 1024 bit-equivalent client public key as generated in the registration process (see Registration Process later in this document). This strong, asymmetric encryption key is generated on the device and serves to identify a valid device within the security domain and to provide payload security during the reception of passcodes. The device also receives, stores and utilizes the public key of the WiKID Strong Authentication Server server which is provided by the server during the registration process.
- Users. The WiKID Strong Authentication Server stores named users and associates each user with a device and a security domain. This process allows for login within a network service, whether it is via a RADIUS-based VPN, secure website or any other service that is provided by a Network Client (See Network Clients below).
- Protocol Modules. For the WiKID Strong Authentication Server to communicate with a Network Client, the server must have the appropriate Protocol Module installed and configured. Currently, the server supports the following Protocol Modules:
- WiKID Authentication Protocol or WAUTH
- Remote Authentication Dial In User Service or RADIUS. (The commercial WiKID Strong Authentication Server uses a proprietary radius server, which had to be removed.)
- LDAP version 3
- TACACS+ (From Cisco Systems)
- WAUTH. WAUTH is an encrypted protocol for the verification of passcodes from certain Network Clients. WAUTH is more secure than RADIUS due to client certificate authenticated SSL transport, but it requires use of a WiKID Application Component to be implemented within a Network Client. Typically, the component is a JAVA bean or COM component that can be integrated into a website, a web application, a client-server application or as a forwarding service within an LDAP service.
- RADIUS. RADIUS is a standard TCP/IP-based service for authorization and access control. The RADIUS protocol is detailed within Internet Engineering Taskforce RFC 2865 with additional information provided by RFC’s 2866 to 2869. The RADIUS protocol is, as noted, less secure than WAUTH since it utilizes a MAC encoding of the packets within the protocol exchange. WiKID recommends that RADIUS/TACACS+ be used only on trusted networks, e.g., corporate Intranets, or to support standard VPN and dial-in clients. RADIUS is supported by Microsoft’s RAS, Cisco’s routing and firewall software as well as by most of the terminal and PPP device makers. The WiKID Strong Authentication Server fully supports RADIUS authentication and less fully RADIUS accounting and proxy features.
- LDAP. WiKID support the use of authenticated LDAP bind commands to validate passcodes. This is provided via OpenLDAP integration with the WiKID WAUTH client.
- TACACS+. TACACS+ is an older protocol provided by Cisco systems. It has generally been superseded by RADIUS and is provided for backward compatibility with existing customer environments. v.Administration. WiKID provides a fully web-enabled administration system to create, modify, enable and disable each of the components noted in this document (see Administration Details in this document for more details).