Technology Advantages
TrustAlert technology is based on OpenSSL, giving you the certainty that your Certificate Authority technology is robust and has been verified by well-known experts.
Our solution automates the roll-out of client certificates based on your existing network identity store and preferred user authentication method. Using your own identity store requires no changes to your current user management. Automating certificate roll-out means you will not spend any time on certificate creation, installation or replacement.
All of TrustAlert’s solutions are based on proven standard technology and RFCs and are thoroughly tested by security experts active in the field of hardening operating systems and ethical hacking.
Thanks to our unique on-demand, short-lived, X.509v3-compliant client-side certificates, you can be certain that any client certificate in use is valid and contains your user's most up-to-date information. You save a lot of time by not having to worry about certificate revocation.
Centralized key escrow (recovery) finally becomes possible because the key material is generated on the appliance instead of on your user's device.
Being able to bind your users to a single trusted, company-managed device, or to a pool of such devices, significantly reduces your network security risks.
You are free to choose whether to make use of an existing CA tree, or create a dedicated one. Whichever choice you make, the user experience will remain highly positive.
A Brief Summary
At its core, the main function of the TrustAlert Controlled Access solution "RESEPT" is to create on demand, send, and automatically install a time-limited X.509v3 client certificate for any requesting valid user.
Standard functionality available in your network hardware makes it possible to allow access only to users who hold a valid client certificate issued by your own and/or your partner’s certificate authority.
Servers already make use of SSL certificates. Standard, normally dormant, functionality allows for a highly secure two-sided (mutually authenticated) SSL-encrypted tunnel between your corporate network and your user.
RESEPT Functionality
TrustAlert’s RESEPT solution consists of two parts: the user client and the appliance.
User Client
By default the user client can be branded to fit any look and feel you wish.
The RESEPT user client is OS-dependent and is currently available as either an installer or an API for several platforms, including Windows XP (32/64-bit), Windows Vista (32/64-bit), Mac OS X, J2ME-capable mobile phones, Google Android, etc.
Should your user need a client certificate to securely access any of your online resources, all the user needs to do is start the RESEPT client. This happens either manually or by visiting a predefined URL (e.g. your company portal), which triggers the user client automatically when no valid client certificate is available.
Once the user client has started, all the user needs to do is enter their authentication details (e.g. username/password, token details).
The user client uses a TrustAlert patent-pending secure connection solution, safeguarding the authentication credentials from the moment the data leaves the device. The credentials sent by the user client also include a unique device signature, as well as the result of the reverse DNS lookup of the predefined URL.
Once the RESEPT appliance has verified all the credentials sent, the newly created client certificate is sent back over the same secure connection to the user client. The user client installs the certificate in all appropriate certificate stores and then terminates.
Since the user client contains no secret information, your company runs no risk should the user client somehow become public.
Appliance
The RESEPT appliance has been designed to deliver on-demand created certificates for millions of users at a rate that can comfortably keep up with the speed of the back-end identity store.
Although a single appliance may suffice functionally, redundancy is easily achieved by adding more appliances. Since the appliance's functionality is split over several daemons, the solution can also be scaled by having each appliance perform only one daemon function.
When a remote syslog server is used, no file system changes occur on the appliance once it has been configured. As a result, frequent backups of the appliance data are not needed.
The appliance will send an X.509v3 certificate only when all of the following criteria are met:
The authentication credentials are correct.
The hardware signature is correct (this check is optional).
The IP address of the predefined URL as resolved locally by the appliance matches the one resolved by the user client.
A unique private key and its corresponding public key are generated on the fly and sent securely to the user client. Once sent, the private key is either immediately discarded from the appliance, or kept in a secure environment for key roll-over or key escrow purposes.
By default, 1024-bit RSA keys are configured for the client certificates, and 2048-bit RSA keys are configured by default for the CAs.
The identity store returns parameters (such as Organizational Unit, time to live, etc.). When a parameter is omitted, the appliance's default setting is used for client-side certificate creation.