
Avatar

Behind the WebConnect Curtain


WHAT HAPPENS WHEN WE RE-SYNCH A TOKEN

WebConnect: What is the Key?


WebConnect uses a Public/Private secure key system. Some of the information required to log in is Public (sent out over the unencrypted public Internet) and is easy to lose control of (easily stolen, guessed, intercepted, etc.), and some is Private (hard to guess, duplicate, or steal; sent partially or totally encrypted).

Public Key
The WebConnect User Name and Password are Public Keys. They are easily:
o Stolen
o Copied
o Guessed
o Intercepted

They are static; they don't change often. If they were intercepted 2 weeks ago, there is a very good chance that they have not been changed.

What makes them Public Keys is that they are sent unencrypted over the Internet.

Private Key


The Private Key is the number generated by the WebConnect token. It is a secret that only the Token and the WebConnect Server know. It is self-encrypted: even though it is sent over the public Internet, it starts out encrypted. It changes every few minutes. It is impossible to guess. It displays a numeric series different from that of any other security token.
It is a Private Key because it is sent encrypted over the Internet.

Public and Private


Both Public and Private keys are required to log onto WebConnect. This confirms the identity of the user and allows a secure Virtual Private Network (VPN) to be established and opens a port to the Avatar system.

When the token is out of synch...


The number displayed on the token is generated by a complex algorithm which resides on both the WebConnect Server and the Token. At a pre-assigned time (the token is like a watch) the next number in the series is displayed. Since the number is known by both token and server, it gets out of synch when the token clock differs from the time on the server.

What causes being out of synch?


Since the token is a watch, small errors in time calculation are possible. A dead or dying battery could cause the time to be inaccurate. If the battery is weak, hitting the display key over and over again could draw enough power to cause the time to be off.

Re-synching a Token


When we re-synch, we are adjusting the timing of the token. Since the series of numbers is calculated on both the Server and Token, re-synching tells the token when a certain number series will appear.

What we don't see on the token...


The number we see on the display is a portion of the result of a complex algorithm. This can be a huge number. The 10 digits we see on the token display are only a small part of that number. The certificate algorithm SHA1RSA, for example, allows for a result that is over 18 Quintillion digits long [Million, Billion, Trillion, Quadrillion, Quintillion]. So in reality, without the formula it is almost unthinkable to identify the series by using the numbers displayed on the token to calculate a pattern. In theory one would have to take several tens of thousands of numbers from the sequence to begin to construct the algorithm to calculate the next number. As for guessing, it is statistically easier to select the winning lottery numbers than it is to guess the next number in the sequence (1 in 10,000,000,000; 10 Billion).

18 Quintillion: 42,352,941,176,470,590 (42 Quadrillion)

[Slide figure: the number written out in full with hundreds of trailing zeros, to show its size.]


Re-synch at the Server is Successful!

The Server generates:

Time   Number
09:21  ...96980230988986
09:22  ...39022346885386
09:23  ...89564687998456
09:24  ...54446576643290
09:25  ...65892887839398
09:26  29823587869045

Token Display   Token Time
4687998456      09:21
4687998456      09:21
4687998456      09:21
6576643290      09:22
2887839398      09:23
3587869045      09:24

Re-synch starts by matching up the number on the Token Display to the Server-generated one. Then the Server Time is updated to match the Token Time. The Token then continues to the next number in the Series at the correct time, and the remainder of the Server Times are updated.
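The re-synch procedure above, as an added simulation that is not WebConnect's own code: the real per-token algorithm is not on the page, so HMAC-SHA1 over a minute counter stands in for it, the token shows the last 10 digits of the full result as the slides describe, and the server searches an assumed window of 5 minutes either side of where it expects the token to be, then records the drift so later logins line up. All seeds and clock values are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass

DISPLAY_DIGITS = 10   # the token shows 10 digits of a much larger number
WINDOW = 5            # assumed: minutes searched on each side during re-synch

def series_number(secret: bytes, minute: int) -> int:
    # Stand-in for the per-token algorithm (not WebConnect's real one):
    # HMAC-SHA1 of the minute counter under the token's secret.
    digest = hmac.new(secret, minute.to_bytes(8, "big"), hashlib.sha1).digest()
    return int.from_bytes(digest, "big")

def token_display(secret: bytes, minute: int) -> str:
    # Only the last DISPLAY_DIGITS of the full result appear on the display.
    return str(series_number(secret, minute))[-DISPLAY_DIGITS:].zfill(DISPLAY_DIGITS)

@dataclass
class TokenRecord:
    secret: bytes
    drift: int = 0    # token minute minus server minute, learned at re-synch

def check_and_resynch(record: TokenRecord, displayed: str, server_minute: int):
    """Return the offset (in minutes) at which the display matched, or None.
    A match inside the window updates record.drift, which is the re-synch:
    the server now labels its series with the token's time."""
    if len(displayed) != DISPLAY_DIGITS or not displayed.isdigit():
        return None
    base = server_minute + record.drift
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = token_display(record.secret, base + delta)
        if hmac.compare_digest(candidate, displayed):
            record.drift += delta
            return delta
    return None

def demo():
    secret = b"constructed-demo-seed"        # constructed, not a real token seed
    record = TokenRecord(secret)
    drift = 2                                 # constructed: token clock 2 minutes ahead
    server_minute = 9 * 60 + 21               # 09:21, as on the slide
    shown = token_display(secret, server_minute + drift)
    first = check_and_resynch(record, shown, server_minute)      # matches at +2
    shown_next = token_display(secret, server_minute + 1 + drift)
    second = check_and_resynch(record, shown_next, server_minute + 1)  # now 0
    return first, second, record.drift
```

A display that matches nowhere in the window (wrong token, or drift larger than the window) returns None and leaves the stored drift untouched, which is the case that needs a manual re-synch by the analyst.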

Setting up the Token


A WebConnect Analyst creates an entry on the WebConnect Server for each token issued.
The entry has the token serial number and the User Name and initial password for each WebConnect user. An algorithm is created at this time. It can be created using some part of the user's identifying information in order to make the algorithmic series unique from all others. Once the algorithm has been created, both Server and Token are synched so that they display the same series of numbers at the same time, and the token is sent out to the client.

WebConnect closing:


WebConnect is a way to ensure that the identity of the person logging into Avatar remotely has been verified.
The VPN tunnel created by WebConnect exists only as long as the client is logged into WebConnect. Disconnecting from WebConnect will close the tunnel, and any open application utilizing the port will also close. The WebConnect server will not allow multiple open sessions for the same user. So, if another client attempts to log into WebConnect using someone else's User Name, Password and Token, any other open WebConnect session will close before the new session is allowed to open. Although it is tempting, clients should never be advised to use someone else's WebConnect to access Avatar remotely.

The alternative is that clients should be advised to complete the WebConnect self-service website to protect themselves against misplaced or malfunctioning tokens.


Thank You!
