Apr 09, 2009
Toppan Printing and N-CRYPT launch sales of Dynamic OATH Premier, a real-time continuous authentication system with extremely high security
Toppan Printing Co., Ltd. N-CRYPT, Inc.
Toppan Printing Co., Ltd. (hereafter Toppan Printing; Head office: Chiyoda Ward, Tokyo; President & CEO: Naoki Adachi) and N-CRYPT, Inc. (hereafter N-CRYPT; Head office: Yokkaichi, Mie Prefecture; President & CEO: Takatoshi Nakamura) have jointly developed Dynamic OATH Premier, a real-time continuous authentication system with extremely high security. Sales will be launched from April 10, 2009, targeting internet-based financial services that require high levels of safety such as net banking and online securities trading.
This system adapts Dynamic OATH, the world’s first real-time continuous authentication system, developed by N-CRYPT, for financial services. By combining N-CRYPT’s authentication technology with the know-how that Toppan Printing has developed in its security business for financial institutions, it offers high security while reducing the workload and cost of introduction.
Background
In recent years, cases of damage caused by unauthorized use in net banking and shopping have increased overseas, and there is concern that they will also increase in Japan.
An MITM attack (*1) is a method of unauthorized access that is receiving attention. Specifically, a third person inserts themselves into the transmission between a server and a client that has finished the authentication process. The authentication process itself usually completes normally; after that, the information being transmitted is illegally obtained and diverted. This method of attack targets a weakness that almost all authentication methods have, i.e. that "authentication of the person is only performed at the time of communication connection and time of processing".
With previous internet-based authentication systems, user authentication was only performed when the ID and password were sent to the authentication server at the start of communication or when a specific process was being performed. Communication then took place on the basic assumption that the user accessing the server was the correct one. For this reason, it is not possible to completely eliminate MITM attacks with previous authentication methods, and demand has risen for an authentication system that can protect systems from this kind of attack.
In order to construct a safe system for financial institutions that can eliminate MITM attacks, "Dynamic OATH Premier" has been developed using the technology of "Dynamic OATH", the world’s first real-time continuous authentication system, which was developed by N-CRYPT. With Dynamic OATH Premier, a one time password (*2) system compliant with the OATH (*3) international standard has been used to establish an encrypted communication line between client and authentication server that cannot be infiltrated by a third person. By maintaining confidentiality of communication whilst constantly monitoring the connection, infiltration into the communication by a hacker is prevented and safe communication can be performed over the internet.
*1
An MITM (Man-In-The-Middle) attack is one in which a third party enters a communication between two parties and, without the two parties noticing, reads or discloses the details of the communication by replacing the information exchanged between sender and receiver with their own.
*2
A one time password (OTP) is a code number or password whereby the string of characters changes with each use. Since the same password cannot be used twice, it is also called a "disposable password".
An OTP system consists of an "OTP generating terminal" that creates a disposable password and an "authentication server" that performs authentication. As the password changes according to a certain rule that is only known to the authentication server and the user, the authentication server is able to confirm whether the user has input the correct password or not. Security is tight since, even if the password is stolen by a third party, the system cannot be accessed with the same password a second time.
*3
OATH (Initiative for Open AuTHentication) is an international organization that is engaged in the research and development of various authentication technologies including one time passwords. As a member company of OATH, N-CRYPT undertakes the development of one time password products meeting this standard.
The special features of Dynamic OATH
Dynamic OATH builds on previous one time password authentication: important communication data is encrypted using a one time password generated separately from the one time password used for authentication. Since a one time password is used and communicated data is encrypted, it is possible to eliminate damage such as modification of data during transmission and the leaking of passwords.
[Figure: Communication image. Copyright 2009 TOPPAN PRINTING CO., LTD.]
1. When the connection is started, the client and server are verified with the OATH compliant one time password authentication. (OTP 1 in the diagram)
* At this point, a mobile phone can be used as the password terminal on the client side.
2. Using a one time password separate from the one used for authentication (OTP 2 in the diagram), an encrypted communication line using N-CRYPT’s technique is established, making infiltration by a third person between client and continuous authentication server impossible. This encrypted communication line is established on existing lines, and a separate line is not necessary. Reading by a third person is not allowed due to N-CRYPT’s original "Vaporization Key®(*4)" technology.
3. While communication is taking place between the client and server, using the encrypted communication line, mutual authentication continues with an optimal cycle matched to applications. (Real-time continuous authentication) If a third party does infiltrate the communication, the continuous authentication server will detect this and immediately cut off the communication between client and server. (Prevention of information modification by MITM attack)
*4
"Vaporization key®" is an original encryption key system developed by N-CRYPT. Its special feature is that new encryption keys are continually generated and used for authentication and encryption, and after use the encryption key is erased and reading by a third party is impossible. It has already been adopted by the Ministry of Internal Affairs and Communications, financial institutions and companies and is receiving high praise as an encryption key technology with robust security.
Reference price
License cost: Approximately 100 million yen per year for 1 million users.
*Separate initial costs and hardware costs are necessary.
Sales target for FY2009
500 million yen (Introduced at 3 companies, 5 million users)
*Including this service and related services
Future developments
Toppan Printing and N-CRYPT will expand sales of this system for Toppan Printing’s existing customers in the financial industry and cooperate to develop new customers. In anticipation of client companies’ needs, a solution will be provided whereby Dynamic OATH Premier is included in a built-in board with a standard PC interface.