Frequently Asked Questions for Security Officers
How does P-Synch® improve security?
P-Synch improves the security of authentication processes:
- A global password policy ensures that no passwords are easily guessed, and all passwords are regularly changed.
- Password synchronization helps users to remember their passwords, rather than writing them down.
- Strong authentication ensures that users are properly authenticated prior to a self-service or assisted password reset.
- Delegation allows help desk analysts to reset passwords for users without having administrator credentials on managed systems.
- Extensive audit logs create accountability for password resets.
- Encryption ensures that no sensitive data are stored or transmitted in plaintext.
How does P-Synch authenticate users?
Users authenticate as follows:
- On a web GUI:
  - By typing their current password to a trusted system (for example Windows / Active Directory, OS/390, RADIUS, etc.).
  - By answering a set of system-selected personal questions, whose answers may either be stored inside the P-Synch server or validated against an existing system (Oracle, LDAP, mainframe and so on).
  - Using a security token (e.g., SecurID pass-code or other device).
  - Using a PKI certificate or smart card.
- Using a telephone:
  - By keying in one or more personal identification numbers (e.g., employee number, date of hire, driver's license number).
  - By matching a voice print sample taken at the time of authentication against a previously recorded sample on file (biometric voice print verification).
Moreover, if the user decides to call the help desk, then P-Synch can be configured to have the support staff authenticate the user via the user's Q-A (Question-and-Answer) profile before the user is helped.
Administrators (IT staff) authenticate to the web GUI as follows:
- By typing a current network OS or directory password.
- By typing a password and validating it against a password hash stored inside P-Synch itself.
- Using a security token (e.g., SecurID pass-code or similar).
- Using a PKI certificate or smart card.
Multiple authentication factors may be configured as required.
How does P-Synch get challenge/response data for non-password authentication?
Users can authenticate to P-Synch via challenge/response, where the data is stored either in the P-Synch identity cache or on an existing system (e.g., Oracle, LDAP, mainframe, etc.). If the data is stored in P-Synch, it is normally encrypted using 128-bit AES under a server-designated 128-bit key, and P-Synch uses its own methods to retrieve it.
If the data is stored on an existing system, P-Synch runs a plug-in program to retrieve and validate the data when it is required. Out of the box, P-Synch comes with a plug-in that can retrieve questions and answers from an LDAP directory or AD, and another that works with SQL Server.
Can one user "claim" another user's login ID?
To claim another ID in P-Synch, the user must supply both the ID to be claimed and the current password for that ID. Consequently, a user can only attach someone else's ID to his own profile if he already knows that ID's password -- i.e., this reflects a security compromise that has already happened. The process to register or "claim" user IDs in P-Synch is as follows:
- P-Synch web server: prompts the user for his network login ID.
- User: types his network login ID.
- P-Synch web server: prompts the user for his current NOS password.
- User: types the current password.
- P-Synch web server: validates the password against the indicated system. If authentication fails, the prompt is repeated; too many failures trigger a lockout.
- P-Synch web server: displays a profile of the login IDs / accounts already attached, and prompts for an additional ID and password.
- User: types his login ID and current password for a system that does not yet appear on the list. Note: the user does not explicitly specify which system the login ID is for.
- P-Synch server: finds instances of this ID on the network, using the previous night's inventory list; eliminates IDs that are already attached to a profile; tries to connect to each remaining system with the ID/password the user entered; for each system where the login succeeded, adds the ID to the user's profile; then discards the password.
- P-Synch web server: notifies the user of success or failure. The claim step is repeated as necessary.
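The claim flow above, worked through as a small simulation. This is an added example, not P-Synch code: the nightly inventory, the credential store behind `try_login()`, the `Profile` structure, the `ASSIGNED` registry and the `MAX_FAILURES` lockout threshold are all constructed stand-ins for what the real server obtains from the managed systems. It shows the two properties that matter for the question: the user never names a system, and nothing is attached unless the supplied password actually logs in there.

```python
"""Simulation of the P-Synch "claim ID" flow (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-in for "the previous night's list": which login IDs were
# seen on which managed systems during the last inventory run.
NIGHTLY_INVENTORY: Dict[str, List[str]] = {
    "jsmith": ["ad", "unix-hr", "oracle-fin"],
    "jsmith2": ["ad", "unix-hr"],
}

# Constructed stand-in for the managed systems' own credential checks.
# The real server attempts a login; a dict lookup plays that role here.
_SYSTEM_CREDENTIALS = {
    ("ad", "jsmith"): "Winter-2024!",
    ("unix-hr", "jsmith"): "hr-pass-1",
    ("oracle-fin", "jsmith"): "Winter-2024!",
    ("ad", "jsmith2"): "other-pass",
    ("unix-hr", "jsmith2"): "other-pass",
}

# Constructed stand-in for the server's record of (system, login ID) pairs
# already attached to some profile; these are skipped when a claim is processed.
ASSIGNED: Set[Tuple[str, str]] = set()

TRUSTED_SYSTEM = "ad"   # the system the NOS password is validated against
MAX_FAILURES = 3        # assumed threshold for "lockout if too often"


def try_login(system: str, login_id: str, password: str) -> bool:
    """Stand-in for a real connection attempt to a managed system."""
    return _SYSTEM_CREDENTIALS.get((system, login_id)) == password


@dataclass
class Profile:
    network_id: str
    attached: Dict[str, str] = field(default_factory=dict)  # system -> login ID
    failures: int = 0
    locked: bool = False


def authenticate(profile: Profile, nos_password: str) -> bool:
    """Validate the network login ID and NOS password against the trusted
    system, counting failures and locking the profile after too many."""
    if profile.locked:
        return False
    if try_login(TRUSTED_SYSTEM, profile.network_id, nos_password):
        profile.failures = 0
        profile.attached.setdefault(TRUSTED_SYSTEM, profile.network_id)
        ASSIGNED.add((TRUSTED_SYSTEM, profile.network_id))
        return True
    profile.failures += 1
    if profile.failures >= MAX_FAILURES:
        profile.locked = True
    return False


def claim(profile: Profile, login_id: str, password: str) -> List[str]:
    """Attach login_id on every system where the supplied password works.
    The user never names the system: candidates come from the nightly
    inventory minus pairs already assigned to a profile, and only a successful
    login adds an entry. Returns the list of systems newly attached."""
    if TRUSTED_SYSTEM not in profile.attached:
        raise PermissionError("claim requires a prior successful authentication")
    candidates = [s for s in NIGHTLY_INVENTORY.get(login_id, [])
                  if (s, login_id) not in ASSIGNED]
    newly_attached: List[str] = []
    for system in candidates:
        if try_login(system, login_id, password):
            profile.attached[system] = login_id
            ASSIGNED.add((system, login_id))
            newly_attached.append(system)
    # The password was needed only for the login attempts; nothing retains it.
    del password
    return newly_attached


if __name__ == "__main__":
    me = Profile("jsmith")
    print("login:", authenticate(me, "Winter-2024!"))
    print("claimed:", claim(me, "jsmith", "Winter-2024!"))  # oracle-fin only
    print("claimed:", claim(me, "jsmith", "hr-pass-1"))     # unix-hr
    print("profile:", me.attached)
```

Note that a second user who knows only his own password cannot claim `jsmith`'s accounts: the inventory tells the server where `jsmith` exists, but every candidate system still has to accept the password, and pairs already attached to another profile are never offered again.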
Does P-Synch transmit all sensitive data encrypted?
Data transmitted to and from P-Synch on the network is cryptographically protected, as follows:
| Session type | To/From | Algorithm | Key length |
|---|---|---|---|
| Interactive session | User browser | SSL (varies) | 128 bits |
| Trigger password synchronization | From Win2K/2K3 AD DC | 128-bit AES | 128-bit shared secret |
| Trigger password synchronization | From OS/390 | 128-bit AES | 128-bit shared secret |
| Trigger password synchronization | From Unix | 128-bit AES | 128-bit shared secret |
| Trigger password synchronization | From LDAP server | 128-bit AES | 128-bit shared secret |
| Trigger password synchronization | From WinNT DC | 128-bit AES | 128-bit shared secret |
| Set passwords, create/update users | To Unix agent | 128-bit AES | 128-bit shared secret |
| Set passwords, create/update users | To OS/390 task | 128-bit AES | 128-bit shared secret |
| Set passwords, create/update users | To RSA Authentication Manager | 128-bit AES | 128-bit shared secret |
| Set passwords, create/update users | To proxy server | 128-bit AES | 128-bit shared secret |
| API (application programming interface) session, socket | From calling system / IVR (interactive voice response) | 128-bit AES | 128-bit shared secret |
| API (application programming interface) session, web services | From calling system / IVR (interactive voice response) | HTTPS | 128 bits |
| Set passwords, create/update users | To target system | Native protocol | Varies; use the proxy server when the native protocol is inadequate. |
Does P-Synch store all sensitive data encrypted?
Encryption is used to protect stored P-Synch data as follows:
| Data | Algorithm | Key |
|---|---|---|
| Admin credentials, used to log into target systems | 128-bit AES | 128-bit random |
| User authentication Q-A (Question-and-Answer) profile answers | 128-bit AES | 128-bit random |
| User old password history | SHA-1 | 64-bit random salt |
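The last row, salted SHA-1 over old passwords, worked through as an added example (not P-Synch code). The table gives only the algorithm and salt size; the record layout `"<salt hex>$<digest hex>"`, the retention depth `HISTORY_DEPTH` and the reuse check are assumptions about how such a history is used. Each entry carries its own 64-bit salt, so a reuse check has to rehash the candidate password once per entry.

```python
"""Salted SHA-1 password history (added example, not product code)."""
import hashlib
import hmac
import os
from typing import List, Optional

SALT_BYTES = 8       # 64-bit random salt per entry, as in the table
HISTORY_DEPTH = 5    # assumed number of old passwords retained per user


def history_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Hash one old password under a fresh (or supplied) 64-bit salt.
    Only the salt and the digest are kept; the password itself is not."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 64 bits")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def matches_entry(password: str, entry: str) -> bool:
    """Recompute the digest under the entry's own salt and compare in
    constant time."""
    salt_hex, digest_hex = entry.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


def was_used_before(password: str, history: List[str]) -> bool:
    """Reuse check: does the candidate match any retained entry? Because every
    entry has a different salt, each one must be rehashed separately."""
    return any(matches_entry(password, entry) for entry in history)


def record_password(password: str, history: List[str]) -> List[str]:
    """Return the history with the new password appended and the oldest
    entries dropped beyond HISTORY_DEPTH (newest last)."""
    return (history + [history_entry(password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    hist: List[str] = []
    for old in ["Spring-2023!", "Summer-2023!", "Autumn-2023!"]:
        hist = record_password(old, hist)
    print(was_used_before("Summer-2023!", hist))   # True: reuse is rejected
    print(was_used_before("Winter-2024!", hist))   # False: new password allowed
```

The per-entry random salt defeats precomputed tables and stops two users' (or one user's successive) entries from being compared directly. It does not make the digests slow to test: SHA-1 is a fast hash, so if the history records leak, each old password can be guessed offline at full hash speed, which is why a deployment designed today would put a deliberately slow password hash in this row.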