MatchLogon Passwords + Humans = Security problems


Overview

Authenticator
High-Level Architecture
Biometric Standards Compliance
Active Directory Integration and Support
MatchLogon AD Data
Encryption Algorithms

The MatchLogon security platform encompasses several key concepts and features that are critical to any security software package:

  • Authentication - Verification of users' claimed identities by using one or more of the following: secrets (what you know), tokens (what you have) and biometrics (what you are and what you do).
  • Authorization - Determination that a user is authorized to carry out a particular action, such as logging on to a VPN, running an application, accessing a database, etc.
  • Audit - Detailed logging of authentication and authorization actions, with the ability to review and analyze logs to uncover suspicious activities, failures, etc.
  • Administration - System administrators can enroll users and define policies that control authentication and authorization for particular users, user groups, or applications.

In addition to these four key components, MatchLogon is designed to enhance both overall system security and convenience by focusing on:

  • Integrity - Authentication data (such as user authenticators), device/terminal/workstation communication, as well as policy and system settings are secured and protected from tampering and forgery by other applications, hackers, etc.
  • Confidentiality - Secret application data as well as authentication and authorization information is encrypted to protect it from access by unauthorized users, hackers, etc.
  • Non-Repudiation - Logging of security events that are backed by biometric authentication prevents users from claiming that an action occurred without their knowledge and acceptance.

MatchLogon is designed to address both overall system security and user acceptance with the following goals in mind:

  • Convenience - Security functionality should be easy to use, so that users will not attempt to bypass it.
  • Flexibility - Different applications call for different security measures, so security layers must be flexible enough to provide the level of protection appropriate to the problem being addressed.
  • Centralization - Administrators must be able to manage the entire system in a consolidated and integrated manner, from a central or multiple locations.

Authenticator

Throughout the MatchLogon system, we use the term "Authenticator" to mean the authentication data contained in or captured by a biometric or non-biometric device (such as a fingerprint, facial image, USB token, RFID card, etc.).


High-Level Architecture

MatchLogon is built on a flexible architecture that yields a common software platform, which enables scalability and makes it easy to add features and support new technologies in the future. In addition to authentication on a PC or network, MatchLogon provides a universal software interface and SDK that can be used to build scalable, centralized single sign-on (SSO) solutions for third-party applications, such as SSO to SAP® R/3®, Oracle®, Lotus® Notes®, intranet portals, etc.


Biometric Standards Compliance

MatchLogon was designed from the ground up to support the BioAPI open standard, which makes it possible to plug in new authentication hardware at any time without re-installing or re-starting the MatchLogon software. Both biometric and non-biometric technologies are supported by MatchLogon through the use of BioAPI and Biometric Service Provider (BSP) modules. A BSP module is vendor-supplied software that provides enrollment and verification services for a particular hardware device.

BSP modules are completely interchangeable or "pluggable" into the MatchLogon system. Multiple BSP modules can be installed on a server and workstation to reflect the needs of each organization. Such flexibility allows an organization to tailor its use of authentication hardware to best match its workstation environment.

Active Directory Integration and Support

MatchLogon fully supports and utilizes Microsoft Windows Active Directory (AD). AD technology was introduced with Windows 2000 to replace the traditional Windows NT SAM database. The following is a partial list of major AD advantages and their relevance to MatchLogon:

  • Multi-master domain model
  • Load balancing
  • Support for complex (n-tier) domain configurations and "sites"
  • Automatic data replication of both operating system and third-party data
  • Robust fail-over capability
  • Extensible schema
  • Tightly integrated with the Domain Name System (DNS)
  • Global Catalog

Customers gain considerable robustness through AD and can substantially lower their Total Cost of Ownership (TCO) for MatchLogon-enabled AD domains. MatchLogon integrates with many of the fail-over and data replication services that the operating system provides. AD's multi-master domain model allows the domain to function normally when a Domain Controller (DC) becomes unavailable: as long as the domain consists of more than one DC, there is no single designated DC that must process information updates. In the worst case, a DC failure loses only the last data that the DC received but had not yet replicated across the domain/forest; if the DC later becomes available again, that data is not lost at all but merely unavailable until the DC is back online. AD's use of DNS and its Global Catalog sub-system greatly supports service discovery and reduces network bandwidth usage, and the information maintained by the operating system is made available in a standardized and straightforward form.

MatchLogon fully leverages these mechanisms to provide data replication and robust, fast server discovery for its clients on the network.


MatchLogon AD Data

To support and make full use of AD, MatchLogon extends the AD schema by adding new attributes to the existing Computer and User classes. These attributes hold fingerprint, password, settings and other supporting information. MatchLogon AD data is opaque to AD and to other AD-enabled applications: the data is digitally signed and encrypted using the cryptographic algorithms the customer specifies when installing the MatchLogon Server software and setting the organization's unique Enterprise Key.

Extending the AD schema is optional. MatchLogon can instead use existing attributes such as Photo and Audio, which as a rule are not used in the organization's domain. Using existing attributes is ideal for evaluations and pilots.
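As an added illustration (not MatchLogon's own tooling), the following PowerShell snippet shows how an administrator could check which of the two storage options described above is in use on a domain: whether a MatchLogon schema extension exists, and which users already carry data in the fallback attributes. The attribute name `matchLogon-Authenticator` is a hypothetical placeholder for a real extended attribute; `photo`, `audio` and `thumbnailPhoto` are the standard AD attributes of the kind the page names as the fallback.

```powershell
# Added example, not MatchLogon's own tooling. Needs the ActiveDirectory RSAT module
# and read access to the schema and to user objects.
Import-Module ActiveDirectory

# Hypothetical placeholder: substitute the lDAPDisplayName from the product's schema extension.
$extAttr = 'matchLogon-Authenticator'
# Standard attributes of the kind the page names as the no-schema-change fallback.
$fallbackAttrs = @('photo', 'audio', 'thumbnailPhoto')
# Magic bytes of common media formats; an opaque, encrypted blob should not start with these.
$mediaMagic = @{ 'ff d8 ff' = 'JPEG'; '89 50 4e 47' = 'PNG'; '52 49 46 46' = 'RIFF/WAV' }

# 1. Is the schema extended? Look the attribute up in the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$def = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$extAttr)" -Properties attributeSyntax
if ($def) { "Schema extension present: $extAttr (syntax $($def.attributeSyntax))" }
else      { "No schema extension named $extAttr; checking fallback attributes" }

# 2. Which users carry data in the fallback attributes, and does it look like media or an opaque blob?
foreach ($attr in $fallbackAttrs) {
    foreach ($u in (Get-ADUser -LDAPFilter "($attr=*)" -Properties $attr)) {
        $val = $u.$attr
        # Multi-valued attributes (photo, audio) come back as a collection; inspect the first value.
        if ($val -isnot [byte[]]) { $val = [byte[]]$val[0] }
        $head = ($val[0..([Math]::Min(3, $val.Length - 1))] | ForEach-Object { $_.ToString('x2') }) -join ' '
        $kind = 'opaque (no known media signature)'
        foreach ($magic in $mediaMagic.Keys) {
            if ($head.StartsWith($magic)) { $kind = "looks like $($mediaMagic[$magic]) media, not an opaque blob" }
        }
        '{0,-20} {1,-15} {2,7} bytes  {3}' -f $u.SamAccountName, $attr, $val.Length, $kind
    }
}
```

Entries flagged as real media are ordinary user photos or audio that would collide with a pilot using the fallback attributes; entries with no recognizable signature are candidates for the signed, encrypted MatchLogon records.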


Encryption Algorithms

MatchLogon supports the open Microsoft CryptoAPI interface, which in turn provides a secure interface to the cryptographic functionality supplied by installable Cryptographic Service Provider (CSP) modules. MatchLogon allows the customer to choose the required cryptographic algorithms and key lengths for all cryptographic operations (key exchange, digital signature, data encryption and hashing).

MatchLogon uses the Microsoft Enhanced Cryptographic Service Provider by default, which provides stronger security by supporting longer key lengths and additional cryptographic algorithms such as RSA, SHA1 and RC4.
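As an added example (not MatchLogon code), this Windows PowerShell probe shows what the CSP choice described above means in practice: it opens the default Enhanced provider and the newer RSA/AES provider through the same CryptoAPI interface, lists the RSA key sizes each permits, and signs a constructed record with SHA-1 and SHA-256. The provider names and type numbers are the standard CryptoAPI ones; the payload string is constructed for the example. Because PROV_RSA_FULL providers hash only with MD5 and SHA-1, the SHA-256 attempt fails on the default provider, which is the deployment check a practitioner would want to run before relying on a CSP for SHA-2 signatures.

```powershell
# Added example, not MatchLogon code. Windows PowerShell (.NET Framework) on Windows, where the
# CryptoAPI CSPs are available. Keys are ephemeral, so nothing is written to a key container.
$providers = @(
    # PROV_RSA_FULL (type 1): the Enhanced CSP the page names as MatchLogon's default.
    New-Object System.Security.Cryptography.CspParameters(1,  'Microsoft Enhanced Cryptographic Provider v1.0'),
    # PROV_RSA_AES (type 24): the CSP that adds AES and the SHA-2 family under CryptoAPI.
    New-Object System.Security.Cryptography.CspParameters(24, 'Microsoft Enhanced RSA and AES Cryptographic Provider')
)
# Constructed sample payload standing in for a signed authenticator record.
$payload = [Text.Encoding]::UTF8.GetBytes('constructed sample: user=alice; authenticator=fingerprint')

foreach ($p in $providers) {
    $p.Flags = [System.Security.Cryptography.CspProviderFlags]::CreateEphemeralKey
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $p)
    $sizes = ($rsa.LegalKeySizes | ForEach-Object { "$($_.MinSize)-$($_.MaxSize)" }) -join ','
    "Provider: $($rsa.CspKeyContainerInfo.ProviderName) (type $($rsa.CspKeyContainerInfo.ProviderType)); RSA key sizes: $sizes"
    foreach ($hash in 'SHA1', 'SHA256') {
        try {
            $sig = $rsa.SignData($payload, $hash)
            $ok  = $rsa.VerifyData($payload, $hash, $sig)
            "  sign/verify with $hash : ok=$ok, signature $($sig.Length) bytes"
        } catch {
            # PROV_RSA_FULL providers only hash with MD5/SHA-1; SHA-2 fails here with 'Invalid algorithm specified'.
            "  sign with $hash : rejected by this CSP ($($_.Exception.Message))"
        }
    }
    $rsa.Dispose()
}
```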


© 2006, MatchLogon. All rights reserved.