Authenticating Remote User Identity With CASQUE SNR

Ditsa Keren, Technology Researcher. Updated on 1st July 2023.

Long ago, Basil Philipsz founded Distributed Management Systems (DMS), which started out as a software house doing small jobbing contracts. One of those projects was a physical access control system that protected the Port of Dover: a system of magnetic stripe cards that internal users, such as the Police and Customs authorities, used to access the port. That project triggered his interest in access security, and he went on to produce a set of inventions, four of which in particular underpin the CASQUE SNR technology. In this interview Basil Philipsz reveals the ins and outs of this operation.

What makes CASQUE SNR unique?

The whole point of our approach was to answer the question: how do you confirm the identity of a remote user coming to a data network?

There are many possible solutions to this problem: passwords, biometrics, PKI certificates, one-time passwords, SecurID Tokens, etc.

The problem with these techniques is that they rely on fixed secrets: a private key in a PKI infrastructure, a biometric template, an attestation key in a FIDO U2F device, etc.

If this fixed secret is discovered by hacking techniques, or if an insider discloses that fixed secret, then the system is busted. Our approach says you should keep changing the fixed secret. We use a secure chip, in a variety of different manifestations, to store a set of keys; it is called a CASQUE SNR Token and is an active device that resists cloning.

The benefit is that even if an attacker makes a clone of the secure chip, when the key is updated, either the clone gets the update and the “real” Token becomes useless and login is suspended, or the real Token gets the update, in which case the clone doesn't work.

We have refined this further by ensuring that even if the insider is a privileged user that can access the authentication server and give a copy to his collaborator, the collaborator would not be able to predict the keys. So as well as preventing clones, we have eliminated a major type of attack by a privileged insider.

Our main motivation is the belief that any large organization has the possibility of a frustrated insider. If we remove that level of threat, then we de-risk the vulnerability of the entire organization.

One of the 4 inventions has been granted US and EU patents. Moreover, the latest version has been certified by the UK's National Cyber Security Centre as being suitable for use at the secret level.

As you might expect, our major customer is the UK Ministry of Defence, but currently we are offering our system to a more commercial audience.

How does CASQUE SNR work?

The architecture is based on a Challenge-Response Protocol. Users possess a secure chip that computes the required response to a given Challenge. Tokens can have a variety of forms, the most useful being a contactless Smartcard. The recent iPhone iOS 13 operating system joins Android in supporting full NFC wireless working, enabling CASQUE to work with all mobiles. Also, by presenting the Challenge as a QR-coded image, your mobile can act as a surrogate reader for any desktop or laptop client. Tokens have their initial set of Keys populated on the Customer's premises by the Customer, so the Manufacturer or System Implementer can never be part of the risk.

The Challenge is generated by the CASQUE SNR Authentication Server. We have variants for Windows or Linux which can be set up on a VM in a Cloud infrastructure and act as an independent Identity Provider. The Challenge only gets decrypted inside the Token, and the response also verifies key change success. It is impossible to successfully play back previous Challenges.

Whenever changes are made, the CASQUE SNR Authentication Server Database is replicated in real time to a secure Backup Server located remotely. This allows for immediate recovery in the event of any disaster.

The administration of the CASQUE SNR Authentication Server is provisioned so that different “Grades” of administrators can appropriately update the allocation, suspension and privileges of Users remotely through a web interface after being authenticated by CASQUE SNR.

So, for example, a “Help Desk” Administrator can suspend a reported lost Token whereas a “Supervisor” level Administrator is needed to unsuspend.

The CASQUE SNR Server has the capability, through an API, to send short messages to the Token to be revealed to the User. This could be used to distribute part of an encryption key to decrypt previously sent files, so obviating the risk of interception and thereby establishing a separate, inviolate private channel. One example of using this feature could be a receipt summarising a transaction just completed.
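As an added illustration (not the page's own code and not CASQUE SNR's actual protocol), the constructed Python model below shows the two properties described in the answers above: a Challenge that is single-use, so a replayed response fails, and a key that advances on every successful login, so a Token cloned earlier is rejected and the Token is suspended for an administrator to review. The HMAC-based key derivation, the response format and the suspend-on-mismatch rule are assumptions of the model.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of the mechanism the interview describes: every successful
# login advances the token's key, so a copied chip goes stale. Not CASQUE SNR's real protocol.
def next_key(key: bytes, nonce: bytes) -> bytes:
    """One-way derivation of the next key from the current key and the challenge."""
    return hmac.new(key, b"rotate" + nonce, hashlib.sha256).digest()

class Token:
    """Stand-in for the secure chip: adopts the new key, then proves it in the response."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        self.key = next_key(self.key, nonce)
        return hmac.new(self.key, b"response" + nonce, hashlib.sha256).digest()

    def clone(self) -> "Token":
        return Token(self.key)  # an attacker copies the chip state at this moment

class Server:
    """Stand-in for the authentication server: challenge, verify, suspend on mismatch."""
    def __init__(self, enrolled: dict):
        self.keys, self.pending, self.suspended = dict(enrolled), {}, set()

    def challenge(self, token_id: str) -> bytes:
        self.pending[token_id] = secrets.token_bytes(16)
        return self.pending[token_id]

    def verify(self, token_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(token_id, None)  # single-use challenge: a replayed response fails
        if token_id in self.suspended or token_id not in self.keys or nonce is None:
            return False
        candidate = next_key(self.keys[token_id], nonce)
        expected = hmac.new(candidate, b"response" + nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.keys[token_id] = candidate  # the response proves the key change succeeded
            return True
        self.suspended.add(token_id)  # stale key: possible clone, suspend until an admin reviews
        return False

def clone_scenario() -> list:
    """Real token logs in, a pre-login clone tries next, then the real token tries again."""
    real = Token(secrets.token_bytes(32))
    server = Server({"tok-1": real.key})  # initial key loaded on the customer's premises
    clone = real.clone()
    # Expected [True, False, False]: the clone is rejected and the token is then suspended
    return [server.verify("tok-1", t.respond(server.challenge("tok-1"))) for t in (real, clone, real)]
```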

Can you describe a Case Study?

We have integrated CASQUE SNR with Pulse Connect Secure which provides gateways that enable VPNs. The Pulse Connect Secure refers a User’s access request to the CASQUE SNR Authentication Server and its Challenge-Response interrogation determines whether access is granted or rejected.

Another example is when a Customer wants to use their own web server. We provide a programming interface so the webserver can talk directly to the CASQUE SNR Server.

We have also integrated CASQUE SNR with the Zimbra Collaboration Suite.

Alternatively, you might be using Amazon Web Services, but instead of the normal login you can use CASQUE SNR for a more secure, non-repudiated authentication.

About the Author

Ditsa Keren is a cybersecurity expert with a keen interest in technology and digital privacy.
