Multifactor Authentication for Mission Critical System using Synchronous Offline Token
Equnix has been researching and developing embedded encryption for PostgreSQL for a couple of years, and we have accumulated the results into a feature called ESE (Equnix Seamless Encryption) in our flagship product, 11DB/Postgres. To support the ESE implementation we had to enable several technologies besides data encryption; in this article we discuss the MFA implementation that is incorporated into 11DB/Postgres.
This MFA plays a crucial role at several points:
a. It is implemented as a custom PAM library (libpam) of the operating system.
b. It is used to enable 2FA for sudo (and of course we disable root login).
c. It is the basis of session-ID authorization in 11DB/Postgres for every incoming connection.
Developing an OTP looks simple: as long as both parties can reach the Internet, it can be done easily. We can even use an OTP provided by a third party such as Google Authenticator. But if there is a specific requirement not to connect to the Internet, complexity arises. At that point we need a better mechanism, a trusted authentication model that authorizes access to a resource (host, database, storage, etc.). Equnix invented a mechanism for an offline authentication model that keeps both parties (the host or computing resource AND the authenticating party) synchronized, trusted and secure. Let's compare the OTP authentication models by looking at the three types of authentication below:
In the 1st diagram we see the normal OTP authentication model used by so many systems in production right now. This is secure enough, very simple and does not require much protection effort, since it uses the Internet to synchronize the parties.
In the 2nd diagram we can see that the system resource has been injected with an OS-customized library called equnix-pam, which behaves as part of PAM (Pluggable Authentication Modules) in the Linux OS. This libpam acts as the authenticating user and must communicate with the auth server, using a special mechanism that returns the same key as the server (synchronized) every time it is needed. This communication is not merely an exchange of bits of information: by using our own mechanism we enable synchronization between the two sides.
Last, an offline OTP is quite commonly implemented by creating a special device and using a generation
Going deeper into Synchronous Offline OTP, we define each party as follows:
1. Resource or Computing Resource: a machine, server, desktop, host or any computing device that has an OS.
2. Caraka: a mobile application used to carry the communication between the end user and the Authentication Server (Equnix Auth).
3. The Authentication Server: validates the auth key.
4. HSM (Hardware Security Module): the ultimate protection for key management. An HSM can be used for this purpose, but it is not mandatory in order to have a sophisticated MFA for a system.
To use this feature, download equnix-pam from the website and install it on every server or computing resource. Do not forget to label each resource: a single package download (.deb or .rpm) contains only one registration ID, but it can be used to secure multiple resources, hosts or servers.
After installing the libpam, you need the mobile application called Caraka, the UI tool for Equnix Authenticator. Caraka is used to send the challenge token and to receive the response token.
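As an added illustration that is not Equnix's SyncOTP code (the post does not disclose its algorithm), the following shows one way the challenge/response flow above can be verified on the host side with no network path to the server: both sides hold a per-registration shared secret and derive the response token from an HMAC over the registration ID, the challenge and a time step, with replay rejection and a small clock-drift tolerance. The secret, registration ID, time step and digit length are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

DIGITS = 8
STEP_SECONDS = 60  # assumed time step shared by both sides; clocks must stay roughly in sync


def derive_response(secret: bytes, registration_id: str, challenge: str, counter: int) -> str:
    """Response token: HMAC-SHA256 over (registration id, challenge, time counter), truncated."""
    msg = f"{registration_id}|{challenge}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation as in RFC 4226
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Authentication-server side: holds the secret per registration id and answers challenges."""
    def __init__(self, secrets_by_id: dict):
        self._secrets = secrets_by_id

    def answer(self, registration_id: str, challenge: str, now=None) -> str:
        counter = int((time.time() if now is None else now) // STEP_SECONDS)
        return derive_response(self._secrets[registration_id], registration_id, challenge, counter)


class HostVerifier:
    """Host (PAM module) side: issues a challenge, then checks the relayed response offline."""
    def __init__(self, secret: bytes, registration_id: str, skew_steps: int = 1):
        self._secret, self._id, self._skew = secret, registration_id, skew_steps
        self._pending = set()                        # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str, now=None) -> bool:
        if challenge not in self._pending:           # unknown or already-used challenge: reject
            return False
        counter = int((time.time() if now is None else now) // STEP_SECONDS)
        for delta in range(-self._skew, self._skew + 1):   # tolerate small clock drift
            expected = derive_response(self._secret, self._id, challenge, counter + delta)
            if hmac.compare_digest(expected, response):
                self._pending.discard(challenge)     # one-time use: replaying this pair fails
                return True
        return False
```

The user relays `new_challenge()` to the server through the app and types the returned token back into the host prompt, which is all `verify()` needs.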
This module has been implemented as part of the 11DB/Postgres delivery to increase access security and prevent data leaks. Please leave a comment below if you have any questions; we are open to any company that wants to take a look, discuss it in depth, run a trial and, in the end, purchase and adopt this authentication system for their business.
This authentication module, called SyncOTP (Synchronous Offline OTP), is part of a bigger solution package called Equnix Authenticator, and you may download the mobile app, Caraka, from the Google Play Store.
Moreover, you can see the implementation in the video below, which uses SyncOTP as part of 11DB/Postgres authentication: https://youtu.be/JC4uZVLVcBU?t=5430
Have fun!