Sunday, December 24, 2006

Aladdin's Genie and Me !!

Nope, this blog isn't about the dream I had last night, nor about a Genie that granted me some wishes. Yes, contrary to my very first blog, where I mentioned that I wouldn't be using this blog as my personal diary, I had to, since I was running out of articles.

December 13-15, Venue: Kalkaji, New Delhi

It all began when I received a mail from my boss nominating me for a 3-day training. I was amazed to hear my boss say that I would be trained on Aladdin, and my colleagues ridiculed me, saying I would be taught how to rub the lamp for 3 whole days.

A quick Google search took me to Aladdin's homepage, and a few clicks here and there soon made me realize that Aladdin was yet another security company based in Israel, just like Radware, RSA Security and Check Point. I had always wondered what security has got to do with a country like Israel; the Genie from Aladdin had an answer to my question, which I will touch upon in the later part of this blog.

For people who have not heard of Radware, RSA Security, Check Point and Aladdin: these are well-known network security companies that build and deploy products like firewalls, intrusion prevention systems, load balancers, one-time-password tokens and PKI solutions. If the last two lines didn't make sense, think of them as the devices of the networking industry that secure an organization's environment and keep unauthorized intruders (hackers) away from your privacy and the organization's critical information.

The training was about Aladdin's eToken, a smartcard in USB form that holds your email passwords and digital certificates so that you carry them with you instead of remembering or typing them. Although the concept of carrying such gadgets along is fast picking up in a country like India, user acceptance of such systems might still be a major issue, and the solution may not be feasible in most cases except in environments where access to high-end systems like mainframes needs to be secured.

The eToken is meant to be a centralized store for all your passwords and credentials: personal passwords, corporate email, banking passwords, single sign-on passwords and digital certificates. What does that mean to the end user? You are no longer required to remember a different complex password (upper case, lower case, numerals, special characters) for every application, considering that an IT professional has to keep track of about a dozen of them: email, Yahoo chat, Orkut, banking, desktop, corporate email, domain logins and so on. All of these live on the USB token and are protected by a single PIN or passphrase. A 2-factor solution (the PIN is something you know, the token is something you have) always scores more cookie points on any given day, with two caveats. First, that single PIN now guards everything, so you want a token that locks itself after a few wrong PINs, because that lock-out is all that stands between a stolen token and every account on it. Second, the day you forget your token at home you will end up doing nothing but sipping coffee all day, unless the organization has a recovery procedure in place. Yes, very similar to the way you sometimes go broke with your ATM card lying on your desk back home; the concept of borrowing passwords doesn't exist in the security world.

With organizations being forced to comply with standards like ISO 15000, BS7799, HIPAA, Basel II and Sarbanes-Oxley, which make it mandatory for employees to follow certain norms that minimize the risk of critical information being stolen, the day is not far away when you will be forced to carry an eToken to work.

The concept of one-time-password solutions has already been implemented in many companies. I believe most of you must have seen your IT friends carrying the flashy tokens on a keychain, with 6-digit numbers flashing on the small LCD display, reminding you of the timer on a bomb that could go off at any time, just like it does in most Hollywood movies. I have seen a couple of my friends trying to act techno-savvy and impress their colleagues; trust me, having used the token in the previous organization I worked for, one is better off without it.

If you wonder how the whole concept of one-time-password solutions works, let me explain. 2-factor authentication means you prove your identity to the server with two different kinds of proof: something you know (your password or PIN) and something you have (the RSA token), which displays a new 6-digit code once every 60 seconds. When you log on to your email or any server, you enter your password followed by the code currently showing on the token. The code is not random in the dice-rolling sense: it is computed from a secret seed programmed into your token and the current time, and the server holds a copy of that seed for your account, so at any given moment the server can compute the same code your token is displaying, while your colleague's token, programmed with a different seed, shows a different code that is synchronized with his account. Sharing your password with a colleague therefore gets him nowhere without the token, and even if you read the current code out to him, it is only good for that one 60-second window, after which both your token and the server have moved on to the next code. A well-designed server also tolerates a small amount of clock drift, by accepting the codes for the neighbouring time windows, and remembers the last code it accepted so that the same code cannot be replayed within its window.
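Here is an added example of the time-synchronized scheme described above; it is not code from this page or from RSA's product. RSA SecurID uses its own proprietary algorithm, so the example uses the open TOTP scheme (RFC 6238: HMAC-SHA1 over the time step, as in RFC 4226 HOTP), which follows the same design: a shared seed, a counter derived from the clock, and a server that recomputes the expected code. The user names, passwords, seeds and the `Server` class are constructed for the example, and the 60-second step follows the page (RFC 6238's default is 30 seconds).

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page's token rolls over every 60 s (RFC 6238 default is 30)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the code the token displays, given its seed and the current time."""
    return hotp(seed, unix_time // step, digits)


class Server:
    """Toy authentication server (constructed for this example). It stores each user's
    password and a copy of the token seed, which is what lets it recompute the token's code."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps   # also accept the neighbouring windows, to absorb clock drift
        self.users = {}                  # user -> [password, seed, last accepted counter]

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        self.users[user] = [password, seed, -1]

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        stored_password, seed, last_counter = record
        # factor 1: something you know (constant-time comparison)
        if not hmac.compare_digest(stored_password.encode(), password.encode()):
            return False
        # factor 2: something you have; check the current window and its neighbours
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= last_counter:
                continue                 # window already used: a shared or sniffed code cannot be replayed
            if hmac.compare_digest(hotp(seed, counter), code):
                record[2] = counter      # remember the window so the same code is never accepted twice
                return True
        return False


if __name__ == "__main__":
    # constructed sample: two users, each with a different seed, and a fixed clock for reproducibility
    server = Server()
    server.enroll("harsha", "hunter2", b"constructed-seed-for-harsha")
    server.enroll("colleague", "letmein", b"constructed-seed-for-colleague")
    now = 1_166_000_000
    code = totp(b"constructed-seed-for-harsha", now)
    print("own token, own password  :", server.login("harsha", "hunter2", code, now))    # True
    print("same code again (replay) :", server.login("harsha", "hunter2", code, now))    # False
    print("shared password, colleague's token:",
          server.login("harsha", "hunter2", totp(b"constructed-seed-for-colleague", now), now))  # False
```

The `hotp` function can be checked against the published test vectors (RFC 4226 appendix D and RFC 6238 appendix B use the 20-byte ASCII secret `12345678901234567890`); the replay check is what makes "he can use it once" actually hold, since without the remembered counter a shared code works for the whole 60-second window, not once.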

The Ministry of Company Affairs, Government of India (GoI), has initiated the MCA21 program for easy and secure access to its services in a manner that best suits businesses and citizens. MCA21 is envisioned to provide anytime, anywhere services to businesses. It is a pioneering program, being the first mission-mode e-governance project undertaken in the country. The program builds on the GoI vision of introducing a service-oriented approach in the design and delivery of government services, establishing a healthy business ecosystem and making the country globally competitive. Under this program, the use of digital signatures is mandatory for both individuals and organizations dealing with the GoI.

According to Aladdin's Genie, the European Union is trying to come up with a similar act, and it comes as a pleasant surprise to most Indians that the Indian Information Technology Act, which is often criticized for having too many loopholes and for working on a reactive rather than a proactive basis, has managed to promote this concept ahead of the European council.

Digital signature?? Similar to how one signs a document or a form, a digital signature is a way of signing an electronic document, but the analogy ends there. To sign a document digitally you need a key pair: a private key that only you hold (on the eToken, for instance) and a public key that anyone may have. A digital certificate ties that public key to your name. It is issued by a Certification Authority, which takes on the responsibility of verifying who you are before issuing a unique certificate to you, so that the other party can trust the signature on any online transaction you initiate.

Digital certificates are issued by Certification Authorities like VeriSign, Thawte, Entrust, GeoTrust and a few others. Yupeeeeeeeee, India has now got its own Certification Authority, SafeScrypt, provided by SifyComm in association with VeriSign.

So when you sign a document digitally, you attach your certificate to the signed document, and the receiver checks that the certificate was genuinely issued by a Certification Authority he trusts (and, ideally, that the CA has not since revoked it). The certificate itself is public; what nobody else can do is produce your signature, because that needs the private key, which never leaves your token. In outline: the sender computes a hash of the document and signs that hash with his private key; the receiver recomputes the hash of the document he received, uses the sender's public key (taken from the certificate) to check that the signature matches that hash, and verifies the CA's own signature on the certificate. The details are beyond the scope of this blog.

Coming back to the mystery behind security companies having their base in Israel: according to the Genie, Ori Ammar, my trainer, the whole concept of a strong cryptographic security base comes from the Israeli military, which came up with proprietary security solutions for its data networks across the country during the late 1980s. Modern-day security companies have all been established by people who have retired from the army, unlike in other countries, where even highly secure government and military networks are built, operated and maintained by third-party service providers external to the organizations. Phew, was it the actual reason? Well, according to the fairy tale, the genie had no reason to lie.

The Genie and Me
(Ori Ammar - Aladdin eToken Presales Consultant)

Having wrapped up the training session and grabbed whatever I could from the genie, I picked up my gift, an Aladdin bag, and was on my way back home for the weekend.

Life back in the office is so monotonous: doing the same repetitive and boring work, seeing the same people, sitting on the same chair... staring at the same female, sipping coffee from the same machine...

Life is so boring; I keep hoping I will be nominated for some other training in the near future...

4 comments:

Ranjan said...

Areyyy nice post!

I got most of the things you said.
I am in favour of single sign-on a lot, the way Google has implemented it. I sign into my Google account and from there I can go on to the application I want to use or have signed up for.
Put a link to the post on the networking groups... networking people will definitely like to read such stuff.

Unknown said...

Thanks RKJ!! To be very honest, I never expected anyone would go through the post.

I promise I will try reading the SW blogs too ;)

Paddie said...

Whoa!!!!!!!
Now this is called one kind of blog and post and information-sharing medium!!
All I would like to say is... thanks Harsha... took me back to my electronics days... it was really awesome to find answers to most of my curiosities in one simple sa blog!!
Kudos man!!

Anonymous said...

Hi Harsha,

It's a nice way to share info. In fact I was looking for such kind of info... because I was looking for a TFA device when I came to know about it. I need a favour: can you tell me its price, if I want to buy it...
Kindly help me, or you can contact me at sumithans@gmail.com
