Troubleshooting
Problem
enhanced Security, credit card encryption, SSL, dual/two-factor authentication
Symptom
PART: Infrastructure 4.0 SP3 Platform
How can security be enhanced around the Yantra application, especially with regards to credit card information? How can the Yantra application be modified to interface with a dual authentication system?
Cause
Resolving The Problem
Following are some of the measures that can be implemented to enhance the security of credit card numbers. The level of security to be implemented should be determined by APL after considering the different client requests, cost of investment, etc.
1. On Yantra, the credit card number can be encrypted and the visibility of the decrypted credit card information can be controlled at user group level. All other users will be able to view only the last 4 digits of the credit card (APL has already implemented this).
2. By making sure all communication from outside the firewall uses the SSL protocol. The SSL protocol maintains the security and integrity of the data transmission between server and client by using encryption, authentication and message authentication codes. Users from outside the firewall will not be allowed to access the Yantra application directly through plain HTTP.
3. By implementing a dual authentication system. Dual authentication (two-factor authentication) involves authenticating a user by "something the user knows" (user id/password) and "something the user has" (like a key card). One of the common forms of dual authentication is time-synchronized key cards (like RSA SecurID). The key card device generates a string of numbers that changes within a given period (e.g. every minute). Users are required to enter the user id and the number from the key card. The host system knows what that number is supposed to be for that user at that particular time and uses this information to authenticate the user. This increases the protection against spoofing or brute-force attacks.
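As an added example (not part of this technote or of the Yantra product), the following Python code shows how a host verifies a time-synchronized code of the kind described in item 3. It uses the public HMAC-based TOTP construction (RFC 6238) with a one-minute step as a stand-in, since the SecurID algorithm itself is proprietary; the user id, token seed and timestamp are constructed sample values.

```python
# Added example (not from the technote): host-side check of a time-synchronized
# one-time code. Uses HMAC-based TOTP (RFC 6238) in place of the proprietary
# SecurID algorithm; the seed database below is constructed sample data.
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # the code changes once a minute, as described in the technote
DIGITS = 6          # the technote's sample JSP expects a six-digit code
WINDOW = 1          # tolerate one step of clock drift in either direction


def expected_code(secret: bytes, counter: int) -> str:
    """Code the host expects for a given time-step counter: HMAC-SHA1 over the
    big-endian counter, dynamically truncated to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


# Constructed sample seed store: user id -> shared secret and last accepted step.
TOKENS = {"jdoe": {"secret": b"constructed-seed-for-jdoe", "last_counter": -1}}


def verify_code(user: str, code: str, now: int) -> bool:
    """Return True only if code matches what the host expects for user at time
    now (within WINDOW steps). Each step is accepted at most once, so a code
    that was observed in transit cannot be replayed later."""
    entry = TOKENS.get(user)
    if entry is None or len(code) != DIGITS or not code.isdigit():
        return False
    current = now // STEP_SECONDS
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if counter <= entry["last_counter"]:
            continue  # already consumed, or older than the last success
        if hmac.compare_digest(expected_code(entry["secret"], counter), code):
            entry["last_counter"] = counter  # burn this step
            return True
    return False
```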
Access to Yantra can be integrated with a dual authentication system by customizing the login screen. New custom login screen(s) will be developed and exposed outside the firewall. The users will enter user id, password and the additional authentication information on the custom screen. This input will be passed on to a custom jsp page that will interface with the 3rd party software to authenticate the user. If the user is authenticated, the custom jsp page will log the user into Yantra by invoking the standard Yantra login jsp (with the userid and password entered on the custom screen). The following steps should be followed to ensure security and ease of use.
-- Users should not be permitted to access the standard Yantra login page directly.
-- The standard Yantra login page will be modified to redirect users to the custom page if accessed without a userid and password. This ensures that users are redirected to the custom login page on session time out or on log out.
-- The custom jsp page will implement a server side redirect using RequestDispatcher for added security (the forward happens inside the application server, so the standard login URL and the credentials it carries are never sent to the browser).
-- If the login request is from within the same firewall, the custom jsp page can be enhanced to skip the 3rd party authentication steps.
A sample authentication jsp page is attached below:
<%@ page import="java.net.URLEncoder" %>
<%!
    // Sample hook for the 3rd party check. This stub only accepts a six-digit
    // number whose last digit is 5 or greater; replace it with the real
    // interface to the authentication product.
    boolean validateAuthorizationID( String AuthId )
    {
        if ( AuthId == null || AuthId.length() != 6 )
            return false ;

        try
        {
            long lAuthId = Long.parseLong( AuthId ) ;

            if ( ( lAuthId % 10 ) >= 5 )
                return true ;
            else
                return false ;
        }
        catch ( NumberFormatException e )
        {
            return false ;
        }
    }
%>
<%
    String strUser   = request.getParameter("UserId") ;
    String strPasswd = request.getParameter("Password") ;
    String strAuthId = request.getParameter("AuthenticationID") ;

    String strDispatch = null ;
    if ( validateAuthorizationID( strAuthId ) )
    {
        // Forward to the standard Yantra login. The forward is server side, so
        // this path (and the credentials in it) is never sent to the browser.
        // Values are URL-encoded so special characters survive the query string.
        strDispatch = "/yfsconsole/bin/login.jsp?userid="
                    + URLEncoder.encode( strUser, "UTF-8" )
                    + "&password=" + URLEncoder.encode( strPasswd, "UTF-8" )
                    + "&redirect=&btnlogin=Login" ;
    }
    else
    {
        // Send the user back to the custom login page with an error message
        strDispatch = "/custom/remote_login.jsp?ErrorMsg"
                    + "=Authentication Failed" ;
    }

    RequestDispatcher dispatcher = request.getRequestDispatcher( strDispatch ) ;

    dispatcher.forward( request, response ) ;
%>
Historical Number
PRI49204
Product Synonym
Fact
Document Information
Modified date:
16 June 2018
UID
swg21548119