Secure Online Transactions With Snorkel

by Julia Fernandes    Jul 12, 2005

Odyssey Technologies recently launched Snorkel, a security gateway appliance that sits strategically between the Web application and its clients - Internet browsers and other Snorkel thick client components.

In an exclusive with CXOtoday, B. Shiva Shanker, vice president, Odyssey Technologies Ltd., said, “The most significant USP of this product is its non-invasive deployment. It fits seamlessly into the existing applications without the need to change even a byte of code in the application. It isolates security logic from the application. The security logic can evolve independently, as the security scenario changes. Similarly, the application(s) can evolve to meet the growing business needs, independent of the security logic.”

Continuing further he said, “Snorkel facilitates digital certificate users and password users to co-exist, which removes the headache of managing two different infrastructures for providing these two different authentication models. It features a distinctive migration model that enables password users to migrate to digital certificates based on their need.”

Snorkel is an edge security gateway appliance that provides authentication with digital certificates, channel privacy with SSL and integrity with digital signatures. It enables, verifies, and preserves digitally signed transactions. The appliance is designed to deliver authentication, data integrity, non-repudiation, and confidentiality services to Web applications and their users through the use of Public Key Technology.

According to Shanker, “Snorkel can provide Transaction Security to all applications that deliver their services through a HTTP(S) transport and a Web browser.”

Snorkel extends digital signature and encryption functionalities to Web applications as a transparent middleware and can service multiple Web applications simultaneously. It helps in implementing authentication, channel security, access control, transaction security and message level security - the keys for enterprises to expand trusted relationships with customers, partners, suppliers and channels across the Web.

Snorkel leverages 64-bit computing power, utilizing the enhanced memory and optimised 64-bit Linux kernel to deliver over 20 times faster performance in RSA operations. In addition, it provides performance equal to or exceeding that of the cryptographic accelerators that are necessary for today’s SSL-protected web applications. A single Snorkel appliance can service upwards of a million users.

Speaking in terms of security, Shanker said, “Snorkel supports the four pillars of e-commerce: Authentication, data integrity, privacy, and non-repudiation. The two factor authentication supported by Snorkel uses Digital Certificates (X509v3) for authentication, follows 128-bit strong encryption for channel security, keeps data safe during transmission and transactions are digitally signed for data integrity and non-repudiation.”

“In addition the logs provide useable tracking information, which will help in forensics in case of disputes. Snorkel security cover is extended right from the browser to the Web application, which is close to the best that can be provided in the context of the security technology that is presently available,” noted Shanker.

The domain that Snorkel normally operates in is fairly complex and evolves at a faster rate than the rest of the technology itself. It becomes all the more important to ensure that Snorkel itself is adequately secure. The architecture is designed to handle unknown network conditions, complex hack attacks, or unfamiliar content structures. Access to the appliance is only through secure remote connections (SSH) and all administrative activities are digitally signed and logged.

Snorkel, with its plug-n-play model and Web-based administration interface, ensures painless administration of the appliance. All activities carried out by the administrators are secured cryptographically (using digital signatures) and the signatures are archived for audit trail purposes.

In the banking vertical it can be used for corporate and retail banking such as instructions for salary upload, bulk DD issuance, vendor/dealer payments, B2B services, inter-branch workflow applications, online trading instructions, depository participant and stock broker transactions, etc. The solution also has applications in manufacturing, healthcare services and ISPs.

According to Shanker, Snorkel is licensed on a named-user basis. It starts from 1000 users and can go up to several millions, upwards of Rs 10 lakh.

Touching upon the merits and demerits of various security standards, he said, “Many business applications which support transactions with financial implications continue to use passwords and server side SSL for security. Passwords provide very limited security and pose a serious vulnerability. Two-factor authentication using one-time password solutions such as SecurID from RSA provides very little security beyond authentication. VPN has its limitation when it comes to non-repudiation.”

Advising enterprise IT heads, Shanker said, “CIOs managing online business infrastructures such as e-banking / e-tailing should be able to provide guarantees for transaction and data safety to the consumers. Consumer confidence in the security measures and data privacy would automatically encourage more business. CIOs should also evaluate digital certificate based two-factor authentication for their transaction applications and digital signatures for non-repudiation - as it is protective to both, the service provider and consumer.”

Chennai-based Odyssey Technologies offers solutions built around Public Key Technology. Its partial client list includes Anna University, Asian Paints, Centurion Bank, Dr. Reddy’s Laboratories, HDFC Bank and Stock Holding Corporation of India Limited.
