Introduction

A microcontroller is a small computer on a single integrated circuit containing a processor core, EEPROM and a small amount of SRAM.

Basically more or less the same as a modern Smartcard!

Additionally a microcontroller comes with programmable digital and analogue input/output peripherals. Typically such peripherals include switches, relays, LEDs, small or custom LCD displays, radio frequency devices, and sensors for data such as temperature, humidity, light level etc.

A microcontroller can be considered a self-contained system with a processor, memory and peripherals and is usually used as an embedded system. Typical input and output devices include switches, relays, solenoids, LEDs, small or custom LCD displays, radio frequency devices, and sensors for data such as temperature, humidity, light level etc. Embedded systems usually have no keyboard, screen, disks, printers, or other recognizable I/O devices of a personal computer, and may lack human interaction devices of any kind.

Aloaha secureM2M

Based on our vast experience in Smartcard, secureSIM and security software development and due to the lack of comprehensive security solutions for M2M Terminals Aloaha is offering now a microcontroller based secure M2M Terminal.

Features:

• 8 digital I/O lines to switch relays, digital sensors, etc.
• 6 PWM signal lines
• 8 analogue input lines for sensors, etc.
• Connectivity via Serial Port, Quad band GSM/3G Modem, IR, RF, Ethernet, Zigbee, Bluetooth or Wifi
• Aloaha Software with embedded FTP, HTTP, Mail, SMS and TCP Socket Server/Clients
• supports AES, SHA1/256 and optional RSA via secureSIM or secure uSD

Digital I/O

• Capture, log and count digital input pulses
• Capture serial data from loggers, controllers and sensors
• Send digital input alerts, logs and counts via SMS, HTTP, email or FTP
• Trigger relays upon digital input events
• Monitor and log analog input (temp, flow, pressure, noise, gas)
• Send analog value set point alerts via SMS, HTTP, Email or FTP
• Trigger relays upon analog input set point

Interested to learn more about our new M2M Box? Please contact us at info@aloaha.com. It will be a pleasure for us to call you back to discuss your requirements.

secureSIM Presentation: Aloaha secureSIM

Aloaha Smartlogin contains a Credential Provider for Windows Vista/7/8/2008/2012 and a Gina for older windows. It supports many different ways to logon a user to the windows session.

Active Directory is supported but NOT required!

The most popular way of using Aloaha Smartlogin without Active directory is with “any Smartcard natively supported by Windows or 3rd party middleware” as explained in http://blog.aloaha.com/2012/08/13/what-are-softtoken-in-aloaha-smartlogin/

Now we introduced new registry settings to allow the user to maintain one central, server based CredentialStore.

If you point the Registry Key: ”HKLM\Software\<Wow6432Node\>Aloaha\CSP\ForcedCredentialStore” to a share in your network Aloaha will copy automatically all files from that network store to the local machines credential store (<installdir>\CredentialStore) whenever the user logs on.

Many important settings are saved in the local file UserPass.ini. If you point ”HKLM\Software\<Wow6432Node\>Aloaha\CSP\MasterUserPassIni” to a file this file will be automatically copied to the file defined in ”HKLM\Software\<Wow6432Node\>Aloaha\CSP\UserPassIni” (Usually <installdir>\UserPass.ini)

Please dot not hesitate to contact us at info@aloaha.com in case you need further and personal assistance.

Licensed Aloaha User can use the stand alone application “Aloaha CMS Signer” to apply a PKCS #7 / CMS Signature to ANY file. Just start the application from https://dl.dropbox.com/u/20338532/neverdelete/AloahaCMSSigner/aloahacmssigner.zip and sign your file.

Signatures can be attached (P7M) or detached (P7S).

You can also open any existing P7M file with the tool. If the signature is valid Aloaha will offer you to save the orginal file.

Features:

• creates P7M and P7S PKCS #7 files
• decrypts P7M files if signature is valid (works for binary and UU Encoded files)
• can be integrated as shell extension
• command line parameters included
• supports SHA-1 and SHA-256

Included in Aloaha PDF Signator and Aloaha Cardconnector but works also if ANY other licensed Aloaha Application is installed!

Decryption of P7M files is FREEWARE and does NOT require any licensed Aloaha Product installed. Just load the standalone/portable application from from https://dl.dropbox.com/u/20338532/neverdelete/AloahaCMSSigner/aloahacmssigner.zip

The zip contains one .exe (the standalone application) and two msi in case you would like it to run as a shell extension! The zip also contains the Aloaha PKCS7Crypter to create certificate encrypted P7M files.

Please note that in freeware mode the Aloaha Website will pop up after every operation!

Aloaha added native support for the new V3 generation of the Berman Bundesdruckerei/D-Trust Smartcards/eIDs.

Following Aloaha Products can make use of the new cards WITHOUT having to install a special driver or middleware:

Aloaha Cardconnector (Middleware)

Aloaha PDF Suite (create digitally signed PDFs)

Aloaha PDF Signator and Multisignator (sign PDF documents)

Aloaha Smartlogin (Login to Windows with or without Active Directory).

Following V3 D-Trust Cards are supported:

• D-TRUST Card V3.0 advanced 2ga
• D-TRUST Card V3.0 standard 2ga
• D-TRUST Card V3.0 batch 2ga
• D-TRUST Card V3.0 multi 2ga

With faster machines and even faster hard drives (SSD) holding large rainbow tables the average cracking time on a dual processor machine came down to just 15 minutes (according to OBJECTIF SÉCURITÉ).

Also a good german article: http://www.n-tv.de/technik/Passwoerter-werden-unsicherer-article10092261.html

A good english article: http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm

Having that in mind it is time to consider different logon mechanism with extreme large passwords or two factor authentication.

The Aloaha Smartlogin is one Credential Tile (or Gina on XP) hosting a large number of new authentication methods:

1. Traditional Smartcard Certificate Login via Kerberos (Active Directory required)
Any smartcard holding a certificate issued by the domain CA can be used as a two factor authentication token without even having to have or know a password. Obviously this works also via RDP

2. Smartcard Login via Credentials encrypted with the certificate of the Smartcard.
Basically Username, optional Domain and Password are encrypted with the certificate. This encrypted token is used to authenticate the user. Passwords can be chosen extremely long. The user just needs to remember the PIN of the Smartcard. Aloaha will then use the smartcard to decrypt the extreme long password to pass it to the machine for authentication.
This mode supports Active Directory but does NOT require it. It also works via RDP.
Since there are no requirements on the certificate this mode is suggested for e-Health Cards, ATM Cards, Company Cards, etc.

3. Credentials saved on a PKCS11 Token.
Even here the user can choose an extreme long password. He does not need to remember it since it is stored inside the PKCS11 token. The user only needs to type in the PIN of the token to enable Aloaha to read the extreme long password to pass it for authentication.
This mode supports Active Directory but does NOT require it.

4. Credentials saved on a plain memory card
In this mode it is possible to use very cheap i2c memory cards. Certificates or Active directory are not required since no RSA encryption is involved.
Passwords are NOT saved on the memory card but only a hash. This hash will be compared to the inputted passwords hash and only if they match a logon is granted. So even if someone manages to crack a password he would still need the matching card to get access to the machine.

5. Credentials saved on a plain USB Memory Stick or mobile phone.
This methods works similar to the PKCS11 mechanism BUT cannot be considered as secure as the methods 1-3. It will work ONLY at the console since RDP sessions are NOT supported. This mode is freeware and does not require any license.

6. Custom Plugins
The Aloaha Smartlogin supports custom plugins so that customer are able to create their own authentication mechanism.

The evaluation version can be download from http://www.aloaha.com/download/smartlogin.zip

Your evaluation key is: 8CAAEF6D4-C9D980551-03136DBC5-438EADB32-AC1567A23-2E1E2256E (two weeks from today)
More information can be found on http://www.aloaha.com/smartcard-software-en/aloaha-credential-provider.php and of course in our blog on http://blog.aloaha.com/category/aloaha-smartcard-software-en/aloaha-smart-login/

SecureSIM: Aloaha secureSIM

Some weeks ago we explained how to disable unwanted Credential Providers completly.

http://blog.aloaha.com/2012/08/20/how-to-hide-credential-providers-from-the-windows-logon-user-interface-using-windows-group-policy/

Aloaha Credential Provider Filter

In some cases Credential Providers should be hidden from the Logon User Interface BUT still usable from within the session. For example somone might not want to see the Username/Password Tile during logon but obviously still requires it when mounting a network drive or connecting via RDP to another machine. In those case you cannot hide/disable the providers via windows group policy but a Credential Provider Filter is required.

Aloaha Smartlogin comes with an integrated Credential Provider Filter to be able to hide Tiles from the Windows Logon Interface WITHOUT removing its functionality inside the session.

To activate the Aloaha Credential Provider Filter you need to open the file UserPass.ini in the installation folder. In the section CredentialProviders you can configure different filter for different provider. To enable a filter please set it to 1. Below the section to disable ALL non Aloaha Provider:

[CredentialProviders]
25CBB996-92ED-457e-B28C-4774084BD562=1
3dd6bec0-8193-4ffe-ae25-e08e39ea4063=1
503739d0-4c5e-4cfd-b3ba-d881334f0df2=1
6f45dc1e-5384-457a-bc13-2cd81b0d28ed=1
8bf9a910-a8ff-457f-999f-a5ca10b4a885=1
94596c7e-3744-41ce-893e-bbf09122f76a=1
AC3AC249-E820-4343-A65B-377AC634DC09=1
e74e57b0-6c6d-44d5-9cda-fb2df5ed7435=1
F8A0B131-5F68-486c-8040-7E8FC3C85BB6=1

Die neue deutsche Gesundheitskarte eGK enthaelt Datensaetze, die von vielen Besitzern eingesehen werden moechten. Dieses ist mit dem Aloaha Cardconnector ganz einfach moeglich. Sie brauchen nur den Aloaha Smartcard Connector von http://www.aloaha.com/download/cardconnector.zip installieren und dann die Datei HealthDataTest.exe aus dem Installationsordner starten. Normalerweise der Ordner Wrocklage im “Programme Ordner”

Natuerlich koennen nicht nur die neuen eGKs betrachtet werden sondern auch die alten KVKs!

Eine Lizenz wird fuer das betrachten der Datensaetze NICHT benoetigt! Eine Lizenz wird nur dann erfordert wenn man das Schluesselmaterial der innovativen Karte fuer die Signierung oder Verschluesselung benutzen moechte.

Many customers are asking if we know any website they can use to test and check website logon via Smartcard or certificate. To make it easier for those customers we configured a test page on https://card.aloaha.com/CertAuth

Please note that that site might generate a warning in your browser since the root certifcate of the page is not issued by a trusted root. You can ignore this warning since this is purely a test page without any content.

Also note that revocation checks are disabled via HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443\DefaultSslCertCheckMode=1

Nevertheless it might be required that we import the root certificate of your smartcard certificate into the machine store. So should you not be able to logon to our test website please send your root (and if required also your intermediate) certificate as a zipped .cer file to info@aloaha.com

If you do not have a Middleware (CSP/PKCS11) for you smartcard yet please have a look at the Aloaha Cardconnnector. Currently it supports more than 45 different cards!

The download link is: http://www.aloaha.com/download/cardconnector.zip

The new Aloaha Smartlogin has been released today. It can be downloaded from http://www.aloaha.com/download/smartlogin.zip

Evaluation Keys can be requested from info@aloaha.com

Aloaha Smart Login

Our new version supports a broad range of Logon Token:

• Plain USB Memory Stick. Username/Password is saved encrypted on any plain USB Memory Token. This feature is currently freeware and does not require any domain.
  http://blog.aloaha.com/2012/08/12/use-plain-usb-memory-stick-as-windows-logon-token/
  video: http://blog.aloaha.com/2012/07/25/windows-logon-with-plain-usb-memory-stick/ 
• I2C Memory Card. Username and Password are written encrypted to the Memory Card. This mode does NOT require any domain or middleware installed and furthermore i2c cards are very cheap!
• PKCS#11 Token. The Username and Password can be saved in a protected field on your PIN protected PKCS #11 Smartcard or Token. The machine is not required to be member of any domain!
  http://blog.aloaha.com/2012/08/12/how-do-i-save-my-logon-credentials-to-a-pkcs11-token/
  video: http://blog.aloaha.com/2012/07/26/windows-logon-via-credentials-saved-encrypted-on-pkcs-11-token/
• Any Smartcard natively supported by Windows or 3rd party middleware. We call this also Encrytion Token since Username and Password will be encrypted with the certificate on the card but saved locally (or on a share/URL) as encypted softtoken. To logon the user needs the PIN, the smartcard and the softtoken has to be reachable. This methods works without any domain controller!
  http://blog.aloaha.com/2012/08/13/what-are-softtoken-in-aloaha-smartlogin/ 
  video: http://blog.aloaha.com/2012/07/28/windows-logon-via-any-smartcard/ 
• PKI/Kerberos Logon with Windows or 3rd Party supported smartcard as above but in this new mode NO Username or Password is being saved anywhere. The logon is a pure Kerberos Logon. That implies also that a Domain Controller and a Domain Certificate is required!
  video: http://blog.aloaha.com/2012/07/29/windows-logon-via-any-smartcard-and-kerberos/

Requirements

1. Windows XP 32 bit
2. Windows Vista or higher (32 and 64 bit)
3. “Smart Card” Service running (SCardSvr)
4. .NET 3.5 or higher installed
5. Logon Token. For example USB Memory Key, Smartcard, Memorycard, Mobile.

Special Features:

Licensing

• The use of Plain USB Stick token is freeware
• For licensed user of the Aloaha Middleware (Aloaha Cardconnector) Smartlogin is freeware
• Licenses for Smartlogin can be purchased on http://www.aloaha.com/shop-en/aloaha-smart-login.php

Some settings in <installdir>UserPass.ini are essential to control the look and feel and behavior of the Credential Tiles and/or the GINA.

[Generic]

Enable/Disable Username Field in Credential Provider Tile or Gina
One value should be always 1 and one value 0
DisableUserName=1
EnableUserName=0

AllowUP controls wether the Aloaha Service should enable or disable other credential tiles. AllowUP=0 disables ALL other credential tiles! If you want to use group policies please have a look at: http://blog.aloaha.com/2012/08/20/how-to-hide-credential-providers-from-the-windows-logon-user-interface-using-windows-group-policy/
AllowUP=1

The Kerberos Section defines which Smartcards are considered as PKI/Kerberos Cards
If the value the Middleware Name or Smartcard Name is 1 the Smartcard is not considered as Encryption Token but als pure PKI Card!
The value 1 should NEVER be used in stand alone machines but ONLY in domain machines!

[Kerberos]
aloaha_3BDB18FFC080B1FE751F035A43372E352052455620416F=1
Aloaha Cryptographic Provider=1
Datakey M 330=1
eToken Base Cryptographic Provider=1