Simple Secure Identity Management

Verv IAM

Sign-in note: if your account has the 'VPN required' option turned on, you must be connected to the Verv IAM VPN before signing in, and the VPN connection must have been established within the last 4 hours.

User Guide

See also: "Zero Trust and Identity-as-a-Service", a Cloud Security Alliance (CSA) conference presentation.

Help Topics: Configure Verv IAM VPN, Register Endpoints, Typical Use Cases, Credentials, Identity as a Service, Encryption

VPN Configuration

Verv IAM VPN protects sign in by applications, devices and people so that account private data is not exposed on the internet: account credentials are only ever submitted over the client VPN tunnel.
If the 'VPN required' option is active, a live VPN connection is a prerequisite for signing in to the Verv IAM Portal. Whether or not the VPN is required, a portal sign in expires after 24 hours, so you sign in at least daily.

    1. Your VPN username is your AccountID@verviam.directory.com, e.g. VP1234567890@verviam.directory.com. Copy and save your VPN password;
        it is shown under Register Verv IAM End Users/Endpoints.
    2. Save the VPN username and VPN password in a text file, e.g. login.txt, with the username on the first line and the password on the second line:
                VP1234567890@verviam.directory.com
                YourVPNPassword
        This file holds the password in clear text, so restrict it to your own user account (chmod 600 on Linux/macOS; on Windows remove other users from the file's ACL).
    3. Download and install an OpenVPN-compatible client for your device operating system, e.g. the AWS OpenVPN Client version 3 or the OpenVPN Community Client.
    4. Download and save your VerviamVPN.ovpn configuration file. This is the configuration file your VPN client reads.
    5. Add the line auth-user-pass "c:\\your-vpn-config-directory\\login.txt" to the Verv IAM VPN config file. Inside a config file the directive is written without the leading "--" of the command-line form, and on Windows each backslash in the quoted path must be doubled.
    6. Download and save your VPN client certificate, e.g. "c:\\my-config-directory\\client1.domain.tld.crt".
    7. Add the line cert "c:\\my-config-directory\\client1.domain.tld.crt" to the config file (double backslashes on Windows, as above).
    8. Download and save your VPN client key, e.g. "c:\\my-config-directory\\client1.domain.tld.key", and protect it like login.txt: it is the private key that identifies your device.
    9. Add the line key "c:\\my-config-directory\\client1.domain.tld.key" to the config file (double backslashes on Windows, as above).
    10. Configure the VPN client to use your saved Verv IAM VPN configuration file, VerviamVPN.ovpn.
    11. Connect to the VPN. If you have chosen to require the VPN, you must be connected before you can sign in to the Configure Users, Account Profile and Portal pages.


Endpoint Registration

     Register your destination endpoints (the URL in the form your application expects) as follows:

    1. Enter your account number, plus the password and PIN you provided when you set up the account.
    2. Look for an email containing an MFA code.
    3. Enter the code into the MFA field in the browser.
    4. Enter a name for your endpoint REST service.
    5. Select the credentials type and encryption option for each REST service endpoint.
    6. Enter the details for each endpoint, including optional parameters, tags and personal identity details.
    7. Press the "Send Request" button when the form is complete. You can return to the registration configuration to edit the values at any time.
    8. The connection details are returned to the browser as a JWS token, signed with your private key.
    9. Sign in to the Verv IAM Portal to access your REST services, or copy the connection details and use them in e.g. a browser application.

Typical use cases

REST Services are generated with optional parameters, tags and scope. Each service is issued an identity token, a JWT that is validated at the Verv IAM Access Gateway.
Tokens can be rotated automatically every day. Credentials and parameters can be forwarded encrypted or decrypted, as required.

     - For a personal sign in, the credential can be a user ID and password, or a signed JWT.
     - For smart devices, it can be a device ID and secret, or a signed JWT.
     - For applications, it can be a client ID and client secret.
     - When the endpoint is a complete connection string, the credentials can be embedded in the string.
     - For all end user types, the secret value can be a token in whatever format your endpoint expects.

Verv IAM provides the following credentials forwarding options for each REST service:
- Secret ID/Secret Value pair, e.g. a user ID and password
- Connection URL, e.g. a database or device connection string
- JWT URL, e.g. a signed JWT carrying access scopes

To create an account:

    1. Go to Create a Verv IAM Account.
    2. Provide a name, email, PIN and password, plus the other mandatory details.
    3. Follow the on-screen instructions to complete the account set up, then look for a welcome email with further instructions.

Credential Types

A Verv IAM signed JWT token protects your data from the browser origin to the Verv IAM Access Gateway. Verv IAM recommends encrypting all secret data. For each destination endpoint request, the appropriate credentials type is selected, and the gateway forwards the request in one of these forms:

     - Secret ID/Secret Value pair: https://endpointURL?ID=yoursecretID&secretValue=yoursecretValue&tags=yourtags (the Secret ID/Value pair and the tags are optionally encrypted)
     - Connection string: https://endpointURL?parameters=yourparameters&tags=yourtags (the connection string parameters and the tags are optionally encrypted)
     - Signed JWT: https://endpointURL?JWT=header.payload.signature&tags=yourtags (the token is signed; the tags are optionally encrypted)

Because these values travel in the query string they must be URL-encoded, and any endpoint that logs full request URLs will record them; the encrypted forwarding option keeps such logged values unreadable without the account secret key.

Each account is issued its own protected keys (endpoint public and private keypairs, and an account secret key). All data is encrypted in transit to and from your browser over the internet and stored field-encrypted in an encrypted data store. From the Verv IAM Access Gateway, credentials can be forwarded encrypted or decrypted, as required.

Identity as a Service:

Identity as a Service provides a signed JWT token for use with your application sign in. The token is exchanged for the application credentials at the Verv IAM Access Gateway. Configure your sign in details in the Registration module: for each user, enter the connection details, the URL of the endpoint, and optional scope information, parameters and attribute tags that your endpoint can use to authorize access to particular applications. An endpoint may also be a complete connection string including credentials (e.g. a server endpoint URL plus authentication, or a database URL plus credentials). You can view and edit your endpoint configuration details at any time.

Verv IAM tokens are exchanged for destination endpoint connection details:

For each destination endpoint, Verv IAM provides a REST service and a unique endpoint JWT token. The token is validated at the Verv IAM Access Gateway, which exchanges it for the private endpoint credentials and forwards the request to the configured destination endpoint, with the credentials encrypted if so configured.

Account private endpoint details are only accessed at runtime:

Requests to the Verv IAM gateway carry signed JWT tokens. They are validated and then forwarded as REST calls from the Verv IAM Access Gateway to the configured destination endpoint. Tokens are signed with the account secret key, which is itself protected by encryption with the account public/private RSA keypair, both in transit and at rest in the database. Endpoint secrets, parameters, scopes and tags are encrypted with the account secret key; on the destination server, first recover the secret key from its RSA-encrypted form with the account private key (using the Node.js RSA library or any equivalent, e.g. a Java RSA library), then decrypt the fields with it. See Verv IAM Encryption below.

Parameters can be forwarded encrypted or decrypted.

Depending on your use case (e.g. a database connection, or a REST service to a backend system), the credentials can be decrypted at the Verv IAM Access Gateway before forwarding, or you can elect to forward the JWS token with its payload still encrypted and use your private key at your endpoint to decrypt the payload before passing the request on to the destination system.

All account information is encrypted in process, in transit and at rest.

All account data is encrypted in the browser, transported across the internet encrypted, and stored encrypted. This covers not only private personal data such as name, email, PINs and passwords, but also private technical data such as endpoints, parameters, connection URLs, tags and scopes. The only person who ever sees the technical and personal private data (PII) in clear text is the person who entered the details in the browser. Multi-Factor Authentication (MFA) is required by default for updating account profile and configuration details.

Verv IAM Access Gateway

After the endpoint JWS token is successfully validated, the private endpoint details are read by the Verv IAM Access Gateway, and each connection request is forwarded to the appropriate destination endpoint with the configured endpoint parameters. Registration encryption options can be reconfigured at any time. Parameters forwarded encrypted must be decrypted on the destination server with the account secret key.

Verv IAM Encryption

Strong encryption and key rotation

Each account has a unique secret key for use with the AES encryption algorithm. That secret key is protected by PKI encryption and stored field-level encrypted in an encrypted database: it is wrapped with an RSA public/private keypair with a key size of 2048 bits, held in a Key Vault. Keys can be rotated on demand. Verv IAM generates a JWS (signed JWT) for each endpoint, and the Verv IAM Access Gateway verifies the signature over the token's header and payload before acting on it. The token is used for identity validation of requests from all types of end user: browser requests, applications and devices.

    - For the encrypted credentials option, the account Secret Key is used to encrypt credential parameters and tags.
    - For security reasons the Secret Key is only ever provided in encrypted (RSA-wrapped) form as part of the credentials forwarding REST service.
    - Use the account Private Key to decrypt and validate the account Secret Key, ensuring the integrity of your REST service.
    - The Secret Key is the key input to the Crypto-JS AES algorithm used to encrypt account parameters; the same key decrypts them.
    - The account RSA public/private keypair is used to protect your Secret Key.

Crypto-JS encryption/decryption algorithm

All data is encrypted and decrypted in the browser with the CryptoJS JavaScript library, and the server uses the equivalent Node.js CryptoJS library to decrypt and immediately re-encrypt the data with the account Secret Key before storage. The snippet used for browser encryption/decryption of all account data is as follows (the original had a missing closing parenthesis in the decrypt call and read from an undefined bytes2 variable; both are corrected here):
    // Passing a string key selects CryptoJS's OpenSSL-compatible passphrase mode:
    // random salt, key derived from the passphrase, AES-256-CBC, PKCS#7 padding.
    var encryptedData = CryptoJS.AES.encrypt(accountData, ephemeralKey);
    var encryptedString = encryptedData.toString();    // base64 beginning with "U2FsdGVkX1" ("Salted__")
    // Decrypt with the same passphrase; a wrong key gives an empty string or a malformed UTF-8 error
    var bytes = CryptoJS.AES.decrypt(encryptedString, ephemeralKey);
    var plaintext = bytes.toString(CryptoJS.enc.Utf8);

Use the decryption snippet at your endpoint. Note that this passphrase mode derives the AES key from the string with MD5 (OpenSSL's EVP_BytesToKey) and that CBC mode carries no integrity check, so decryption alone does not detect a modified ciphertext; do not rely on it for tamper detection.

RSA key pair encryption algorithm

The account secret key is encrypted with the account RSA public/private key pair. The Node-RSA snippet used for key generation and encryption is as follows:
    const NodeRSA = require('node-rsa');
    // generate a 2048-bit RSA key pair with public exponent 65537
    const keypair = new NodeRSA();
    keypair.generateKeyPair(2048, 65537);
    var publicKey = keypair.exportKey('pkcs8-public-pem');    // "BEGIN PUBLIC KEY" (SPKI) PEM
    var privateKey = keypair.exportKey('pkcs8-private-pem');  // "BEGIN PRIVATE KEY" PEM, kept in the Key Vault
    // wrap the secret key bytes with the public key (Node-RSA default scheme: PKCS#1 OAEP)
    var encryptBuffer = Buffer.from(secretKey);
    var encryptKey = keypair.encrypt(encryptBuffer);          // returns a Buffer
    var encryptedKey = encryptKey.toString('base64');
The snippet for decryption with the private key using the Node-RSA library is as follows:
    // a string input is read as base64; 'utf8' returns the recovered secret key as text
    var decryptedKey = keypair.decrypt(encryptedKey, 'utf8');
Java can be used for decryption, but the Java implementation has to match the Node-RSA options: keypair.generateKeyPair([bits], [exp]) with the default values bits = 2048 (key size in bits) and exp = 65537 (public exponent), and the same padding scheme. Node-RSA's default encryptionScheme is 'pkcs1_oaep' (PKCS#1 OAEP with SHA-1), so the Java side must use an OAEP cipher with the same hash rather than plain PKCS#1 v1.5 padding.