Simple Secure Identity Management

Cloud IDaaS for Internet End Users, Applications and Devices

User Guide


Verviam provides the following credentials forwarding options for each REST service:
- Secret ID/Secret Value pair e.g. UserID and Password
- Connection URL e.g. database or device connection string
- JWT URL e.g. signed JWT with access scopes

Verviam Presentation at Cloud Security Alliance APAC Summit 2020    Zero Trust, Identity as a Service and Software Defined Perimeter

Typical use cases

Each registered REST service is generated with optional parameters, tags and scope, and is issued a signed JWT that is validated at the Verviam Access Gateway.
Credentials and parameters can be forwarded encrypted or decrypted, as required.

     - for a personal sign-in, this can be a user ID and password or a signed JWT
     - for smart devices, this can be a device ID and secret or a signed JWT
     - for applications, this can be a client ID and client secret
     - when the endpoint is a complete connection string, the credentials can be embedded in the string
     - for all end user types, the secret value can be a token in the format expected by your endpoint

Create a Verviam Account

    1. Go to Create a Verviam Account.
    2. Provide a name, email, PIN, password and the other mandatory details.
    3. Follow the on-screen instructions to complete the account set-up, and look for a welcome email with further instructions.

Endpoint Registration

     Register your destination endpoints (the URL in the form that your application expects) as follows:

    1. Enter your account number, plus the password and PIN you provided when you set up the account.
    2. Look for an email with an MFA code.
    3. Enter the code into the browser MFA field.
    4. Enter a name for your endpoint REST service.
    5. Select credentials type and encryption option for each REST service endpoint.
    6. Enter details for each endpoint, including optional parameters, tags and personal identity details.
    7. Press the "Send Request" button when the form is completed. You can access registration configuration to edit the values at any time.
    8. Connection details are returned to the browser as a JWS token, signed with your account key.
    9. Copy the connection details and call them as a REST service, e.g. from a browser application.

Credential Types

A Verviam signed JWT protects your data from the browser origin to the Verviam Access Gateway. Verviam recommends encrypting all secret data. For each destination endpoint request, the appropriate credentials type is selected:

     - Secret ID/Secret Value pair: https://endpointURL?ID=yoursecretID&secretValue=yoursecretValue&tags=yourtags (the Secret ID/Value pair and tags are optionally encrypted)
     - Connection string: https://endpointURL?parameters=yourparameters&tags=yourtags (the connection string parameters and tags are optionally encrypted)
     - Signed JWT: https://endpointURL?JWT=header.payload.signature&tags=yourtags (the token is signed, the tags are optionally encrypted)

Because these values travel in the query string, which web servers and proxies commonly write to access logs, use the encrypted option for any field that holds a secret.

Each account is issued its own protected secret keys: an endpoint public/private keypair and an account secret key. All data is encrypted in transit to and from your browser over the internet, and is stored field-encrypted in an encrypted data store. From the Verviam Access Gateway, credentials can be forwarded encrypted or decrypted, as required.

Identity as a Service

Identity as a Service provides a signed JWT for use with your application sign-in. The token is exchanged for the application credentials at the Verviam Access Gateway. Configure your sign-in details from the Registration module: enter the connection details for each user, the URL of the endpoint, plus optional scope information, parameters and attribute tags that your endpoint can use to authorize access to particular applications. An endpoint may also be a complete connection string including credentials (e.g. a server endpoint URL plus authentication, or a database URL plus credentials). You can access and edit your endpoint configuration details at any time.

Verviam tokens are exchanged for destination endpoint connection details

For each destination endpoint, Verviam provides a REST service and a unique endpoint JWT that is validated at the Verviam Access Gateway, where the token is exchanged for the private endpoint credentials before the request is forwarded to the configured destination endpoint, encrypted as required.

Account private endpoint details are only accessed at runtime

Connections to the Verviam gateway carry signed JWT tokens. They are validated and then forwarded as REST calls from the Verviam Access Gateway to the configured destination endpoint. Tokens are signed with the account secret key, which is itself protected by encryption under the account public/private RSA keypair, both in transit and at rest in the database. Endpoint secrets, parameters, scopes and tags are encrypted with the account secret key; the secret key is delivered RSA-encrypted and is recovered on the destination server with the account private key, using the Node.js RSA library or any equivalent (e.g. a Java RSA implementation). See Verviam Encryption Information.

Parameters can be sent encrypted or decrypted

Depending on your use case (e.g. a database connection, or a REST service to a backend system), the token can be decrypted at the Verviam Access Gateway, or you can elect to forward the JWS token to your endpoint and use your private key to decrypt the payload before forwarding the request to its destination system.

All account information is encrypted in process, in transit and at rest.

All account data is encrypted in the browser, transported across the internet encrypted, and stored encrypted: not only private personal data such as name, email, PINs and passwords, but also private technical data such as endpoints, parameters, connection URLs, tags and scopes. The only person who ever sees the technical and personal private data (PII) is the person who entered the details in the browser. Multi-Factor Authentication (MFA) is required by default for updating account profile and configuration details.

Verviam Access Gateway

After the endpoint JWS token is successfully validated, the private endpoint details are read by the Verviam Access Gateway, and each connection request is forwarded to the appropriate destination endpoint with the configured endpoint parameters. Registration encryption options can be reconfigured at any time. Encrypted parameters must be decrypted on the destination server with the account secret key.

Verviam Encryption

Strong encryption and key rotation

Each account has a unique secret key for use with the AES encryption algorithm. The secret key is protected by PKI encryption and stored field-level encrypted in an encrypted database: it is encrypted under an RSA public/private keypair with a key size of 2048 bits, stored in a Key Vault. Keys can be rotated on demand. Verviam generates a JWS (signed JWT) for each endpoint, whose signature is verified at the Verviam Access Gateway. The token is used for identity validation of requests from all types of end users: browsers, applications and devices.

    - For the encrypted credentials option, the account Secret Key is used to encrypt credential parameters and tags.
    - For security reasons it is only provided in encrypted form as part of the credentials forwarding REST service.
    - Use the account Private Key to decrypt the account secret key and validate it, ensuring the integrity of your REST service.
    - The secret key is the key input to the CryptoJS AES algorithm used to encrypt account parameters; the same key decrypts them.
    - The account RSA public/private keypair is used to protect your secret key.

Crypto-JS encryption/decryption algorithm

All data is encrypted and decrypted in the browser using JavaScript; the equivalent Node.js Crypto-JS library is used on the server to decrypt and immediately re-encrypt with the account Secret Key prior to storage. The snippet used for browser encryption/decryption of ALL account data is as follows (in this passphrase form CryptoJS derives the AES key and IV from the key string and a random salt):
    var CryptoJS = require('crypto-js'); // Node only; the browser loads CryptoJS as a script
    var accountData = 'data to protect';  // example input
    var ephemeralKey = 'passphrase';      // example passphrase string
    var encryptedData = CryptoJS.AES.encrypt(accountData, ephemeralKey);
    var encryptedString = encryptedData.toString(); // base64, OpenSSL "Salted__" format
    var bytes = CryptoJS.AES.decrypt(encryptedString, ephemeralKey);
    var plaintext = bytes.toString(CryptoJS.enc.Utf8);

Use the decryption snippet at your endpoint.

RSA key pair encryption algorithm

The account secret key is encrypted with the RSA public/private keypair. The Node-RSA library snippet used for key generation and encryption is as follows:
    const NodeRSA = require('node-rsa');
    const keypair = new NodeRSA();
    keypair.generateKeyPair(2048, 65537);           // defaults: 2048-bit modulus, public exponent 65537
    var publicKey = keypair.exportKey('pkcs8-public-pem');
    var privateKey = keypair.exportKey('pkcs8-private-pem');
    var secretKey = 'account-secret-key';            // example value: the AES secret key being protected
    var encryptBuffer = Buffer.from(secretKey);
    var encryptKey = keypair.encrypt(encryptBuffer); // RSAES-OAEP (Node-RSA default) under the public key
    var encryptedKey = encryptKey.toString('base64');
The code snippet for decryption using the Node.js RSA algorithm is as follows:
    var decryptedKey = keypair.decrypt(encryptedKey, 'utf8'); // accepts the base64 string; the private key must be loaded
Java can be used for decryption; however, the Java implementation has to match the Node-RSA options. keypair.generateKeyPair([bits], [exp]) is called with its default values: bits (key size in bits) 2048, and exp (public exponent) 65537. Node-RSA's default encryptionScheme is pkcs1_oaep (RSAES-OAEP with SHA-1 and MGF1-SHA-1), so the Java Cipher must be created with the same padding, e.g. "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"; a different hash or padding scheme makes the decryption fail rather than return the key.