Universal security token, pictures…

Some pictures of the upcoming mobile universal security token, together with related user stories. For our fellow mobile application developers: during development we try to test on real devices as early as possible, and we use a low-end device for this. This lets us address real-world issues more efficiently, as simulators generally do not match real device performance well.
Photographing a phone display is a pain; fortunately we found a helpful girl who knows…

First start:

[Picture: Connection test on Nokia 3220]
As the token requires network access, we first check that the device connection has been correctly parametrized. We found good inspiration for this by looking at Opera Mini.
If only mobile operators were trying to help here by documenting clearly the settings for their APN on a per device basis.

Main Display:

[Picture: Accounts list on Nokia 3220]
It shows the accounts currently in the device. Two types of accounts can be registered: static (login, password) and token. All data is stored encrypted inside the device.
The token provides authentication using time-synchronous one-time passwords, and transaction validation using password signatures and ECDSA electronic signatures…

Token registration:

[Picture: Token registration on Nokia 3220]
We use the same principles as in the current version of the KerPass system. A set of registration secrets is transmitted to a designated end user. The end user enters these registration keys into the phone, and from there the registration procedure (authenticated Diffie-Hellman) is executed to securely establish the long-term token parameters…
Not shown here, but fundamental to the safe operation of the system, is a portable secure random generator that collects entropy from available sources…

Token resynchronization:

[Picture: Resynchronization in progress on Nokia 3220]
As the end user may change the time of the device, a command allows resynchronization across the network. Token parameters are completely changed at this time, increasing the overall security.

One time password generation:

[Picture: New one-time password on Nokia 3220]
The basic principle of two-factor authentication applies. The end user first enters a local password in the device; this password allows the stored token parameters to be decrypted. A new password can be generated every 30 seconds…

Password signature generation:

[Picture: Text to confirm entered prior to password signature generation…]
This is a time-synchronous one-time password that also depends on a “text to confirm” manually entered in the phone by the end user. The end user experience is not unlike those SMS payment systems; it is just that here transaction validation and authentication are addressed correctly…
See here for details on how this is used in external web applications.
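A sketch of how a password signature can bind the "text to confirm" to a 30-second time step. This is an added example, not KerPass code: the page does not describe the actual algorithm, so HMAC-SHA256 with RFC 4226-style truncation is swapped in, and the key, function names, 8-digit length and one-step drift window are all assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds; the page states a new password every 30 seconds


def _truncate(mac: bytes, digits: int = 8) -> str:
    # RFC 4226 dynamic truncation: 31 bits taken at an offset set by the last nibble.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp(key: bytes, now: float) -> str:
    """Authentication only: depends on the shared key and the time step."""
    counter = struct.pack(">Q", int(now) // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha256).digest())


def password_signature(key: bytes, text: str, now: float) -> str:
    """Transaction validation: also depends on the text the user typed."""
    counter = struct.pack(">Q", int(now) // STEP)
    # The prefix keeps signature inputs distinct from plain OTP inputs.
    msg = b"sign\x00" + counter + text.encode("utf-8")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def verify_signature(key: bytes, text: str, candidate: str,
                     now: float, window: int = 1) -> bool:
    """Server side: accept +/- `window` steps of clock drift, constant-time compare."""
    ok = False
    for drift in range(-window, window + 1):
        expected = password_signature(key, text, now + drift * STEP)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    key = bytes(range(32))        # constructed sample key, not a real secret
    t = 1_000_000_000             # constructed timestamp
    sig = password_signature(key, "pay 25 EUR to ACME", t)
    print("OTP:", otp(key, t), "signature:", sig)
    print("same text:", verify_signature(key, "pay 25 EUR to ACME", sig, t + 20))
    print("altered text:", verify_signature(key, "pay 9925 EUR to ACME", sig, t + 20))
```

A code captured for one transaction text fails verification for any other text, and it expires once the drift window has passed.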

ECDSA signature generation:

[Picture: Device after reception of text to sign]
At registration time the device generated a public/private key pair that is used for on-device electronic signature generation. The full user story is detailed here.
Not shown here, but fundamental to the safe operation of the ECDSA electronic signature, is a portable secure random generator that collects entropy from available sources…
