Google apps will be protected by Arcot software smartcard
We are following carefully what is going on in this area for obvious reasons, so the news that Arcot technology was selected to optionally deliver strong authentication to business customers accessing Google Apps is certainly something to watch.
How does it work?
The Arcot solution consists primarily of an in-browser Flash client application which takes the place of the standard login/password form. The Flash application lets the end user enter a password in the same way as in a “normal” web application, but instead of forwarding that password to the server hosting the web app, it is used on the client machine to decrypt an RSA private key, which is then used to sign a challenge; the signature serves as proof of the end user's identity.
The file holding the private key is stored in a Flash shared object, so the system is normally resistant to phishing: code not originating from the same domain as the one that issued the application which stored the key will never be in a position to make use of it. Unless there is something we have missed, we doubt however that such a system provides meaningful resistance against other types of man-in-the-middle attack, since after DNS hijacking mobile code will probably have full access to the key. The browser's end-user warning panel in case of a certificate problem provides very brittle protection in such circumstances.
Software smart card
Arcot has probably coined the term “software smartcard”; their realisation provides some improvement over PKCS #5 password encryption of the private key file. This approach has some drawbacks, mainly that the public key is no longer public, since it can help in recovering the private key value, and that loss of the password probably necessitates changing the private key.
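To make the two preceding points concrete (a password that decrypts a locally stored private key, which then signs a server challenge, and a wrapped key file that gives no hint on its own whether a password was right, so that only the public key can confirm a guess), here is an added illustration in Python. It is not Arcot's code and not part of the original post; the RSA parameters are a deliberately tiny toy built from two Mersenne primes, the key wrapping is a simple PBKDF2-derived keystream XOR with no integrity tag (mirroring the property that every password yields some candidate key), and all names, the salt and the challenge are constructed for the example.

```python
import hashlib
import hmac

# Toy RSA parameters (constructed from Mersenne primes; far too small for real use).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                    # ~92-bit modulus, fits in 12 bytes
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)
KEY_BYTES = 12


def derive_wrap_key(password: str, salt: bytes) -> bytes:
    """PKCS #5-style password-based key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def _keystream(wrap_key: bytes, length: int) -> bytes:
    # Deterministic keystream derived from the wrap key; hypothetical toy construction.
    return hmac.new(wrap_key, b"private-key-wrap", "sha256").digest()[:length]


def wrap_private_key(d: int, password: str, salt: bytes) -> bytes:
    """Encrypt the private exponent under the password. No authentication tag:
    a wrong password decrypts to a different, plausible-looking exponent."""
    d_bytes = d.to_bytes(KEY_BYTES, "big")
    ks = _keystream(derive_wrap_key(password, salt), KEY_BYTES)
    return bytes(a ^ b for a, b in zip(d_bytes, ks))


def unwrap_private_key(blob: bytes, password: str, salt: bytes) -> int:
    """Decrypt the stored blob with whatever password the user typed."""
    ks = _keystream(derive_wrap_key(password, salt), len(blob))
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, ks)), "big")


def _challenge_to_int(challenge: bytes) -> int:
    # Hash the server challenge and truncate to 64 bits so the value is below N.
    return int.from_bytes(hashlib.sha256(challenge).digest()[:8], "big")


def sign_challenge(d: int, challenge: bytes) -> int:
    """Client side: sign the challenge with the (candidate) private exponent."""
    return pow(_challenge_to_int(challenge), d, N)


def verify_signature(signature: int, challenge: bytes) -> bool:
    """Server side: the public key (E, N) is the only thing that can tell a
    correct password from a wrong one, which is why this design must keep it secret."""
    return pow(signature, E, N) == _challenge_to_int(challenge)


def login_round_trip(password: str, stored_blob: bytes, salt: bytes, challenge: bytes) -> bool:
    """Full exchange: unwrap with the typed password, sign, and let the server verify."""
    d_candidate = unwrap_private_key(stored_blob, password, salt)
    return verify_signature(sign_challenge(d_candidate, challenge), challenge)


if __name__ == "__main__":
    salt = b"constructed-salt"            # constructed sample value
    blob = wrap_private_key(D, "correct horse", salt)
    challenge = b"server-nonce-0001"      # constructed sample challenge
    print("correct password accepted:", login_round_trip("correct horse", blob, salt, challenge))
    print("wrong password accepted:  ", login_round_trip("wrong guess", blob, salt, challenge))
```

Note that `unwrap_private_key` never fails: a wrong password simply yields a different exponent, and nothing in the stored file reveals that. The only check that distinguishes the two is `verify_signature`, i.e. the public key, which is exactly why the post observes that the public key stops being public in this scheme.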
The solution is elegant in its attempt to depend only on widely available browser technology and in leveraging the same-origin policy to at least prevent phishing. Expect more from us on this front.