Defeating the “Man in the Middle”, mobile SignCode to the rescue.
Right from the inception of the KerPass system, we considered “transaction validation” to be part of our roadmap. We took some time to develop a portable digital signature system based on elliptic curve cryptography and, in addition to it, proposed something we call “Password Signature”: a digital signature that you can use like a password. We received comments that the usability of our initial “Password Signature” system could be improved; the main reported drawback was the need to manually input the message to be signed. In the meantime it also appeared valuable to let the “Password Signature” benefit from the progress made on both our mobile digital signature system (automated document transfer) and the KerPass one time password system. Our new SignCode system integrates these advances and offers a practical way to counter “Man in the Middle” attacks on browser-delivered web applications.
SignCode at work
A SignCode is a type of “one time password” that also depends on the content of a specific transaction. A SignCode lets a web application verify that a given user agreed to a given transaction at a given time. Let’s see how a user interacting with a web application can use a mobile phone to reliably deliver that agreement.
Transaction initiation
This step is not detailed here; it typically happens on the web while interacting with one of your favorite applications. Let’s say that the requested transaction is a payment (everybody these days appears to be chasing payment security…). The web application calls the KerPass grid and forwards a message summarizing the transaction.
Phone message retrieval
Before the transaction summary is transferred to the KerPass grid, the web application has authenticated the phone bearer. The KerPass grid responds to the web application with a message key. The end user enters that key into his phone, which results in phone/grid mutual authentication and, if KerPass recognizes the phone as the intended recipient, delivery of the transaction summary.
On phone transaction review
The message is now on the phone for secure review by the end user. The system offers some interesting guarantees:
On phone approval
This is it: the end user has made up his mind. He chooses whether to approve or reject the submitted message.
On phone SignCode
The SignCode is computed from a secret key, the reviewed message, the chosen decision (approve or reject) and the current time. It is valid for at most 5 minutes. The user uses it like a password and enters it into the web application.
A man in the middle and your SignCode
“Man in the Middle” attacks are currently an unsolved problem for in-browser web applications. The well known “Phishing” attack is a type of “Man in the Middle”. For more information the interested reader may read this post.
SignCodes do not prevent “MITM” attacks from taking place; they do, however, make them unprofitable: once a SignCode has been captured, it can only be used for the one transaction, decision and time window that the end user bound it to. This holds as long as the verifying server recomputes the code over exactly the transaction it is about to execute, and the summary the user reviews carries every field an attacker would want to alter (payee, amount, and so on). Public key digital signatures may be a stronger tool for this purpose, but they are more complicated and costly to integrate. The SignCode, a close relative of the well known password, is the simplest thing that can possibly help in addressing the security risk associated with “MITM” attacks. A KerPass-extended mobile phone delivers them easily.
The maths behind SignCode
SignCodes are really a variation on the well known idea of the one time password. For more on one time passwords you may refer to this post.
Some possible algorithms for delivering SignCodes are described here.
KerPass delivers time-synchronous SignCodes for enhanced security.