Archive for the ‘crypto’ Category
Meet us at e-Smart 2008
KerPass will give a presentation at the e-Smart conference on the 18th of September 2008. We will present advanced solutions for delivering reliable software tokens on networked devices.
Defeating the “Man in the Middle”, mobile SignCode to the rescue.
Right from the inception of the KerPass system, we considered “transaction validation” to be part of our roadmap. We took some time to develop a portable digital signature system based on elliptic curve cryptography and, in addition to it, proposed something we call “Password signature”, which is a digital signature that you can use like a password.
Google apps will be protected by Arcot software smartcard
We are carefully following what is going on in this area, for obvious reasons, so the news that Arcot technology was selected to optionally deliver strong authentication to business customers accessing Google Apps is certainly something to watch.
The mobile phone as a token container, can we trust storage?
One question KerPass often receives is how safe it is to use a phone to store a software token. A mobile token like the one that is part of the KerPass UST system requires storing several cryptographic keys. Security specialists generally consider that software tokens are not reliable because nearby malicious software can read and duplicate the private information they contain. Common sense certainly suggests that a secure storage system (e.g. a smart card) is a better location to store private keys than, say, disk storage. That said, the complete analogy that most people make between the modern open and insecure PC and the mobile phone is not accurate. There are reasons beyond “It is nice to have that there…” that make the mobile phone well suited to be a token container.
New KerPass API on line
It took us quite a while to get here, but the new API is finally operational:
Time-synchronous one-time passwords and ECDSA digital signatures can be used in the context of any web application, after installing KerPass on the end user's mobile phone.
- The demo, as usual, offers an efficient hands-on introduction to the complete system
- At https://realm.kerpass.com/ you will find a web application for creating and administering security realms to support your own applications
- The URL https://api.kerpass.com/ provides full access to the API.
- All KerPass documentation can be found here.
Don’t hesitate to contact us to obtain the necessary applications to install on end users' mobile phones.
Will NFC emerge?
Like others, we are quite interested in the possibilities opened by the near field communication interface expected to be on a fair number of European smartphones by 2011-2012. Our interest was initially sparked by questions asking us how the KerPass mobile transaction validation solution was related to the proximity payment systems based on NFC technologies. As of today, there is no relation between those two solutions except that both deal with personal transaction validation. While in Japan and other advanced Asian countries real-world point of sale payment systems allow a mobile phone to be used as a contactless payment card, the rest of the world is engaged in lengthy field pilot trials of payment/ticketing systems based on much the same technologies. In what follows we briefly mention what capabilities NFC adds to the ubiquitous smartphone, and give our view that point of sale transaction validation may be tackled as efficiently by leveraging what mobile phones already have.
Introducing GateKeeper, in browser single sign on extension
We think it is interesting to share with the community a development on which the KerPass engineers are currently working. The shot above shows the GUI part (XUL widget) of the extension that appears in the browser when an authentication request has been received. The extension allows a relying website to require the end user to authenticate at authentication portals that the relying site trusts for this purpose. GateKeeper is the much needed missing part for in-browser single sign-on to happen reliably on the web.
Universal security token, pictures …
Some pictures of the coming soon mobile universal security token together with related user stories. For our fellow mobile application developers: during development we try to test on real devices as early as possible, and we use a low-end device for this. This allows us to be more efficient in addressing real-world issues, as simulators generally do not match real device performance well.
Photographing a phone display is a pain; fortunately we found a helpful girl who knows …
First start:
Transaction validation: part 2, ECDSA signatures
Electronic signatures as offered by public key cryptography have impressive capabilities; combine those with the ubiquitous mobile phone and a global validation service that can be accessed from anywhere, and you start seeing many of the problems that are plaguing today's online electronic transactions as solved.
What we will show today is the way we integrate the token's ECDSA signature capabilities with relying external web applications. We take the view that end users will continue to use the desktop browser for years to come, so part of the problem is how to integrate the web application accessed on the desktop with the mobile token.
Moving to elliptic curve cryptography …
It took us quite a while to get it right, but we finally have our own elliptic curve crypto library up and running. KerPass aligns itself with US government security practice. This move means a lot in terms of coming features for the system, as it will enable us to improve token capabilities with the possibility of generating non-repudiable electronic signatures on the phone.
What we have learnt along the way is that if you target mobile Java devices, there is currently no off-the-shelf library that delivers sufficient performance for ECC to perform acceptably well on low-end Java-enabled phones. Hence the bold move of doing it ourselves, in an effort to make it fast (using well-known optimizations) without resorting to patented shortcuts.