Archive for the ‘esignatures’ Category

Meet us at e-Smart 2008

KerPass will give a presentation at the e-Smart conference on the 18th of September 2008. We will present advanced solutions for delivering reliable software tokens on networked devices.

Defeating the “Man in the Middle”, mobile SignCode to the rescue.

Right from the inception of the KerPass system, we considered “transaction validation” to be part of our roadmap. We took some time to develop a portable digital signature system based on elliptic curve cryptography and, in addition to it, proposed something we call “Password signature”, which is a digital signature that you can use like a password. Read more »

New KerPass API on line

It took us quite a while to get here, but the new API is finally operational:
Time-synchronous one-time passwords and ECDSA digital signatures can be used in the context of any web application after installing KerPass on the end user's mobile phone.

  • The demo, as usual, offers an efficient hands-on introduction to the complete system
  • At https://realm.kerpass.com/ you will find a web application for creating and administering security realms to support your own applications
  • The URL https://api.kerpass.com/ provides full access to the API.
  • All KerPass documentation can be found here.

Don’t hesitate to contact us to obtain the necessary applications to install on the end user's mobile phone.

Universal security token, pictures …

Some pictures of the upcoming mobile universal security token, together with related user stories. For our fellow mobile application developers: during development we try to test on real devices as early as possible, and we use a low-end device for this. This allows us to be more efficient in addressing real-world issues, as simulators generally do not match real device performance well.
Photographing a phone display is a pain; fortunately we found a helpful girl who knows …

First start:

Connection test on Nokia 3220

As the token requires network access, we first check that the device connection has been correctly parametrized. We found good inspiration by looking at Opera Mini for this.
If only mobile operators tried to help here by clearly documenting the settings for their APN on a per-device basis.

Read more »

Transaction validation: part 2, ECDSA signatures

phone side signature

Electronic signatures as offered by public key cryptography have impressive capabilities; combine those with the ubiquitous mobile phone and a global validation service that can be accessed from anywhere, and you start seeing many of the problems that plague today's online electronic transactions as solved.

What we will show today is the way we integrate the token's ECDSA signature capabilities with relying external web applications. We take the view that end users will continue to use the desktop browser for years to come, so part of the problem is how to integrate the web application accessed on the desktop with the mobile token.
Read more »

Transaction validation: part 1, password signatures

The current KerPass token only provides end user authentication using OATH one-time passwords. The new KerPass token (code name “universal security token”) will additionally provide solutions for transaction validation using two different technologies: password signatures and ECDSA electronic signatures. In this post we will discuss how password signatures work and what the benefits of using them are.

A few words first on what is meant by transaction validation. The idea here is to allow an end user in control of a working token to prove that he really agrees with the content of a transaction he is supposed to have engaged in… A simple example of a transaction is an online payment: how do you reassure your bank and/or the seller that you are really the initiator of such a transaction? It is well known that this problem is not reliably solved on the current Internet. Our new mobile token will allow the end user to give strong proof of his approval of such a transaction. Let’s see how this can be simply achieved with password signatures:
Read more »