Archive for the ‘fraud’ Category

Defeating the “Man in the Middle”: mobile SignCode to the rescue.

Right from the inception of the KerPass system, we considered “transaction validation” to be part of our roadmap. We took some time to develop a portable digital signature system based on elliptic curve cryptography and, alongside it, proposed something we call “Password signature”: a digital signature that you can use like a password. Read more »

Introducing GateKeeper, an in-browser single sign-on extension

GateKeeper extension …

We think it is interesting to share with the community a development the KerPass engineers are currently working on. The shot above shows the GUI part (a XUL widget) of the extension, which appears in the browser when an authentication request has been received. The extension allows a relying website to require the end user to authenticate at authentication portals that the relying site trusts for this purpose. GateKeeper is the much-needed missing part for in-browser single sign-on to happen reliably on the web.
Read more »

PayPal: password key fob goes mainstream …

It has been official for about a month now that PayPal will offer its users a password key fob in order to better protect them against identity theft. They will distribute VeriSign's one-time password key fob for this.

This will certainly help protect PayPal users against identity theft, as it makes password guessing extremely difficult while the user is offline. However, it is not correct to report that this will solve the problem of phishing: a phisher can capture a time-synchronous one-time password in much the same way he can capture a standard password, and reuse it for his own purposes.

One-time passwords have been a cash cow for security firms like RSA Security and Vasco for years. They provide strong end-user proof of identity, but some innovation is required to make them suitable for secure use in the context of web applications. The bad idea here is to assume that passwords, if used alone, can safely be moved over the network…

Transaction validation: part 1, password signatures

The current KerPass token only provides end-user authentication using OATH one-time passwords. The new KerPass token (code name “universal security token”) will additionally provide solutions for transaction validation using two different technologies: password signatures and ECDSA electronic signatures. In this post we will discuss how password signatures work and what the benefits of using them are.

A few words first on what is meant by transaction validation. The idea is to allow an end user in control of a working token to prove that he really agrees with the content of a transaction he is supposed to have engaged in… A simple example of a transaction is an online payment: how do you reassure your bank and/or the seller that you are really the initiator of such a transaction? It is well known that this problem is not reliably solved on the current Internet. Our new mobile token will allow the end user to give a strong proof of his approval of such a transaction. Let’s see how this can be simply achieved with password signatures:
Read more »
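The two excerpts above make one point between them: a one-time password that depends only on the clock proves who is typing, not what they approve, so a code captured by a look-alike site is still valid at the real site for a few seconds; a code derived from the transaction content is useless for any other transaction. The following added example (not KerPass code, and not the KerPass “password signature” scheme itself) illustrates this with standard RFC 4226/6238 HOTP/TOTP beside a constructed HMAC-based code that additionally covers the canonical transaction text. The secret, the timestamp and the transaction strings are constructed test data.

```python
"""Why a clock-only OTP can be replayed while a transaction-bound code cannot.

hotp()/totp() follow RFC 4226 / RFC 6238. transaction_code() is a constructed
illustration of the "bind the code to the transaction" idea, NOT KerPass's scheme.
"""
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds
DIGITS = 6
SKEW = 1           # server accepts the previous/next time step as well


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit word at the offset given by the low nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP: HOTP with the counter derived from the clock. Nothing about the
    transaction enters the computation, which is exactly the replay problem."""
    return hotp(secret, unix_time // step, digits)


def transaction_code(secret: bytes, unix_time: int, transaction: str,
                     step: int = STEP, digits: int = DIGITS) -> str:
    """Constructed illustration: the MAC covers the time step AND the canonical
    transaction text, so the code only verifies for that exact transaction."""
    msg = struct.pack(">Q", unix_time // step) + transaction.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Server-side check with +/- SKEW steps of clock tolerance."""
    return any(hmac.compare_digest(code, totp(secret, now + d * STEP))
               for d in range(-SKEW, SKEW + 1))


def verify_transaction_code(secret: bytes, code: str, now: int, transaction: str) -> bool:
    """The server recomputes the code for the transaction IT is about to execute."""
    return any(hmac.compare_digest(code, transaction_code(secret, now + d * STEP, transaction))
               for d in range(-SKEW, SKEW + 1))


def replay_scenario(secret: bytes, now: int) -> dict:
    """A phishing relay: the user types a code into a look-alike site, which
    forwards it to the real site within the same time window, but for a
    different transaction. Returns what the real site's verifier decides."""
    user_intent = "PAY 20.00 EUR TO shop.example"            # constructed
    forwarded_intent = "PAY 2000.00 EUR TO other-account"    # constructed

    # Case 1: clock-only TOTP. The captured code is valid for ANY request
    # the real site receives in the window, so the relayed one is accepted.
    captured = totp(secret, now)
    totp_replay_accepted = verify_totp(secret, captured, now + 5)

    # Case 2: transaction-bound code. The user computed it over the transaction
    # shown on the token; the real site recomputes it over the relayed one.
    captured_bound = transaction_code(secret, now, user_intent)
    legit_accepted = verify_transaction_code(secret, captured_bound, now + 5, user_intent)
    replay_accepted = verify_transaction_code(secret, captured_bound, now + 5, forwarded_intent)

    return {
        "totp_replay_accepted": totp_replay_accepted,       # True: replay succeeds
        "bound_code_legit_accepted": legit_accepted,        # True: honest use works
        "bound_code_replay_accepted": replay_accepted,      # False: wrong transaction
    }


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    print(replay_scenario(demo_secret, 1_700_000_000))
```

The verifier's clock tolerance is what gives the relay its window: any scheme in which the server's check does not depend on the transaction it is about to perform will accept a forwarded code for as long as that tolerance lasts. Binding the code to a canonical rendering of the transaction (amount, beneficiary, currency) that the user sees on the token is the minimal change that closes it, and it is the property the post above is after.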

Phishing, DNS poisoning, man in the middle …

Let’s start our journey into modern web application security by reviewing what is behind these widely used but poorly understood words.

Things are really not as complicated as they sound. The main mechanism behind those vulnerabilities is that the HTTP protocol provides no guarantee that you (the Internet user) are really interacting with the intended site. Using various strategies, an adversary can insert itself between your browser and the site you intend to visit, and reuse your credentials to achieve its own objectives…
Read more »