Archive for the ‘identity theft’ Category

Google Apps will be protected by Arcot software smartcard

We are following carefully what is going on in this area, for obvious reasons, so the news that Arcot technology was selected to optionally deliver strong authentication to business customers accessing Google Apps is certainly something to watch.
Read more »

The mobile phone as a token container: can we trust its storage?

One question KerPass often receives is how safe it is to use a phone to store a software token. A mobile token like the one that is part of the KerPass UST system requires storing several cryptographic keys. Security specialists generally consider that software tokens are not reliable, because nearby malicious software can read and duplicate the private information they contain. Common sense certainly suggests that a secure storage system (e.g. a smart card) is a better place to store private keys than, say, disk storage. That said, the complete analogy that most people draw between the modern open and insecure PC and the mobile phone is not accurate. There are reasons beyond “It is nice to have it there…” that make the mobile phone well suited to be a token container.
Read more »

GateKeeper, open source site opened …

[Screenshot: gkbar.png, the GateKeeper bar]

A new site has been opened to support the GateKeeper development effort.

GateKeeper is an authentication bar that operates from the Firefox browser chrome area (no access to remote scripts…) and allows password authentication using the SRP algorithm. This renders password authentication insensitive to phishing or other MITM attacks.

Additionally, the GateKeeper bar collaborates with a relevant authentication portal to authenticate the website the user is about to enter (runtime certification…).

Sites that use GateKeeper authentication are completely immune to phishing or other MITM attacks. GateKeeper can use a static password or a KerPass OATH one-time password, the latter combination providing optimal resistance against brute force, spyware and MITM.
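To make concrete what the SRP mention above buys, here is an added example (not GateKeeper's or KerPass's code) of one SRP-6a login run over the RFC 5054 1024-bit group: the site stores only a salt and verifier, the password-derived secret x never leaves the client, and the M1/M2 proofs let each side confirm the other holds its secret, which is what lets a client notice a site that does not hold the verifier. The names `enroll`, `private_x` and `srp_exchange` are this example's own.

```python
import hashlib
import secrets

# RFC 5054 1024-bit group (N a safe prime, g = 2). Constructed illustration only.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NB = (N.bit_length() + 7) // 8  # group size in bytes, for padding before hashing

def H(*parts: int) -> int:
    """SHA-256 over integers left-padded to the group size, as in RFC 5054."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NB, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(username: str, password: str, salt: int) -> int:
    """x = H(salt | H(user:password)); only the client ever computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt.to_bytes(16, "big") + inner).digest(), "big")

def enroll(username: str, password: str):
    """Registration: the site keeps (salt, verifier v = g^x), never the password."""
    salt = secrets.randbits(128)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_exchange(username: str, password: str, salt: int, verifier: int):
    """One SRP-6a login; returns (keys_match, client_proof_ok, server_proof_ok)."""
    # Client sends A = g^a; site answers B = k*v + g^b. Neither message reveals x.
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    B = (k * verifier + pow(g, b, N)) % N
    u = H(A, B)
    # Client side: S needs the password-derived x, which never goes on the wire.
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Site side: S needs the verifier; a phishing site that lacks it cannot reach it.
    S_server = pow(A * pow(verifier, u, N), b, N)
    K_client, K_server = H(S_client), H(S_server)
    # Proofs: M1 authenticates the client to the site, M2 the site to the client.
    M1 = H(A, B, K_client)
    client_ok = M1 == H(A, B, K_server)
    M2 = H(A, M1, K_server)
    server_ok = M2 == H(A, M1, K_client)
    return K_client == K_server, client_ok, server_ok
```

With the right password both proofs verify and the session keys agree; with a wrong password (or a site that lacks the verifier) the keys diverge and neither proof checks out.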

Introducing GateKeeper, an in-browser single sign-on extension

GateKeeper extension …

We think it interesting to share with the community a development on which the KerPass engineers are currently working. The shot above shows the GUI part (XUL widget) of the extension, which appears in the browser when an authentication request has been received. The extension allows a relying website to require the end user to authenticate at authentication portals that the relying site trusts for this purpose. GateKeeper is the much needed missing part for in-browser single sign-on to happen reliably on the web.
Read more »

Holdup on OpenId …

While we were busy evaluating whether OpenId was an attractive in-browser single sign-on protocol, it looks like things have changed drastically on this side with the announcement of the alliance with Microsoft CardSpace.

It will be interesting to see how the dust settles and whether all the contributors who have invested valuable time and resources in this effort are happy about this move. On our side we have been following closely what was going on here, as we considered for a while that our strong authentication technologies could be used in the context of OpenId identity provider portals.
Read more »

French TV has found it: SMS can be spoofed …

A report made the headline of the French national news yesterday (February 5th 2007): it is actually possible to make an SMS appear to come from a person who did not send it. It apparently took a Belgian engineer to convince the French police that this is easy to achieve, and French mobile operators have acknowledged that this is a problem the technology has.
Read more »

Phishing, DNS poisoning, man in the middle …

Let’s start our journey in modern web application security by reviewing what is behind those words, widely used but poorly understood by most of us.

Things are really not as complicated as they sound. The main mechanism behind those vulnerabilities relates to the fact that the HTTP protocol provides no guarantee that you (the internaut) are really interacting with the intended site. Using various strategies an adversary can insert itself between your browser and the site you intend to visit, and reuse your credentials to achieve its own objectives…
Read more »