The mobile phone as a token container, can we trust storage ?

One question KerPass often receive relates to how safe is using a phone to store software token ? A mobile token like the one part of the KerPass UST system, requires storing several cryptographic keys. Security specialists generally consider that software token are not reliable because nearby malicious software can read and duplicate the private information it contains. Common sense certainly suggests that a secure storage system (eg smart card) is a better location to store private keys than say disk storage. That said the complete analogy that most are making in between the modern open and insecure pc and the mobile phone is not accurate. They are reasons beyond “It is nice to have that there…” that make the mobile phone well suited to be a token container.
Read more »

Will NFC emerge ?

As others we are quite interested in the possibilities opened by the near field communication interface expected to be on a fair number of european smart phones by year 2011-2012. Our interest was initially sparked by questions asking us how the KerPass mobile transaction validation solution was related to the proximity payment systems based on the NFC technologies. As of today, there is no relation in between those two solutions except that both deal with personal transaction validation. Meanwhile in Japan and other advanced Asian countries real world point of sale payment system allow to use a mobile phone as a contactless payment card , the rest of the world is engaged in lengthy field pilot trials of payment/ticketing systems based on much the same technologies. In what follows we rapidly mention what capabilities NFC add to the ubiquituous smartphone, and mention our view that point of sale transaction validation maybe tackled as efficiently leveraging what mobile phones already have.
Read more »