Archive for the ‘authentication’ Category

Meet us at e-Smart 2008

KerPass will give a presentation at the e-Smart conference on 18 September 2008. We will present advanced solutions for delivering reliable software tokens on networked devices.

Defeating the “Man in the Middle”, mobile SignCode to the rescue.

From the inception of the KerPass system we considered “transaction validation” to be part of our roadmap. We took some time to develop a portable digital signature system based on elliptic curve cryptography, and added to it something we call a “password signature”: a digital signature that you can use like a password.

Google Apps will be protected by Arcot software smartcard

We are following this space closely, for obvious reasons, so the news that Arcot technology was selected to optionally deliver strong authentication to business customers accessing Google Apps is certainly something to watch.

New KerPass API online

It took us quite a while to get here, but the new API is finally operational:
Time-synchronous one-time passwords and ECDSA digital signatures can be used from any web application once KerPass is installed on the end user's mobile phone.

  • The demo, as usual, gives an efficient hands-on introduction to the complete system
  • At https://realm.kerpass.com/ you will find a web application for creating and administering the security realms that back your own applications
  • The URL https://api.kerpass.com/ provides full access to the API.
  • All KerPass documentation can be found here.

Don’t hesitate to contact us to obtain the applications to install on end users' mobile phones.

GateKeeper, open source site opened …

[image: GateKeeper bar]

A new site has been opened to support the GateKeeper development effort.

GateKeeper is an authentication bar that runs in the Firefox browser chrome (out of reach of remote page scripts…) and performs password authentication with the SRP protocol. Because SRP never transmits the password, nor anything from which it can be derived offline, a phishing site or a man in the middle learns nothing usable from observing the exchange.

Additionally, the GateKeeper bar collaborates with the relevant authentication portal to authenticate the website the user is about to enter (runtime certification…).

Sites that use GateKeeper authentication are therefore protected against phishing and other MITM attacks on the password. GateKeeper can use a static password or a KerPass OATH one-time password; the latter combination gives the best resistance against brute force, spyware and MITM, since a one-time password captured by spyware cannot be reused.
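The following is an added example of the SRP exchange the bar performs, written for this page and not taken from GateKeeper or KerPass. It assumes SRP-6a with the 1024-bit group from RFC 5054, SHA-256 instead of SHA-1, and HMAC-based client and server proofs (M1, M2); the page names only "the SRP algorithm", so those choices are assumptions. The account name and passwords are constructed samples.

```python
"""SRP-6a exchange: the client proves it knows the password without sending it.
Added example; not GateKeeper code. Assumptions: RFC 5054 1024-bit group,
SHA-256 in place of SHA-1, HMAC-based proofs M1/M2 (the page names only SRP)."""
import hashlib
import hmac
import os

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str):
    """Server-side registration: store (salt, verifier), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, username, password), N)


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = int.from_bytes(os.urandom(32), "big")
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int):
        """Consume (salt, B) from the server; return (A, M1) to send back."""
        if B % N == 0:
            raise ValueError("server sent invalid B")
        u = H(pad(self.A), pad(B))
        x = private_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hmac.new(self.K, pad(self.A) + pad(B), hashlib.sha256).digest()
        return self.A, self.M1

    def verify_server(self, M2: bytes) -> bool:
        expected = hmac.new(self.K, pad(self.A) + self.M1, hashlib.sha256).digest()
        return hmac.compare_digest(expected, M2)


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = int.from_bytes(os.urandom(32), "big")
        self.B = (k * v + pow(g, self.b, N)) % N

    def verify_client(self, A: int, M1: bytes):
        """Return M2 if the client's proof matches, else None."""
        if A % N == 0:
            raise ValueError("client sent invalid A")
        u = H(pad(A), pad(self.B))
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)
        K = hashlib.sha256(pad(S)).digest()
        expected = hmac.new(K, pad(A) + pad(self.B), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, M1):
            return None
        return hmac.new(K, pad(A) + M1, hashlib.sha256).digest()


def login(username: str, password: str, salt: bytes, v: int):
    """Full exchange. Returns (server accepted client, client accepted server)."""
    client, server = Client(username, password), Server(salt, v)
    A, M1 = client.respond(server.salt, server.B)  # wire: salt, B -> client; A, M1 -> server
    M2 = server.verify_client(A, M1)
    return M2 is not None, M2 is not None and client.verify_server(M2)


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse")  # constructed sample account
    print("genuine site :", login("alice", "correct horse", salt, v))
    # A phishing site holds no verifier; the best it can do is guess one.
    fake_salt, fake_v = enroll("alice", "password1")
    print("phishing site:", login("alice", "correct horse", fake_salt, fake_v))
```

What crosses the wire is salt, A, B and the two proofs; none of them contains the password or the verifier in recoverable form, so an eavesdropper gets nothing to run a dictionary attack against. A phishing site that impersonates the server can embed one guessed verifier in B and check whether M1 matches, which buys it exactly one online guess per session, the same as typing a wrong password at the real site, and the client's M2 check fails, so it never continues the session.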

One time password (Event or Time Synchronous …)

Search queries tracked by this blog's statistics system show that quite a few people have ended up here looking for information on which of these two one-time password systems is the better one, if either. We believe that, where applicable, time-synchronous one-time passwords deliver more security than event-synchronous ones. Below are some explanations of where the added value comes from.

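As an added illustration of one difference a practitioner cares about (this is example code written for this page, not KerPass code, and the post's own explanation is not reproduced here), the following implements HOTP per RFC 4226 and verifies it both event-synchronously and time-synchronously. It assumes the usual HOTP-over-time-step construction for the time variant, a 30 s step and a skew of one step; the key is the RFC 4226 test-vector key, used as a constructed sample, and the timestamps are constructed.

```python
"""HOTP (RFC 4226) verification, event-synchronous versus time-synchronous.
Added example, not KerPass code. The time-synchronous variant assumes the
usual HOTP-over-time-step construction; the 30 s step and +/-1 skew are choices."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test-vector key, used here as a constructed sample


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(now // step), digits)


class EventServer:
    """Event-synchronous verifier. The token's counter may run ahead of the
    server's (button pressed without logging in), so the server searches a
    look-ahead window and then jumps past whatever it accepted."""

    def __init__(self, secret: bytes, look_ahead: int = 20):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this code and every earlier one are now dead
                return True
        return False


class TimeServer:
    """Time-synchronous verifier. Accepts the current step +/- skew, never a
    step it has already accepted, so a code dies after about skew*step seconds."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code: str, now: float) -> bool:
        cur = int(now // self.step)
        for s in range(cur - self.skew, cur + self.skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


def harvested_code_replay(delay: float):
    """A code the user generated at t0 but never submitted (e.g. typed into a
    phishing page that dropped it) is submitted by the attacker at t0 + delay.
    Returns (event server accepted, time server accepted)."""
    t0 = 1_200_000_000.0          # constructed timestamp
    event_code = hotp(SECRET, 3)  # the token had been pressed three times before
    time_code = totp(SECRET, t0)
    ev, tm = EventServer(SECRET), TimeServer(SECRET)
    return ev.verify(event_code), tm.verify(time_code, t0 + delay)


def replay_after_use():
    """Both schemes reject a code that has already been accepted once."""
    t0 = 1_200_000_000.0
    ev, tm = EventServer(SECRET), TimeServer(SECRET)
    ev.verify(hotp(SECRET, 0))
    tm.verify(totp(SECRET, t0), t0)
    return ev.verify(hotp(SECRET, 0)), tm.verify(totp(SECRET, t0), t0 + 5)


if __name__ == "__main__":
    print("replayed immediately  :", harvested_code_replay(0))     # (True, True)
    print("replayed an hour later:", harvested_code_replay(3600))  # (True, False)
    print("second use of a code  :", replay_after_use())           # (False, False)
```

The event-synchronous code stays valid until the user next logs in, because the server has no way of knowing the token was pressed; the look-ahead window that makes resynchronisation possible is exactly what keeps a harvested code alive. The time-synchronous code is worthless once the clock has moved past the skew window, whether or not the user ever logs in again. Both servers must remember what they last accepted, or the same code can be replayed within its window.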

Why in-browser single sign-on matters

Since these days we frequently revisit the topic of in-browser single sign-on, we think it worth clarifying why we see value in such technology. The two main benefits that single sign-on can deliver are:

  • Helping maintain the diversity of the web ecosystem
  • Making it easier to secure web applications

Maintaining biodiversity in the web ecosystem:

The lack of easy registration and sign-on across the large number of applications currently maintained on the web makes the emergence of second movers difficult.

Introducing GateKeeper, in-browser single sign-on extension

[screenshot: GateKeeper extension …]

We think it interesting to share with the community a development the KerPass engineers are currently working on. The screenshot above shows the GUI part (XUL widget) of the extension, displayed in the browser when an authentication request has been received. The extension allows a relying website to require the end user to authenticate at the authentication portals that the relying site trusts for this purpose. GateKeeper is the much needed missing piece for in-browser single sign-on to happen reliably on the web.

Universal security token, pictures …

Some pictures of the upcoming mobile universal security token, together with related user stories. For our fellow mobile application developers: during development we try to test on real devices as early as possible, and we use a low-end device for this. It makes us more efficient at addressing real-world issues, as simulators generally do not match real device performance well.
Photographing a phone display is a pain; fortunately we found a helpful girl who knows …

First start:

[photo: connection test on Nokia 3220]

As the token requires network access, we first check that the device connection has been correctly configured. We found good inspiration in how Opera Mini does this.
If only mobile operators would help here by clearly documenting their APN settings on a per-device basis.


InfoCard/CardSpace getting the big picture …

Recent posts on this blog suggest our interest in “open” in-browser single sign-on systems. As a result we have briefly discussed the perceived strengths and weaknesses of Yahoo BBAuth and the emerging OpenID standard. Regarding OpenID, it has appeared to us that the enthusiasm of the community is unfortunately not backed by sufficient technology to make the system applicable on the wild open Internet. The recent announcement that CardSpace and OpenID are entering into a marriage allows Microsoft to capitalize on the buzz created by OpenID. We now see OpenID as an empty shell (a remarkable online marketing success, though …); the pressing question that remains to be addressed is what the value of this CardSpace stuff actually is.