Pomcor conducts research on Web and mobile technology, currently focusing on innovations in user authentication and network security that provide defenses against cyberattacks and online fraud.
We have invented a method of securing online credit-card payments with two-factor frictionless cryptographic cardholder authentication and been granted a patent on the invention.
The latest version of the TLS protocol, TLS 1.3, has discontinued the use of a static RSA key for key exchange, leaving only key exchange primitives that provide forward secrecy but make it impossible to inspect TLS traffic in the intranet by the traditional method of provisioning a middlebox with a static RSA key. We have proposed several visibility solutions to this problem.
TLS 1.3 allows the client to send traffic, known as “early data” or “0-RTT data”, before the ServerHello message. We have shown how this feature can be used by an attacker as an encrypted steganographic channel, and how two of our visibility solutions can mitigate this risk.
As part of a DHS-funded research project on remote identity proofing, we have invented the concept of a rich credential, which allows a subject to submit three kinds of verification factors (something that the subject has, something that the subject knows and something that the subject “is”) to a remote verifier with whom the subject has no prior relationship, with selective disclosure of attributes and selective presentation of verification factors. We have been granted a patent on this invention.
As part of the same DHS-funded project, we have invented a method of operating a certificate authority on a blockchain or other distributed ledger that obviates the need to distribute signed Certificate Revocation Lists (CRLs) or operate an Online Certificate Status Protocol (OCSP) server for certificate revocation checking, and have also been granted a patent on that invention.