Pomcor — Research on Web and Mobile Technology

Pomcor conducts research on Web and mobile technology, currently focusing on applications of cryptography and biometrics to internet identity and network security.

Internet identity is a hot area of research at the confluence of new developments in technology and cybersecurity. Technology is evolving rapidly as mobile phones with digital wallets take over more and more functions previously performed in the physical world; the realization that traditional 2FA is not phishing resistant is stimulating the development of cryptographic methods for authentication, identification and online transaction confirmation; and cryptographic modules have become generally available on the web in the form of platform and roaming authenticators.

At the recent Internet Identity Workshop (IIW XXXV) we convened sessions to discuss innovative uses of FIDO authenticators, in conjunction with service workers, for online payment confirmation and identification with a variety of third-party cryptographic credentials.

We have invented a method of securing online credit-card payments with multifactor frictionless cryptographic cardholder authentication and been granted a patent family on the invention.

The latest version of the TLS protocol, TLS 1.3, has discontinued the use of a static RSA key for key exchange, leaving only key exchange primitives that provide forward secrecy but make it impossible to inspect TLS traffic in the intranet by the traditional method of provisioning a middlebox with a static RSA key. We have proposed several visibility solutions to this problem.

TLS 1.3 allows the client to send traffic, known as “early data” or “0-RTT data”, before the ServerHello message. We have shown how this feature can be used by an attacker as an encrypted steganographic channel, and how two of our visibility solutions can mitigate this risk.

As part of a research project funded by DHS on remote identity proofing we have invented the concept of a rich credential, which allows a subject to submit three kinds of verification factors (something that the subject has, something that the subject knows and something that the subject “is”) to a remote verifier with whom the subject has no prior relationship, with selective disclosure of attributes and selective presentation of verification factors. We have been granted a patent on this invention.

As part of the same DHS-funded project, we have invented a method of operating a certificate authority on a blockchain or other distributed ledger that obviates the need to distribute signed Certificate Revocation Lists (CRLs) or operate an Online Certificate Status Protocol (OCSP) server for certificate revocation checking, and have also been granted a patent on that invention.

We have released a beta test version of the Pomcor JavaScript Cryptographic Library (PJCL), which can be downloaded from the PJCL page. An initial public release provided digital signature functionality. A second release has added key agreement and key derivation. Additional functionality including encryption will be provided in forthcoming releases. We have also published a proof-of-concept Node.js application that shows how a full-stack web developer can implement cryptographic authentication using PJCL to provide cryptographic functionality both on the client side and the server side. The Node.js application can be downloaded from the cryptographic authentication page. The PJCl page and the cryptographic authentication page are reachable from the Developers tab of the site menu. Work on PJCL and the proof-of-concept Node.js application had to be put on hold during Karen Lewison’s fight with cancer with Francisco Corella as caregiver, but will resume.

We discuss our research on our blog and in technical reports and presentations, which can be found below. Older materials can be found in the archive.

Pomcor is a graduate of the San Diego CONNECT Springboard program. We are currently based in Sacramento. You can find out more about us in the company page.