I’m happy to report that we have found a way of bypassing the Firefox POST redirection bug discussed in the previous post, obviating the need for code changes to cope with the redirection replay by Firefox when the user clicks the back button. While waiting for the bug to be fixed, this will simplify the implementation of web apps that rely on POST redirection, including apps that use cryptographic authencation or federated login. We have revised again the sample web app demoed at the last IIW, this time to simplify it by taking advantage of the bug bypass.Continue reading “A Bypass of the Firefox POST Redirection Bug”
Updated May 13 as shown below.
At the last Internet Identity Workshop (IIW) we gave a demo of a sample web app that featured cryptographic authentication, and argued that implementing cryptographic authentication is easy. Later, in the blog post Easy, Password-Free, Cryptographic Authentication for Web Applications I discussed the code of the sample web app and said that cryptographic authentication provides a “simple alternative” to authentication with a password. The issues discussed in the post, however, were not simple! Since then we have had to revise the code of the demo several times to fix bugs and, in the process, we have come to realize that cryptographic authentication is not that easy after all. It does not take much code, but it requires a lot of attention to detail to avoid a variety of pitfalls.Continue reading “Cryptographic Authentication Is Not That Easy After All”
Pomcor has recently been granted US Patent 9,887,989 on a multifactor cryptographic authentication technique that uses a cryptographic key pair in conjunction with a password and/or a biometric key while protecting the password and biometric data against back-end security breaches. All our patents are available for licensing.
At the last Internet Identity Workshop we demonstrated single factor cryptographic authentication, not covered by the patent, where a key pair stored in browser local storage is used instead of a password for authentication to a web application. (A proof-of-concept implementation of a simple web app is available in the PJCL web page and described in the previous post.) Cryptographic authentication has huge advantages over password authentication, as passwords are vulnerable to back-end database breaches, phishing attacks, and password reuse at malicious or insecure sites. But when used in multifactor authentication, a password provides the unique benefit of being something that the user knows, independent of something that the user has (a device that contains a private key or is able to generate or receive one-time codes) and something that the user is (a biometric feature). Our latest patent discloses a novel multifactor authentication technique where a password can provide this benefit while being immune to the vulnerabilities of conventionally used passwords.Continue reading “Pomcor Granted Patent on Multifactor Cryptographic Authentication”
Update (May 11). The demo code mentioned below has been updated to fix bugs. If you find any additional bugs please report them through the contact form or by posting to the PJCL forum. The date of the latest update will be shown in the PJCL page. Please see also the blog post Cryptographic Authentication Is Not That Easy After All.
For years there has been consensus that passwords have to go. To the many reasons for not using password authentication, the European GDPR will add, when it goes into effect on May 25, stringent requirements to notify users and regulators when passwords are compromised, backed by substantial fines. And yet, passwords are still the dominant authentication technology for web applications. This is because the alternatives that have been proposed and tried so far are complicated and expensive to implement. But there is a simple alternative that you can implement yourself, if you are a web application developer: cryptographic authentication with a digital-signature key pair stored in the browser.
This blog post is a companion to a presentation made at the 2017 International Cryptographic Module Conference and refers to the presentation slides, revised after the conference. Karen Lewison is a co-author of the presentation and of this blog post.
Slide 2: Key storage in web clients
Most Web applications today use TLS, thus relying on cryptography to provide a secure channel between client and server, and to authenticate the server to the client by means of a cryptographic credential, consisting of a TLS server certificate and its associated private key. But other uses of cryptography by Web applications are still rare. Client authentication still relies primarily on traditional username-and-password, one-time passwords, proof of possession of a mobile phone, biometrics, or combinations of two or more of such authentication factors. Web payments still rely on a credit card number being considered a secret. Encrypted messaging is on the rise, but is not Web-based.
A major obstacle to broader use of cryptography by Web applications is the problem of where to store cryptographic keys on the client side. Continue reading “Storing Cryptographic Keys in Persistent Browser Storage”
In a press release, MasterCard announced yesterday an EMV payment card that features a fingerprint reader. The release said that two trials have been recently concluded in South Africa and, after additional trials, a full roll out is expected this year.
In the United States, EMV chip cards are used without a PIN. The fingerprint reader is no doubt intended to fill that security gap. But any use of biometrics raises privacy concerns. Perhaps to address such concerns, the press release stated that a fingerprint template stored in the card is “encrypted”.
That’s puzzling. If the template is encrypted, what key is used to decrypt it before use?Continue reading “What kind of “encrypted fingerprint template” is used by MasterCard?”
NIST is working on the third revision of SP 800-63, which used to be called the Electronic Authentication Guideline and has now been renamed the Digital Identity Guidelines. An important change in the current draft of the third revision is a much expanded scope for biometrics. The following are comments by Pomcor on that aspect of the new guidelines, and more specifically on Section 5.2.3 of Part B, which we have sent to NIST in response to a call for public comments.
The draft is right in recommending the use of presentation attack detection (PAD). We think it should go farther and make PAD a mandatory requirement right away, without waiting for a future edition as stated in a note.
But the draft only considers PAD performed at the sensor. Continue reading “Comments on the Recommended Use of Biometrics in the New Digital Identity Guidelines, NIST SP 800-63-3”