Two-factor authentication with a fusion credential, demonstrated in
repository, overcomes the UX obstacles that are impeding large
scale adoption of cryptographic authentication, by making it possible
to add protection against man-in-the-middle phishing attacks,
password reuse and backend breaches to a site where users
authenticate with email and password, while keeping the same user
experience, including the ability to log in on any browser, in any
But two-factor credential fusion makes use of an invention
protected by a patent, and cryptography-related patents have
historically delayed adoption of new technologies. To
overcome this additional obstacle to the adoption of cryptographic
authentication, I have now introduced a streamlined process for
licensing the patent, which may be of independent interest.
The process uses a “DocuSign
envelope”, which is a type of workflow document that DocuSign
routes by email to participants in a business process. The
document is first routed to the patent holder, who applies a
“DocuSign eSignature” to a license offer. It is then routed to
the client, who adds a “DocuSign eSignature” accepting the offer
and pays the license fee. It is finally routed back to the patent
holder, who adds a “DocuSign eSignature” granting the license,
after receiving the license fee. The completed document with all three eSignatures is sent by email
to the parties, and kept by DocuSign in its own storage where it
is available as evidence that the license has been
Details of the process and examples of completed documents are
I’m happy to announce that Ken Cone has agreed to join Pomcor as CFO.
Ken is a highly experienced CPA and financial adviser who has provided business and tax advice in a variety of industries. He knows Pomcor well, having provided us with accounting expertise and tax preparation services for several years. I view his joining Pomcor as an executive as a vote of confidence in the future of the company, which I appreciate.
Experience with government contracting in the defense industry
It also makes me happy that Ken is familiar with government contracting, and more specifically, government contracting in the defense industry. Most of our research over the last decade, and research that we are conducting right now, is concerned with identity and authentication protocols. Identity is an essential element of cybersecurity, and in the current threat environment cybersecurity is an essential element of national and economic security, as recognized in the President’s Executive Order 14028. We have received government funding for our research in the past, and we may apply for funding in the future to continue our research on identity. Ken’s expertise and experience with government contracting will help us apply for and manage such funding.
Karen Lewison, CEO of Pomcor, has passed away after fighting cancer for almost two years. Karen and I used different names, but we were married and I loved her deeply.
Karen was a physician, but after co-founding Pomcor, and later taking over as CEO, she pivoted into hi tech. She managed government grants, conducted research, wrote code, and was a coinventor of several US patents granted to Pomcor. In particular, she was the lead inventor of the recently granted US patent 10,576,377, which introduces the concept of rich credentials. She was also the lead inventor of a patent application that discloses a method of operating a certificate authority on a blockchain or distributed ledger. The very same day that she passed away a USPTO examiner called and “allowed” that application, which means that a patent will be granted on the application in due course. I was able to communicate the news to Karen.
Karen’s cancer was diagnosed at a very late stage of the disease, where patients are expected to give up. Instead she chose to fight, and won several battles against complications of the disease, achieving spectacular recoveries after being on the brink of death. Throughout her fierce war against cancer she remained engaged in our research. We filed joint patent applications on several new inventions and coauthored a paper and several blog posts.
I plan to continue on my own the work that Karen and I were doing together, in honor of her memory and inspired by her courage. Pomcor will go on.
This is Part 2 of a series of posts reviewing the
received by NIST on
for Derived Personal Identity Verification (PIV) Credentials,
their disposition, and the
of the document. Links to all the posts in the series can be found
post of this series I discussed how
NIST failed to address many concerns expressed in the
that it received on the guidelines for derived credentials
published in March of last year as
Special Publication (SP) 800-157, including concerns about
insufficient discussion of business need, lack of guidance, narrow
scope, lack of attention to embedded solutions, and security issues.
But I postponed a discussion of what I think is the most critical
security problem in SP800-157: the lack of security of the
so-called software tokens, a concern that was raised in
comments including 111 by the Treasury, 291, 311 and 318 by ICAMSC,
406 by PrimeKey AB, 413 by NSA, and 424 by Exponent. This post
focuses on that problem.
The concept of a software token, or software cryptographic
module is defined in
NISTIR 7981 (Section 3.2.1) as follows:
Rather than using specialized hardware to store and use PIV keys, this
approach stores the keys in flash memory on the mobile device
protected by a PIN or password. Authentication operations are done in
software provided by the application accessing the IT system, or the
What does it mean for the keys to be “protected by a PIN or password”?
Continue reading “NIST Omits Encryption Requirement for Derived Credentials”
This is the first of a series of posts reviewing the comments received
by NIST on Draft SP800-157, their disposition, and the final version
of the document. Links to all the posts in the series can be found
In March 2014, NIST released the drafts of two documents on derived credentials,
NISTIR 7981 and
SP800-157, and requested comments. Last month it
that it had received more than 400 comments and released a
with comments and their dispositions.
The file is hard to read, because it contains snippets of comments
rather than entire comments (and snippets of comments by the same
organization are not always consecutive!). But we have made the
effort to read it, and the effort was worth it. The file contains
snippets from companies, individuals, industry organizations, and many
US Federal government organizations, including the Consumer Financial
Protection Bureau (CFPB), the Coast Guard, the Department of Justice
(DOJ), the Department of the Treasury, the Department of Agriculture
Mobility Program Management Office (USDA MPO), the Department of State
(DOS), the Social Security Administration (SSA), the National
Aeronautics and Space Administration (NASA), the Department of
Homeland Security (DHS), the Air Force Public Key Infrastructure
System Program Office (AF PKI SPO), the Identity, Credential, and
Access Management Subcommittee (ICAMSC), the Centers for Disease
Control and Prevention (CDC), the Federal Public Key Infrastructure
Certificate Policy Working Group (FPKI CPWG) and the Information
Assurance Directorate of the National Security Agency (NSA). Continue reading “NIST Fails to Address Concerns on Derived Credentials”
Last week I made a presentation to the
GlobalPlatform 2014 TEE
Conference, co-authored with Karen Lewison, on how to
provide virtual tamper resistance for derived credentials and
other data stored in a Trusted Execution Environment (TEE). I’ve put
the slides online as an
PowerPoint presentation with speaker notes.
, also available on the
, summarized the presentation. In this post I want to go over
a technique for implementing virtual tamper resistance that we have
not discussed before. The technique is illustrated with animation in
slides 9 and 10. The speaker notes explain the animation steps.
Virtual tamper resistance is achieved by storing data in a device,
encrypted under a data protection key that is entrusted to a key
storage service and retrieved from the service after the device
authenticates to the service using a device authentication credential,
which is regenerated from a protocredential and a PIN. (Some other
secret or combination of secrets not stored in the device can be used
instead of a PIN, including biometric samples or outputs of physical
unclonable functions.) The data protection key is called “credential
encryption key” in the presentation, which focuses on the protection
of derived credentials. The gist of the technique is that all PINs
produce well-formed device authentication credentials, Continue reading “Implementing Virtual Tamper Resistance without a Secure Channel”
This post has also been published on the
blog of the GlobalPlatform TEE Conference.
Smart cards and mobile devices can both be used to carry cryptographic
credentials. Smart cards are time-tested vehicles, which provide the
benefits of low cost and widely deployed infrastructures. Mobile
devices, on the other hand, are emerging vehicles that promise new
benefits such as built-in network connections, a built-in user
interface, and the rich functionality provided by mobile apps.
It is tempting to predict that mobile devices will replace smart
cards, but this will not happen in the foreseeable future. Mobile
devices are best used to carry credentials that are derived
from primary credentials stored in a smart card. Each user may choose
to carry derived credentials on zero, one or multiple devices in
addition to the primary credentials in a smart card, and may obtain
derived credentials for new devices as needed. The derived
credentials in each mobile device are functionally equivalent to the
primary credentials, and are installed into the device by a device
registration process that does not need to duplicate the user proofing
performed for the issuance of the primary credentials.
The term derived credentials was coined by NIST in connection
with credentials carried by US federal employees in Personal Identity
Verification (PIV) cards and US military personnel in Common Access
Cards (CAC); but the concept is broadly applicable. Derived
credentials can be used for a variety of purposes, Continue reading “Smart Cards, TEEs and Derived Credentials”
I’m happy to announce that I’ll be making a presentation at the forthcoming
GlobalPlatform 2014 TEE
Conference (September 29-30, Santa Clara, CA). Here are the title
Virtual Tamper Resistance for a TEE
Derived credentials are cryptographic credentials carried in a mobile
device that are derived from credentials carried in a smartcard. The
term was coined by the US National Institute of Standards and
Technology (NIST) in connection with US Federal employee credentials,
but the concept is generally applicable to use cases encompassing
high-security enterprise IDs, payment cards, national identity cards,
driver licenses, etc.
The Trusted User Interface feature of a TEE can protect the passcode
that activates derived credentials from being phished or intercepted
by malware, the user being instructed to only enter the passcode when
a Security Indicator shows that the touchscreen is controlled by the
Secure OS of the TEE. Besides protecting the passcode, it is also
necessary to protect the derived credentials themselves from an
adversary who physically captures the device. This requires
resistance against tampering. Physical tamper resistance can be
provided by a Secure Element accessed from the TEE through the TEE
Secure Element API, thus combining protection of the passcode against
malware with protection of the credentials against physical capture.
Derived credentials can also be protected against physical capture
using cloud-based virtual tamper resistance, which is achieved by
encrypting them with a key stored in a secure back-end. The device
uses a separate credential derived in part from the activation
passcode to authenticate to the back-end and retrieve the encryption
key. A novel technique makes it possible to do so without exposing
the passcode to an offline guessing attack, so that a short numeric
passcode is sufficient to provide strong security.
Physical tamper resistance and virtual tamper resistance have
overlapping but distinct security postures, and can be combined, if
desired, to maximize security.
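The cloud-based virtual tamper resistance sketched in the abstract above, and in the “Implementing Virtual Tamper Resistance without a Secure Channel” excerpt earlier on this page, is easier to follow with a concrete model. The code below is an added illustration written for this page; it is not Pomcor’s code and does not implement the patented method from the slides. The discrete-log group (the Mersenne prime 2**127 - 1 with generator 3), the Schnorr-style proof, the three-failure lockout, the 4-digit PIN space and the names `derive_keypair`, `KeyStorageService`, `enroll`, `unlock` and `all_pins_well_formed` are all assumptions of the example. What it does show is the point the posts make: the device keeps only a protocredential (a random salt) and data encrypted under a key it does not hold; protocredential plus any PIN regenerates a well-formed authentication key pair, so there is no oracle on the device to check a PIN against, and guessing can only happen online at the key storage service, which throttles it.

```python
import hashlib
import hmac
import secrets

# Toy discrete-log group for the illustration only (assumption, not the
# group used in the original work): Mersenne prime 2**127 - 1, generator 3.
# Exponents are reduced mod P - 1, which is all the verification equation
# below needs because G**(P-1) == 1 (mod P).
P = 2**127 - 1
G = 3
MAX_FAILURES = 3  # assumed lockout threshold at the key storage service


def derive_keypair(protocredential: bytes, pin: str):
    """Regenerate the device authentication key pair from the protocredential
    (a random salt kept on the device) and the PIN. Every PIN yields a
    well-formed pair, so nothing on the device reveals whether it is right."""
    digest = hmac.new(protocredential, pin.encode(), hashlib.sha256).digest()
    x = int.from_bytes(digest, "big") % (P - 1) or 1  # private exponent
    y = pow(G, x, P)                                   # public key
    return x, y


def prove(x: int, challenge: int):
    """Schnorr-style proof of knowledge of x for the service's challenge."""
    k = secrets.randbelow(P - 1)
    r = pow(G, k, P)
    s = (k + challenge * x) % (P - 1)
    return r, s


def verify(y: int, challenge: int, r: int, s: int) -> bool:
    """Check G**s == r * y**challenge (mod P)."""
    return pow(G, s, P) == (r * pow(y, challenge, P)) % P


class KeyStorageService:
    """Back end holding, per device, the public key and the data protection
    key (the 'credential encryption key' of the presentation)."""

    def __init__(self):
        self.devices = {}

    def register(self, device_id: str, y: int, dpk: bytes) -> None:
        self.devices[device_id] = {"y": y, "dpk": dpk, "failures": 0}

    def challenge(self) -> int:
        return secrets.randbelow(2**128)

    def retrieve_key(self, device_id: str, challenge: int, r: int, s: int):
        """Return the data protection key on a valid proof, otherwise count the
        failure. PIN guessing can only happen here, where it is throttled."""
        rec = self.devices[device_id]
        if rec["failures"] >= MAX_FAILURES:
            return None  # locked, even for a later correct PIN
        if verify(rec["y"], challenge, r, s):
            rec["failures"] = 0
            return rec["dpk"]
        rec["failures"] += 1
        return None


def enroll(service: KeyStorageService, device_id: str, pin: str):
    """Device registration. Returns the protocredential the device stores and
    the data protection key, which the device uses to encrypt its data and
    then discards; only the service retains it."""
    protocredential = secrets.token_bytes(32)
    _, y = derive_keypair(protocredential, pin)
    dpk = secrets.token_bytes(32)
    service.register(device_id, y, dpk)
    return protocredential, dpk


def unlock(service: KeyStorageService, device_id: str,
           protocredential: bytes, pin: str):
    """Regenerate the credential from protocredential + PIN, authenticate to
    the service and fetch the data protection key (None on failure/lockout)."""
    x, _ = derive_keypair(protocredential, pin)
    c = service.challenge()
    r, s = prove(x, c)
    return service.retrieve_key(device_id, c, r, s)


def all_pins_well_formed(protocredential: bytes, sample: int = 1000) -> bool:
    """The device holds no offline PIN oracle: every sampled 4-digit PIN
    regenerates a key pair whose proofs verify under its own public key."""
    for n in range(sample):
        x, y = derive_keypair(protocredential, f"{n:04d}")
        r, s = prove(x, 12345)
        if not verify(y, 12345, r, s):
            return False
    return True


if __name__ == "__main__":
    svc = KeyStorageService()
    proto, dpk = enroll(svc, "phone-1", "4821")  # constructed sample device
    print("correct PIN retrieves key:", unlock(svc, "phone-1", proto, "4821") == dpk)
    print("wrong PIN rejected:", unlock(svc, "phone-1", proto, "0000") is None)
    print("no offline oracle on device:", all_pins_well_formed(proto))
```

The contrast with a conventional software token is the `all_pins_well_formed` check: a key blob encrypted under a PIN-derived key and tagged with a MAC gives anyone holding the device a local test for each PIN guess, whereas here a wrong PIN produces a credential that is indistinguishable from the right one until the service rejects it and counts the failure. That is why the abstract can say a short numeric passcode suffices.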
Cryptography is an essential tool for addressing the privacy and
security issues faced by the Web and the Internet of Things. Sadly,
however, there is a chronic technology transfer failure that causes
important cryptographic techniques to be underutilized.
An example of an underutilized technique is Identity-Based
Cryptography. It is
used for secure
email, although not broadly. But, to my knowledge, it has never
been used to implement secure channel protocols, even though it has
the potential to provide great practical advantages over traditional
public key infrastructure if put to such usage. We pointed this out
white paper on TLS.
Now we have also shown the benefits of identity-based cryptography for
machine-to-machine communications, in
a new paper that we will
present at the Workshop on Security and Privacy in Machine-to-Machine
Communications (M2MSec, San
Francisco, October 29, 2014). Machine-to-machine communications fall
into many different use cases with very different requirements. So,
instead of proposing one particular technique, we propose in the paper
four different protocol design patterns that could be used to
specify a variety of different protocols.
Update (August 4). I should point out that there is a proposal
to use Identity-Based authenticated key exchange in conjunction with
MIKEY (Multimedia Internet KEYing), a key management scheme for SRTP
(Secure Real-Time Transport Protocol), which itself is used to provide
security for audio and video conferencing on the Internet. The
proposed authenticated key exchange protocol is called MIKEY-IBAKE and
is described in RFC
6267. This is an informational RFC rather than a standards-track
RFC, so it’s not clear if the proposed authenticated key exchange
method will be eventually deployed. Interestingly, MIKEY-IBAKE uses
identity-based encryption rather than identity-based key agreement.
This is also what we do in the M2MSec paper, but with a difference.
MIKEY-IBAKE uses identity-based encryption to carry ephemeral Elliptic
Curve Diffie-Hellman parameters, and thus does not reduce the number
of roundtrips. We use identity-based encryption to send a secret from
the initiator to the responder, and we eliminate roundtrips by
simultaneously sending application data protected with encryption and
authentication keys derived from the secret. This gives up replay
protection and forward secrecy for the first message; but replay
protection, as well as forward secrecy in two of the four patterns,
are provided from the second message onward.
I’ve been so busy that I haven’t had time to write for more than three
months, which is a pity because things have been happening and there
is much to report. I’m trying to catch up today.
The first thing to report is that Prof. Gopalakrishnan of the
University of Utah invited Karen Lewison and me to give a joint
talk at the University, on May 29. We talked about the need to
discussed earlier on this blog. The
slides can be found
at the usual location for papers and presentations at the bottom of
each page of this web site.
The University of Utah has a
renowned School of Computing and
it was quite stimulating to meet with faculty and discuss research
after the talk. We were happy to discover common research interests,
and we have been exploring the possibility of doing joint research
work with Profs.
Denning; we are thrilled that the prospects look promising.
Other things to report include that we had papers accepted at the
forthcoming M2MSec workshop and the forthcoming GlobalPlatform TEE
conference. I will report on that in the next two posts.