Easy, Password-Free, Cryptographic Authentication for Web Applications

For years there has been consensus that passwords have to go. To the many reasons for not using password authentication, the European GDPR will add, when it goes into effect on May 25, stringent requirements to notify users and regulators when passwords are compromised, backed by substantial fines. And yet, passwords are still the dominant authentication technology for web applications. This is because the alternatives that have been proposed and tried so far are complicated and expensive to implement. But there is a simple alternative that you can implement yourself, if you are a web application developer: cryptographic authentication with a digital-signature key pair stored in the browser.

At last week’s Internet Identity Workshop (IIW) we showed how easy it is to implement this alternative. We gave a demo of a sample web application, exercising the user interface and looking at the code. The sample application was implemented in Node.js and used the Pomcor JavaScript cryptographic library (PJCL) on the client and server sides. The code of the sample application, which we will refer to as the demo code, can be found in the PJCL page of the Pomcor site (subsequently modified as explained below to accommodate Internet Explorer).

Continue reading “Easy, Password-Free, Cryptographic Authentication for Web Applications”

Second Release of PJCL Expands Functionality Following NIST Cryptographic Specifications

Today we have released version 0.9.1 of the Pomcor JavaScript Crytpographic Library (PJCL). The initial public release provided digital signature functionality, which we had been using internally for our own research on authentication and identity proofing. This release adds key agreement and key derivation functionality. The next release will provide symmetric and asymmetric encryption primitives, including AES and RSA. To be notified of future releases you may sign up for the user forum, subscribe to this blog, or follow me on Twitter (@fcorella).

PJCL can be used in any JavaScript environment, both client-side (e.g. in a browser) and server-side (e.g. under Node.js). It comes with extensive documentation on the functionality that it provides, which includes:

Continue reading “Second Release of PJCL Expands Functionality Following NIST Cryptographic Specifications”

Pomcor Releases JavaScript Cryptographic and Big Integer Library

We have just released a beta version of a JavaScript cryptographic library usable in any JavaScript environment and based on very fast big integer arithmetic functionality that may be of interest in its own right.

The Pomcor JavaScript Cryptographic Library (PJCL) is available free of charge for any kind of use, but not under a traditional open source license. The traditional open source paradigm encourages contributions by the developer community at large, but we believe that this paradigm is not well suited to cryptography. To protect the integrity of the cryptographic code, the license prohibits modification of the cryptographic functions.

We have been using the library internally for our own research on authentication and identity proofing, and this first release includes symmetric and asymmetric digital signature functionality, including HMAC, DSA, and ECDSA with NIST curves. Future releases will provide broader cryptographic functionality, including encryption and key exchange. We believe that the library provides the only available JavaScript implementation of DSA, which is important to those wary of the opportunities for hiding backdoors that might be provided by elliptic curve technology.

The underlying big integer functionality includes Karatsuba multiplication. Continue reading “Pomcor Releases JavaScript Cryptographic and Big Integer Library”

Faster Modular Exponentiation in JavaScript

Modular exponentiation is the algorithm whose performance determines the performance and practicality of many public key cryptosystems, including RSA, DH and DSA. We have recently achieved a manyfold improvement in the performance of modular exponentiation in JavaScript over the implementation of modular exponentiation in the Stanford JavaScript Crypto Library (SJCL). JavaScript was originally intended for performing simple tasks in web pages, but it has grown into a sophisticated general purpose programming language used for both client and server computing, which is arguably the most important programming language today. Good performance of public key cryptography is difficult to achieve in JavaScript, because JavaScript is an interpreted language inherently slower than a compiled language such as C, and provides floating point arithmetic but no integer arithmetic. But fast JavaScript public key cryptography is worth the effort, because it may radically change the way cryptography is used in web applications. Continue reading “Faster Modular Exponentiation in JavaScript”