For years there has been consensus that passwords have to go. To
the many reasons for not using password authentication, the European
GDPR will add, when it goes into effect on May 25, stringent
requirements to notify users and regulators when passwords are
compromised, backed by substantial fines. And yet, passwords are
still the dominant authentication technology for web
applications. This is because the alternatives that have been proposed
and tried so far are complicated and expensive to implement. But there
is a simple alternative that you can implement yourself, if you are a
web application developer: cryptographic authentication with a
digital-signature key pair stored in the browser.
At last week’s Internet Identity
Workshop (IIW) we showed how easy it is to implement this
alternative. We gave a demo of a sample web application, exercising
the user interface and looking at the code. The sample application was
library (PJCL) on the client and server sides. The code of the sample
application, which we will refer to as the demo code, can be found in
the PJCL page of the Pomcor site (subsequently
modified as explained below to accommodate Internet Explorer).
Continue reading “Easy, Password-Free, Cryptographic Authentication for Web Applications”
Crytpographic Library (PJCL).
initial public release
provided digital signature functionality,
which we had been using internally for our own research
on authentication and identity proofing.
This release adds key agreement
and key derivation functionality. The next release will provide
symmetric and asymmetric encryption primitives, including
AES and RSA. To be notified of future releases you may sign up for the
user forum, subscribe
to this blog, or follow me on Twitter (@fcorella).
and server-side (e.g. under Node.js). It comes with
on the functionality that it provides, which includes:
Continue reading “Second Release of PJCL Expands Functionality Following NIST Cryptographic Specifications”
environment and based on very fast big integer arithmetic functionality that may be of interest in
its own right.
is available free of charge for any kind of
use, but not under a traditional open source license. The traditional open source paradigm
encourages contributions by the developer community at large, but we believe that this
paradigm is not well suited to cryptography. To protect the integrity of the cryptographic code, the
prohibits modification of the cryptographic functions.
We have been using the library internally for our own research on authentication and identity
proofing, and this first release includes symmetric and asymmetric digital signature functionality,
including HMAC, DSA, and ECDSA with NIST curves. Future releases will provide broader cryptographic
functionality, including encryption and key exchange. We believe that the library provides the
opportunities for hiding backdoors that might be provided by elliptic curve technology.
Modular exponentiation is the algorithm whose performance determines
the performance and practicality of many public key cryptosystems,
including RSA, DH and DSA. We have recently achieved a manyfold
over the implementation of modular exponentiation in the Stanford
for performing simple tasks in web pages, but it has grown into a
sophisticated general purpose programming language used for both
client and server computing, which is arguably the most important
programming language today. Good performance of public key
is an interpreted language inherently slower than a compiled language
such as C, and provides floating point arithmetic but no integer
effort, because it may radically change the way cryptography is used