CertiVox SkyPin White Paper
SkyPin:
ECC, in-browser, SSO, multi-factor authentication as a service for web, apps and mobile
Contents
Identity-based authenticated key agreement
SkyPin operations
SkyPin in operation in the browser client-server setting
SkyPin security considerations
Why using SkyPin is more secure than traditional One-Time Password (OTP) hardware tokens
Code
Patents
Welcome to SkyPin
SkyPin is a patented and patent-pending multi-factor authenticated key agreement protocol based on elliptic curve bilinear pairing cryptography. It was developed by CertiVox from the initial research and publication of Dr. Michael Scott in 2002, and updated in a new cryptographic research paper that is also available on the CertiVox Labs website. Dr. Scott is the Chief Cryptographer at CertiVox and the head of the CertiVox Labs research team in Dublin, Ireland. The underlying protocol has been extensively peer reviewed over the last decade, and no practical flaws or attacks against it are presently known.

The SkyPin Multi-Factor Authentication as a Service offering from CertiVox leverages the deployment model and distribution paradigm of the APS Authentication Protocol. The APS Authentication Protocol is a method of encapsulating identity information into an encrypted token in JSON format (based upon the IETF JOSE standards), which is uniquely encrypted for each consuming relying-party application. The specification was jointly developed by Parallels and CertiVox, and is used by both the Parallels SSO server (available in PA 5.5) and the SkyPin managed service to issue identity information to a relying party after successful authentication. The main difference between protocols like OAuth and the APS Authentication Protocol is the addition of strong cryptography, namely encryption and digital signatures, to secure the identity assertions between identity providers and relying parties. Additionally, the APS Authentication Protocol is lightweight: it is truly a one-pass protocol, and requires no complex user redirects or bandwidth-intensive workflows.
The APS Authentication Protocol is outside the scope of this white paper, but the reader is encouraged to find out more by downloading the APS Authentication Protocol white paper from the CertiVox Labs website and from the APS Organisation website at http://apsstandard.org/

SkyPin inherently includes techniques that support multi-factor authentication, whereby the user authenticates via a cryptographically strong secret, associated with their identity and issued by the Trusted Authority (TA) inside the SkyPin Multi-Factor Authentication as a Service. The uniqueness of the protocol comes from the way the secret is employed in an authenticated key agreement protocol: the secret is divided between a conceptual physical (or virtual) token and a memorized PIN, and (optionally) a biometric or other measurement, providing true multi-factor authentication. Further, the SkyPin authentication services are not required to store any information derived from the users' secrets or PINs, so there is no equivalent of a vulnerable password file stored on the SkyPin cloud service. In fact, neither the PIN nor a biometric should be stored anywhere (other than in the user's memory or as part of the user's body, respectively). The property of Perfect Forward Secrecy, a requirement for clients concerned about long-term privacy, is also supported. Lastly, because the solution is built on top of the MIRACL library and benefits from CertiVox's expertise of building protocols for low
T: +44 (0)20 3191 8294 | E: info@certivox.com | www.certivox.com | 81 Rivington Street, London, UK, EC2A 3AY. Registered in England & Wales 7017635
It sounds improbable: two parties trade big numbers over an insecure channel, and from those numbers each can compute the same key without ever sending it, or any hint of it, over that channel. An eavesdropper who records the whole exchange has no practical way of reconstructing the agreed session key. This protocol is not just a theoretical construct; you use it every day when you browse to a secured web page, as it is a critical ingredient of HTTPS. Exponential (Diffie-Hellman) key exchange protocols in and of themselves do not specify any prior agreement or subsequent authentication between the participants; hence, Diffie-Hellman on its own is often referred to as an anonymous key agreement protocol. The issue with anonymous key agreement protocols is that they provide no authentication of the other party, which leaves them vulnerable to a man-in-the-middle attack. An attacker makes independent connections with the two victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. A successful attacker is able to read all messages passing between the two victims and inject new ones, defeating the purpose of the key agreement protocol. Hence, authenticating the other party becomes critically important from a security standpoint when running a key agreement protocol.
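As an added example (not code from this white paper or from CertiVox), the Python below runs an unauthenticated Diffie-Hellman exchange twice, once honestly and once with Mallory relaying between Alice and Bob, and then shows the minimal fix the paragraph points at: authenticating the exchanged public values, here with an HMAC under a pre-shared key that Mallory does not hold. The group (the prime 2^127 - 1 with generator 5) is a constructed toy choice for speed; a real deployment uses a standardized group such as RFC 7919 ffdhe2048 or an elliptic curve. The party names and the pre-shared-key authentication are illustration only and are not SkyPin's mechanism, which authenticates with identity-based secrets.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: 2**127 - 1 is prime, chosen here for speed only.
# A real deployment uses a standard group (RFC 7919 ffdhe2048) or an elliptic curve.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, P-2]
    return x, pow(G, x, P)


def dh_session_key(priv, peer_pub):
    """Derive a 32-byte session key from the shared secret peer_pub^priv mod p."""
    z = pow(peer_pub, priv, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()


def anonymous_exchange(mitm):
    """Plain Diffie-Hellman between Alice and Bob.

    Returns (alice_key, bob_key, mallory_keys).  Without an attacker the two
    keys match and mallory_keys is None.  With Mallory relaying, Alice and Bob
    end up with different keys, and Mallory holds both of them.
    """
    a, A = dh_keypair()
    b, B = dh_keypair()
    if not mitm:
        return dh_session_key(a, B), dh_session_key(b, A), None

    m1, M1 = dh_keypair()   # Mallory's keypair facing Bob
    m2, M2 = dh_keypair()   # Mallory's keypair facing Alice
    alice_key = dh_session_key(a, M2)   # Alice received M2 believing it was B
    bob_key = dh_session_key(b, M1)     # Bob received M1 believing it was A
    mallory_keys = (dh_session_key(m2, A), dh_session_key(m1, B))
    return alice_key, bob_key, mallory_keys


def _tag(psk, role, pub):
    """MAC over a public value, bound to the sender's role so tags cannot be swapped."""
    return hmac.new(psk, role + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk, mitm):
    """Same exchange, but each public value carries an HMAC under a key Mallory lacks.

    Returns (alice_key, bob_key); None in a slot means that party rejected the
    exchange instead of deriving a key.
    """
    a, A = dh_keypair()
    b, B = dh_keypair()
    msg_to_bob = (A, _tag(psk, b"alice", A))
    if mitm:
        # Mallory substitutes her own value; without psk she can only guess the tag.
        _, M1 = dh_keypair()
        msg_to_bob = (M1, secrets.token_bytes(32))
    A_recv, tag_recv = msg_to_bob
    if not hmac.compare_digest(tag_recv, _tag(psk, b"alice", A_recv)):
        return None, None                  # Bob aborts; nothing goes back to Alice
    bob_key = dh_session_key(b, A_recv)
    B_recv, tag_recv = (B, _tag(psk, b"bob", B))
    if not hmac.compare_digest(tag_recv, _tag(psk, b"bob", B_recv)):
        return None, None                  # Alice aborts
    return dh_session_key(a, B_recv), bob_key


if __name__ == "__main__":
    ak, bk, _ = anonymous_exchange(mitm=False)
    print("honest DH, keys match:", ak == bk)
    ak, bk, (ma, mb) = anonymous_exchange(mitm=True)
    print("DH under MITM, keys match:", ak == bk, "| Mallory holds both:", (ma, mb) == (ak, bk))
    psk = secrets.token_bytes(32)
    print("authenticated DH under MITM:", authenticated_exchange(psk, mitm=True))
```

The attacker never breaks the mathematics: every key Mallory derives is a perfectly good Diffie-Hellman key. What she exploits is that nothing ties a public value to a party, which is exactly what the authenticated variant adds and what an identity-based scheme supplies without a pre-shared key.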
SkyPin operations
The following section describes the most commonly deployed method of using SkyPin, whereby a third-party website deploys SkyPin as the front-of-house authentication solution for its users by embedding the PIN pad in an iframe on the website, and web-service-to-web-service communication is secured using the APS Authentication Protocol. Other scenarios, such as using SkyPin inside a native application (mobile or desktop), can be supported with the SkyPin SDKs for those platforms. Those operations, while distinct, are not sufficiently different from the workflows described below, and will be documented in the SDKs for native and mobile operating systems as they are made available.

The SkyPin service takes advantage of the deployment model and distribution paradigm of the APS Authentication Protocol, as the SkyPin service is an Identity Provider (IDP). SkyPin has unique properties that support multi-factor authentication in a client-to-server setting; that is, the client authenticates via a protocol that utilizes a cryptographically strong secret associated with its identity. Note that the user's strong secret is never presented as proof of identity; it is used in an authenticated key agreement protocol. The strong secret, when initialized by the user, is further divided into a mathematical token (which can be stored insecurely) and a memorized PIN, and could include a biometric measurement as well to provide a third factor of authentication. If this reads like a familiar everyday operation, it should. As stated previously, the real-world analogue is an ATM network debit card, where the mathematical token is on your ATM card (actually on the magnetic stripe). To initialize the ATM debit card, you chose your 4-digit PIN at your local bank branch.
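The token-plus-PIN split is the part of that description a practitioner most wants to see concretely. The Python below is an added illustration, not CertiVox code and not the pairing-based SkyPin protocol: it works in the ordinary secp256k1 group, derives a per-identity point H(ID) by hashing the identity, has a Trusted Authority issue the client secret S = s*H(ID) from a master secret s, and then splits S additively into a token T = S - PIN*H(ID) that may be stored in the clear and a PIN the user memorizes. The function names, the sample PIN, the identity string (taken from the figure) and the use of a master-secret comparison at the TA in place of the real key agreement are assumptions made for this example. It also shows the caveat that matters for a short PIN: every one of the 10,000 candidate reconstructions from a stolen token is a valid curve point, so the token alone does not let an attacker confirm a guess offline; confirming one needs s (or a run of the key agreement against the server), which is where guessing can be throttled.

```python
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over GF(p), prime order n, cofactor 1, p == 3 (mod 4).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None  # point at infinity


def ec_add(P1, P2):
    """Affine point addition; also handles doubling and the identity element."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return O
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_neg(P1):
    return O if P1 is O else (P1[0], (-P1[1]) % p)


def ec_mul(k, P1):
    """Double-and-add scalar multiplication k*P1."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R


def hash_to_point(identity):
    """H(ID): hash the identity to an x coordinate and increment until it lies on the curve."""
    x = int.from_bytes(hashlib.sha256(identity).digest(), "big") % p
    while True:
        rhs = (pow(x, 3, p) + 7) % p
        y = pow(rhs, (p + 1) // 4, p)        # square root when one exists, since p == 3 mod 4
        if y * y % p == rhs:
            return x, y
        x = (x + 1) % p


# Trusted Authority side: one master secret, nothing stored per user.
MASTER_SECRET = secrets.randbelow(n - 1) + 1


def issue_client_secret(identity):
    """TA issues S = s * H(ID) to the user at enrolment (assumed issuance step)."""
    return ec_mul(MASTER_SECRET, hash_to_point(identity))


def split_secret(identity, client_secret, pin):
    """Client side: token T = S - PIN * H(ID).  T may be stored insecurely; the PIN is not stored."""
    return ec_add(client_secret, ec_neg(ec_mul(pin, hash_to_point(identity))))


def reconstruct(identity, token, pin):
    """Client side at login: S' = T + PIN * H(ID), equal to S only for the correct PIN."""
    return ec_add(token, ec_mul(pin, hash_to_point(identity)))


def count_candidates(identity, token, pin_digits=4):
    """Number of distinct points T + k*H(ID) over every k-digit PIN k.

    All of them are valid curve points, so an attacker holding only the token
    cannot test PIN guesses offline; telling the right one apart needs the
    TA's master secret or a run of the key agreement against the server.
    """
    hid = hash_to_point(identity)
    cand, seen = token, set()
    for _ in range(10 ** pin_digits):
        seen.add(cand)
        cand = ec_add(cand, hid)          # next PIN candidate costs one addition
    return len(seen)


if __name__ == "__main__":
    ident = b"vince.noir@gmail.com"       # identity taken from the figure
    S = issue_client_secret(ident)
    token = split_secret(ident, S, 4721)  # constructed sample PIN
    print("right PIN recovers S:", reconstruct(ident, token, 4721) == S)
    print("wrong PIN recovers S:", reconstruct(ident, token, 4722) == S)
    print("distinct offline candidates from the token:", count_candidates(ident, token))
```

Two properties carry over to the real system regardless of the group used: the server holds a master secret and the identity, not anything derived from the user's PIN, and a lost token is worth nothing by itself until a PIN guess is checked against the server.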
[Figure: SkyPin in operation. The user (example identity vince.noir@gmail.com) enters a PIN on the PIN pad (digits 0-9); the authentication service provider and the application complete the authentication. Callouts: User identity crosses infrastructure boundaries; IEEE and IETF standards based; One-pass protocol; Maximum security.]
Why using SkyPin is more secure than traditional One-Time Password (OTP) hardware tokens
Employing an OTP hardware token in a simple one-way authentication in the presence of a man-in-the-middle (MITM) or man-in-the-browser (MITB) is like showing your ID (passport, fingerprints) to a fake police officer. The user is strongly authenticated, but to the wrong party, because both the incoming and outgoing data channels can be controlled by the attacker. For example, when a user attempts to log into a bank website with a username, password and an OTP, the attacker can spoof the IP address of the end user to fool the bank, can sniff whatever is sent to the end user, and can redirect the user's traffic to fake sites that
Code
The cryptography described herein is powered by MIRACL, an open-source cryptographic library available for download at www.certivox.com. If you require a commercial license outside of the scope of the AGPL license, please contact sales@certivox.com.
Patents
SkyPin utilizes a number of patent-pending and patented technologies of which CertiVox is the exclusive licensee; EP Patent No. 1 730 88 (EP Application No. 05718824.5) granted by the European Patent Office on 13th October 2010 for Verification of Identity Based Signatories and US Patent No. 7,860,247 granted on December 28th 2010 for Identity Based Encryption.