Another entry in the internet security hall of shame....

Nick Owen nowen at wikidsystems.com
Mon Aug 29 17:51:39 EDT 2005


I would appreciate your thoughts on WiKID.  We use asymmetric keys to
encrypt PINs and one-time passcodes between a client and the server. The
server talks to various network clients using protocols such as LDAP,
RADIUS, or our own SSL-tunneled wAuth protocol.  We believe that
replacing passwords is the right economic model to fund PK deployment
widely to consumers.  The client can then be extended to provide
encryption for apps such as the credit card app described below.

We have just released a version of WiKID under the GPL.  The GPL client
uses RSA encryption.  The non-GPL version uses NTRU, making it suitable
for wireless clients (RSA key gen on a Java cell phone is a bitch).

We have set up http://www.wikidsystems.net as our open source home page
and https://sourceforge.net/projects/wikid-twofactor/ is the sourceforge
project page as well - which includes a white paper and documentation.
Comments and contributions are much appreciated.

tia,

Nick

Ian G wrote:
> Anne & Lynn Wheeler wrote:
> 
>> the major ISPs are already starting to provide a lot of security
>> software to their customers.
>>
>> a very straight forward one would be if they provided public key
>> software ... to (generate if necessary) and register a public key in
>> lieu of password ... and also support the PPP & radius option of having
>> digital signature authentication in lieu of password checking
>> http://www.garlic.com/~lynn/subpubkey.html#radius
> 
> 
> Right.  And do the primary authentication of the key
> using some other mechanism that is outside the strict
> crypto.
> 
> (IOW, Dave, your plan will work, as long as it is
> built from ground up with no prior baggage!  IMHO!)
> 
> This is such a no-brainer that when I first came
> across the solution over a decade ago now, I never
> gave a thought as to how it could be anything but
> the one way to do things.  It just works, and very
> little else works anywhere as well.
> 
> Yet, we are still grubbing around like cavemen in
> the mud.  And then there is this:
> 
> http://www.business2.com/b2/web/articles/print/0,17925,1096807,00.html
> 
> $5M  Mobile ID for Credit Card Purchases
> WHO: John Occhipinti, Woodside Fund, Redwood Shores, Calif.
> WHO HE IS: A former executive at Oracle and Netscape, Occhipinti is a
> managing director and security specialist, leading investments in
> BorderWare and Tacit.
> WHAT HE WANTS: Fraudproof credit card authorization via cell phones and
> PDAs.
> WHY IT'S SMART: Credit card fraud is more rampant than ever, and
> consumers aren't the only ones feeling the pain. Last year banks and
> merchants lost more than $2 billion to fraud. Most of that could be
> eliminated if they offered two-part authentication with credit and debit
> purchases -- something akin to using a SecureID code as well as a
> password to access e-mail. Occhipinti thinks the cell phone, packaged
> with the right software, presents an ideal solution. Imagine getting a
> text message on your phone from a merchant, prompting you for a password
> or code to approve the $100 purchase you just made on your home PC or at
> the mall. It's an extra step, but one that most consumers would be happy
> to take to safeguard their privacy. More important, Occhipinti says, big
> banks would pay dearly to be able to offer the service. "It's a killer
> app no one's touched yet," Occhipinti says, "but the technology's within
> reach."
> WHAT HE WANTS FROM YOU: A finished prototype application within eight
> months. "I'm looking for the best technologists in security and
> wireless, the top 2 percent in their industry," Occhipinti says. The
> team would need to be working with a handful of banks and merchants
> ready to start trials, in hopes of licensing the technology or selling
> the company.
> SEND YOUR PLAN TO: jco at woodsidefund.com
> 
> The funniest part of all is that even though we
> know how to do it in our sleep, Paypal actually
> built one as their "original offering" and threw
> it away...
> 
>> at that point your public key is now registered with your ISP ... and
>> possibly could be used for other things as well ... and scaffolding for
>> a certificateless trust infrastructure.
> 
> 
> Yup.  But this will only work if you go back to
> basics and build the structure naturally around
> the keys.  IOW, not using anything from PKI.
> 
>> lots & lots of past postings on SSL landscape
>> http://www.garlic.com/~lynn/subpubkey.html#sslcert
> 
> 
> Watching security thinking advance is like watching
> primates evolve from close distance.  Either we die
> of old age before anything happens, or we get clubbed
> to death...
> 
> iang
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 

-- 

Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
