HTTPS mutual authentication alpha release - please test

Nick Owen nowen at wikidsystems.com
Mon Oct 31 09:49:57 EST 2005


Happy Halloween! In what we hope will be a Halloween tradition, we have
a new release available for testing. WiKID is pleased to announce the
alpha release of a major upgrade under the GPL featuring a cryptographic
method of mutual authentication for HTTPS:

WiKID-2.1: SOMETHING_WiKID_THIS_WAY_COMES

The token client is available at sourceforge:
http://prdownloads.sourceforge.net/wikid-twofactor/WiKID_Token_Client-2.1-prerelease.zip?download

The system works this way: Each WiKID domain now can include a
'registered URL' field and a hash of that website's SSL certificate.  When
a user wants to log onto a secure web site, they start the WiKID token
and enter their PIN. The PIN is encrypted and sent to the WiKID server
along with a one-time use AES key and the registered URL.  The server
responds with a hash of the website's SSL certificate.  The token client
fetches the SSL certificate of the website and compares it to the hash.  If
the hashes don't match, the user gets an error.  If they match, the user
is presented with the registered URL and the passcode.  On supported
systems, the token client will launch the default browser to the
registered URL.

We are currently seeking testers for this early release.  You do not
need to set up a WiKID server to test. We have set up a WiKID server for
you.  Testers will need to download the latest J2SE WiKID token from
sourceforge.  Testing information can be found here:

https://sourceforge.net/forum/forum.php?thread_id=1376617&forum_id=484250

Most one-time-password systems suffer from man-in-the-middle attacks
primarily due to difficulties users have with validating SSL
certificates. The goal of this release is to validate certificates for
the end user, providing an SSH-esque security for web-enabled
applications such as online banking.

Any feedback is much appreciated.

Sincerely,

Nick
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
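
The certificate check the message describes (fetch the site's certificate, hash it, compare with the hash the server returned), as an added example that is not WiKID's code. The function names, the use of SHA-256 over the DER-encoded certificate, the decision to keep normal CA validation on, and the bank.example data are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlsplit


class CertificateMismatch(Exception):
    """The site's certificate does not hash to the value the server supplied."""


def fetch_der_cert(host, port, timeout=5.0):
    """Fetch the site's leaf certificate (DER) over a live TLS handshake."""
    ctx = ssl.create_default_context()  # assumption: normal CA checks stay on too
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def normalize_hash(text):
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return text.replace(":", "").replace(" ", "").strip().lower()


def verify_registered_url(registered_url, server_hash, fetch=fetch_der_cert):
    """Return the URL only if the site's certificate hashes to server_hash."""
    parts = urlsplit(registered_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("registered URL must be an https:// URL")
    der = fetch(parts.hostname, parts.port or 443)
    actual = hashlib.sha256(der).hexdigest()  # assumption: SHA-256 over the DER bytes
    if not hmac.compare_digest(actual, normalize_hash(server_hash)):
        raise CertificateMismatch(f"certificate for {parts.hostname} does not match")
    return registered_url


# Constructed sample data: stand-in byte strings, not real certificates.
GENUINE_CERT = b"constructed-der-bytes-for-bank.example"
INTERPOSED_CERT = b"constructed-der-bytes-from-a-proxy"
SERVER_HASH = hashlib.sha256(GENUINE_CERT).hexdigest().upper()

if __name__ == "__main__":
    url = "https://bank.example/login"
    print(verify_registered_url(url, SERVER_HASH, fetch=lambda h, p: GENUINE_CERT))
    try:
        verify_registered_url(url, SERVER_HASH, fetch=lambda h, p: INTERPOSED_CERT)
    except CertificateMismatch as exc:
        print("blocked:", exc)
```

The passcode and browser launch would only follow a successful return; on CertificateMismatch the client stops and shows the error.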


