Internet has opened a new way to conduct business and changed our shopping behaviors. More and more businesses are moving to the on-line media for transactions and payments. Consumer banking, applications i.e. e-trade, Google, PayPal, health industries, document management, etc. are all using Internet.
With the coming of opportunities, there are also new threats from the “Bad Guys” who are looking for the opportunities to capture users’ identities and use them for their own benefits. Phishing, session hijacking, man in the middle attack and others put shadows and also challenge the reliabilities and availability of the online business.
A solution is written very clearly on the board: “We must enhance the security, in particular, the user authentication”. The aim of it is to bring back the huge potentials of the online business and improve the trust and reliability of on-line services. As for today, in some countries, it is already mandatory to use two-factor authentication in the finance sectors. In USA, two-factor authentication solutions are already gaining importance. Many organizations are moving to a strong two-factor authentication, using different solutions like tokens, Vasco, RSA, Verisign, Actividentity and many others. In addition, Software tokens like the OATH tokens, a Java midlet on mobile devices, SMS, scratch card, biometrics and other strong authentications have been deployed to protect online application against the hackers who are trying to steal users’ identities and making use of them.
DSSS, with a very powerful enterprise Authentication Server, is a major player in two-factor authentication (2FA) technology.
Being a “PKI” company that has moved to the 2FA, we woke up one morning and asked ourselves what else we could do once we have deployed two-factor authentication and how we could enhance the transaction security. We also asked why we could not use the strong authentication to certify the signing keys and enhance the transaction security with digital signature for non-repudiation
as well. With in-depth thinking and exploring, we came with the idea of One Time Private Key (OTPK) which allows the users to generate their signing keys and use their strong authentication to certify the signing keys and sign the transaction/document, hereafter the signing keys will be erased.
2. About OTPK
The main concept behind OTPK is that the Private Key is a One-Time Private Key. In a typical PKI (or asymmetric key) system, each user has to initially register securely (e.g. two-factor authentication) to the CA in order to be issued a digital certificate. Subsequently, with the possession of the certificate, the user can use the Private Key for the duration of the certificate validity to compute a valid and recognized digital signature for transactions.
In contrast, the Private Key in the OTPK system is for one-time or per-session use only. In the OTPK PKI system, a user will always generate a new Private Key by himself and register securely with the CA in order to be issued with a digital certificate for every transaction or for every session. Once the Private Key is used or when it is expired with the session, the Private Key is erased and discarded. There is no need to permanently store the Private Key in any media. Although such a process sounds cumbersome, the overheads are actually not much more than any mobile credential solution and the benefits are tremendous.
The setup of the OTPK requires the CA to have online authentication and certification facility to fulfill all certification requests at a much higher throughput than the existing PKI setups. The end-user machine would require a plug-in implemented entirely in software to generate the Private Key and send the public key for certification, to perform the digital signature operation, and then to securely delete the Private key. The plug-in can be implemented as a PKCS#11 or CAPI DLL or even as a zero-install Java applet embedded within the web browser. A focal point is in the authentication facility needed to support the CA. Since some organizations are already investing some forms of strong authentication infrastructure for e-business needs, the OTPK technology will enable them to extend their investment to support PKI without the overheads and extra costs. Note that there is no compromise in terms of security since the issuance of the certificate is done in the same manner for both typical and OTPK PKI, except that the number of certificate requests is much higher in the OTPK case. Face-to-face verification, which is usually done during the issuance of smart cards can also be done by OTPK during the issuance of the hardware tokens.
We might consider changing the words Public Key Infrastructure (PKI) to Digital Signature Infrastructure (DSI) to better reflect the simplicity we bring to the digital signature implementation, that is, everywhere, anywhere, anytime, full mobility with a very low cost of ownership.
3. Advantages Of OTPK
The advantages of OTPK over the existing PKI systems are:
No need for smart cards for entities;
Much smaller window of compromise;
A simple and straight forward enhancement of the 2FA with digital signature;
No need for large LDAP systems;
No need to maintain CRL;
Low learning curve;
Easy interface into two-factor / biometric or other authentication solutions;
Private Key always in the possession of the user (comply to many digital signature laws) and protocol is interchangeable for all asymmetric algorithms (RSA, Elliptic curve others) and can be used even on mobile devices;
Very scalable solution (can be deployed to many services that as for today could not fully deployed and use digital signature like, Consumer Banking, e-Bay, PayPal, Google, document management and can easily support millions of users);
Efficient and effective business and pricing model for CA (companies like credit cards, online trading, document management, and all the way to many government services can use a central CA to support all their services)
Very easy to change the signing algorithm it take to change the applet only to move from RSA 1024 to 2048, or use same application to use ECC and RSA for full mobility
4. Conclusion
The use of PKI for authentication failed when we tried to deploy it to the consumer users that need a low cost while full mobility solution. It is much easier to provide a strong user authentication with the two-factor authentication technology. Today many industries such as finance, health and others are moving and installing strong two-factor authentication solutions, for example, tokens, SMS, etc. in view of the needs, why not to use the two-factor authentication to certify the signing keys and move to the DSI concept that provide a strong non-repudiation
on top of the strong authentication. This will not only enhance the transaction integrity but also make it much more difficult for internal intruders to manipulate the transactions.
In the market we can find different solutions from various vendors that either generate for the user a key pair and keep the credential on their server and when you need to sign you will hash the transaction and send the hash to be sign on the server on the entity behalf, or solutions that send you the signing key encrypted and you use a phrase to decrypt the signing key and sign the transactions.
Both technologies were developed before the big “BOOM” and change in customer behavior after introducing the 2FA to the mass production, DSSS OTPK technology trying to solve the same traditional problem how to deploy a digital signature solution by moving away from the PKI concept to the DSI concept simplifying the certification process and reducing the overhead to implement digital signature to what you really need, “A DIGITAL SIGNATURE”
The OTPK system is a paradigm shift in PKI technology. It describes a simple and secure mechanism to deploy a large number of certificates across a large user base all over the globe with relatively little cost and logistics. DSSS is currently implementing the OTPK protocol and concept into the DSSS Authentication Server and further enhancing it with XKMS and WS-Security. More details of the Authentication Server can be found at http://www.datasecurity3.com The OTPK is patent-pending USPTO 60/590.348.
This article has been contributed by Zvi Efroni who is also the copyright owner. The views expressed in this article are of the author and not of the publication. Zvi is the founder and acting managing director of Data Security System Solutions Pte. Ltd. (DSSS). Previous to joining DSSS, Zvi was the Manager for Cylink Corporation Asia Pacific operations, and the Managing Director of Algorithmic Research (AR) Pte. Ltd., a leading data security subsidiary of AR Israel.
Zvi has extensive experience in managing the regional Asia Pacific Data Security companies for the past 10 years, developing markets and strategies for market Data Security solutions to major banks, governments and finance institutes in the Asia Pacific region, and participating in definitions and implementation of security and PKI solutions in large scale projects.
Zvi holds Bachelor of Science (B.Sc.) Electronic Engineering University of Ben-Gurion Beer Sheva Israel.
