Re: Zero Knowledge Authentication? (was Cryptolog Unicity Software-Only Digital Certificates)

2003-12-14 Thread Anton Stiglic
 Previously used primarily in scientific/academic applications, zero
 knowledge authentication is a method of proving a user's identity without
 revealing his password to the verifier.

So anybody knows exactly what this zero-knowledge authentication is
that they use?

 Using this technology, Unicity
 allows companies to issue digital certificates securely on a software-only
 basis, eliminating the need to supply employees, partners and clients with
 special hardware, or to require them to locally store certificates on their
 computers. The private data is never stored on the user's hard drive, and
 is erased from the RAM as soon as the user no longer needs it.

This part about storing private keys on a server is not novel.  The company
that I work for has a similar solution with respect to this, it's called
HotSign:

http://www.okiok.com/index.jsp?page=Hot+Sign

--Anton

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Zero Knowledge Authentication? (was Cryptolog Unicity Software-Only Digital Certificates)

2003-12-14 Thread Joseph Ashwood
- Original Message - 
From: R. A. Hettinga [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 8:47 AM
Subject: Zero Knowledge Authentication? (was Cryptolog Unicity
Software-Only Digital Certificates)


 Launch Marks the First Commercial Use of Zero-Knowledge Authentication

I've snipped the rest, because it is primarily not useful beyond this. They
are highly incorrect about their launch being the first commercial use of
ZKA, as a matter of fact I was involved in implementing one for commercial
use, and I was a part of a mandatory workforce reduction (aka laid off)
from that company 2 1/2 years ago. I will admit we never referred to it as
Zero Knowledge Authentication which just sounds like a mass of crap thrown
together to sound geeky. Instead we used zero knowledge proof of knowledge
(in particular a PIN), and used that proof to provide authentication. I can
also tell you that if you're dealing with some high security requirements
(such as the claim of high security in the press release), there are some
very tricky situations and I found a number of unpublished attacks against
such systems (all were addressed before the product shipped, except the one
I address below which is inherent). So to anyone looking at such a system, I
recommend that they give it at least 2 years to mature and be attacked, and
even then make sure that a number of worthwhile names have actually looked
at the protocols involved, and the implementation.

With that said, I see little reason that such systems need to exist, you
continually end up coming back to "but what is it actually good for?" The
truth is that with a small piece of knowledge, only a small number of
accounts need their existence known to compromise the system. An example,
simple PIN-based system, e.g. ATM bank card network, PIN must be at least 4
digits, and a maximum of 6. First, statistically the vast majority of PINs
will be 4 digits. Now contrary to reality, we will assume that the PINs are
chosen randomly (most people choose a pattern). The fact is that with 4
digits there are only 10,000 possible PINs, so only 5000 guesses need to be
made to on average have broken into one account. From there the standard is
that each account is given 3 guesses before disabling, so only 1667 cards
have to be uncovered in order to break into an account. Now realistically,
how long will this take? Here in the US ATM cards can be uniquely identified
by 16 digits (it's been linked into the Visa network), this makes acquiring
the card number easy. Acquiring the number of 1667 cards is almost trivial.

On such high security systems, they invariably have further problems. The
base information required for a user to log in can be downloaded free of
security (for roaming), this allows an attacker to simply download all the
login credentials for the entire enterprise. In many cases large companies
will have more than 1667 people who have root access on the network. This is
a fatal flaw for the design, and unfortunately for such systems this is a
flaw that cannot be addressed except by switching to passphrases, something
that would lower their usability (their biggest selling point) to the same
level of all other secure systems.
Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com
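The flaw Joe describes above is that a per-account lockout never fires when an attacker spreads a few guesses over many accounts. The following is an added detection example, not code from the post or from any product named in the thread; the log format, field names and sample lines are constructed assumptions, and the detector keys on the source rather than the account so that this spread pattern becomes visible.

```python
"""Flag sources that fail against many distinct accounts while staying
below the per-account lockout bar. Log layout is an assumption:
'<iso-timestamp> <FAIL|OK> <account> <source>'."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source probes five accounts, never more than
# twice each; a second source is a user who mistyped once then logged in.
SAMPLE_LOG = """\
2003-12-10T08:00:01 FAIL alice 198.51.100.7
2003-12-10T08:00:02 FAIL alice 198.51.100.7
2003-12-10T08:00:04 FAIL bob 198.51.100.7
2003-12-10T08:00:05 FAIL bob 198.51.100.7
2003-12-10T08:00:07 FAIL carol 198.51.100.7
2003-12-10T08:00:09 FAIL dave 198.51.100.7
2003-12-10T08:00:11 FAIL erin 198.51.100.7
2003-12-10T08:01:00 FAIL frank 203.0.113.9
2003-12-10T08:01:30 OK frank 203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, outcome, account, source) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def spray_sources(log, window=timedelta(minutes=5), min_accounts=3):
    """Return {source: sorted distinct accounts} for every source that produced
    failures against at least `min_accounts` different accounts inside `window`.
    A per-account counter (the lockout) sees at most two failures per account
    here; the per-source view is what exposes the pattern."""
    events = sorted(e for e in parse(log) if e[1] == "FAIL")
    alerts = {}
    for i, (ts, _, _, src) in enumerate(events):
        per_account = defaultdict(int)
        for t2, _, acct, s2 in events[i:]:
            if t2 - ts > window:
                break
            if s2 == src:
                per_account[acct] += 1
        # keep the widest window seen for this source
        if len(per_account) >= min_accounts and len(per_account) > len(alerts.get(src, ())):
            alerts[src] = sorted(per_account)
    return alerts


if __name__ == "__main__":
    for src, accounts in spray_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(accounts)} distinct accounts probed: {accounts}")
```

Tune `window` and `min_accounts` to the site's normal failure rate; the per-source threshold, not the per-account lockout, is the control that bounds how many accounts one attacker can probe.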



Zero Knowledge Authentication? (was Cryptolog Unicity Software-Only Digital Certificates)

2003-12-11 Thread R. A. Hettinga
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20031210005099&newsLang=en

December 10, 2003 09:02 AM US Eastern Timezone
Cryptolog Introduces Unicity -- the First Software-Only Solution Enabling
Digital Certificates to Be Issued in High Security and High Volume
Environments

Infosecurity 2003

Booth # 144

NEW YORK--(BUSINESS WIRE)--Dec. 10, 2003--

Launch Marks the First Commercial Use of Zero-Knowledge Authentication

Cryptolog, a leading data security and cryptography firm, today launched
Unicity, a new software-only solution that deploys digital certificates to
end-users based on zero knowledge authentication and virtual smart cards.
Unicity marks the first commercial use of zero knowledge authentication.

Previously used primarily in scientific/academic applications, zero
knowledge authentication is a method of proving a user's identity without
revealing his password to the verifier. Using this technology, Unicity
allows companies to issue digital certificates securely on a software-only
basis, eliminating the need to supply employees, partners and clients with
special hardware, or to require them to locally store certificates on their
computers. The private data is never stored on the user's hard drive, and
is erased from the RAM as soon as the user no longer needs it.

How Unicity Works

1. Zero knowledge authentication

2. Retrieval of internal key

3. Retrieval of virtual smart card with encrypted data

4. Local decryption

5. Use of the private key

Unicity Offers A Clear Competitive Advantage

With regards to digital certification, none of the current solutions to
distribute private keys to end-users offers an ideal trade-off between cost
and security. With its virtual smart card technology, Cryptolog offers a
highly secure, easy-to-use solution to store digital certificates and
private keys. The solution can be used with or without an existing PKI and
is highly adaptable in a variety of contexts, such as online banking and
transactions, digital signature, secure collaborative work, data
protection, secure e-mail, strong authentication, simple PKI deployment and
digital vote.

"Our Unicity solution solves the problem of private data storage typically
associated with Public-Key Infrastructures (PKI)," stated Alexandre Stern,
president of Cryptolog. "By replacing smart cards or USB tokens with our
innovative software system, customers will experience a simpler and faster
deployment and receive a much lower total cost of ownership."

The Unicity solution consists of a virtual smart card server and various
applications, available as plug-ins or as Java applets, and enables users
to complete the following tasks:

-- Authenticate and certify transactions

Especially appropriate to financial services firms and payment providers,
Unicity helps protect against electronic fraud by giving each employee or
client a unique digital identity. A user can then use this identity to
authenticate himself or to digitally sign transactions.

-- Encrypt and sign e-mails

The digital identities provided via the Unicity solution can be used to
encrypt and electronically sign emails, giving legal value to digital
documents. Users do not need to change anything to their existing mail
infrastructure.

-- Implement a secure collaborative platform

Combining Unicity software with a server dedicated to data storage,
customers can be provided with a 'virtual safe.' Users can store documents
securely and provide access rights to select individuals. The platform also
manages the digital signature feature adapted for collaborative projects,
notably in the legal field or for research-based projects.

Release of the Unicity Solution follows two years of intensive research
work in Europe. It is compatible with a variety of software applications,
including: Internet Explorer, Netscape Navigator, Mozilla (for strong
authentication), Outlook, Outlook Express, Netscape Mail, Lotus Notes v6
(for e-mail signature and encryption).

About Cryptolog International

Founded in 2001, Cryptolog is a leading data security and cryptography firm
dedicated to protecting companies' and governments' sensitive information
and fighting digital fraud on open networks. Cryptolog has assembled a
world-class team of cryptography researchers to develop innovative
approaches to distributing secure content to end-users, as well as private
keys used within a Public-Key Infrastructure (PKI). Cryptolog is currently
working with two of the largest French banks, a leading European insurance
company, two of the world's largest telecom operators and various
governmental agencies. Additional U.S. customers are expected to be
announced in early 2004.
Contact: Citigate Cunningham
Sandy George, 617-374-4210

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar