Authentication on Mobile Devices – Crypto and
Session Topic: New Cryptographic Authentication Method for Mobile Devices with Optional Biometrics
Tuesday 3D
Convener: Francisco Corella, Karen Lewison
Notes-taker(s): Karen Lewison
Passwords are difficult to use on mobile devices, and provide little security. Francisco presented a new authentication method that does not require passwords. The slides can be found at http://pomcor.com/documents/NewAuthMethod.pdf.
Highlights:
• No passwords (neither ordinary passwords nor one-time passwords)
• Public key cryptography without certificates
• Optional biometric authentication, without storing a biometric template
• Optional use of a trusted 3rd party
• App developers insulated from cryptographic and biometric complexities
• No browser modifications needed on mobile devices
• Can be adapted for desktop/laptop use via browser plug-ins
Questions from participants:
1. Does the technique for biometric authentication without storing a template apply to other biometric modalities besides iris? Yes, it is independent of the modality, and can also be used to implement physical unclonable functions (PUFs). See blog post http://pomcor.com/2012/10/07/consistent-results-from-inconsistent-data/.
2. How are the credentials created? There is a section on user registration in the white paper http://pomcor.com/whitepapers/MobileAuthentication.pdf.
3. Can the authentication token be captured by a man-in-the-middle attack? No, because the connection from the PBB to the VBB is protected by TLS.
4. How do you deal with a malicious native app registering a custom scheme used by a legitimate application? We assume that all apps on the device are trusted. If that is not the case, the PBB can be embedded in the native application front-end to avoid the necessity of inter-app communication between the PBB and the native front-end of the legitimate application.
5. Has this method been subjected to cryptanalysis? We presented it to the NIST Cryptographic Key Management Workshop in September 2012, and we intend to send a paper to a peer-reviewed conference.
6. Can the method for regenerating an RSA key pair from a biometric key be used to bind a signature made by the private key to a biometric? Francisco wasn't sure.
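Questions 1 and 6 both turn on the idea of deriving a stable key from a noisy biometric without keeping a template. The following is an added illustration, not code from the session, the slides, or Pomcor: it uses a textbook fuzzy commitment (a random key is encoded with a repetition code and XORed with the enrollment sample; only that "helper data" is kept, and a fresh sample within the code's error budget regenerates the key). The repetition code, the 32-bit key length, the function names and the constructed sample bits are all assumptions chosen for the demonstration; the page's own method derives an RSA key pair from the regenerated key, which is not shown here.

```python
"""Fuzzy-commitment sketch: regenerate a key from a noisy biometric with no stored template.
Illustrative, stdlib-only code written for these notes; not Pomcor's construction."""
import hashlib
import random

REPEAT = 7       # repetition-code block length; majority vote corrects up to 3 flips per block
KEY_BITS = 32    # length of the random key bound to the biometric at enrollment (assumed)


def encode(key_bits):
    """Repetition code: every key bit becomes REPEAT identical codeword bits."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(code_bits):
    """Majority vote per block; correct while at most REPEAT // 2 bits of a block are flipped."""
    return [1 if sum(code_bits[i:i + REPEAT]) > REPEAT // 2 else 0
            for i in range(0, len(code_bits), REPEAT)]


def enroll(biometric_bits, key_bits):
    """Helper data = codeword XOR enrollment sample. Only this is stored on the device;
    neither the key nor the biometric sample is kept anywhere."""
    codeword = encode(key_bits)
    if len(codeword) != len(biometric_bits):
        raise ValueError("biometric sample must have %d bits" % len(codeword))
    return [c ^ b for c, b in zip(codeword, biometric_bits)]


def regenerate(helper_bits, fresh_biometric_bits):
    """XOR a fresh (noisy) sample with the helper data, then error-correct back to the key."""
    noisy_codeword = [h ^ b for h, b in zip(helper_bits, fresh_biometric_bits)]
    return decode(noisy_codeword)


def key_material(key_bits):
    """Hash the recovered bits into a fixed-size secret (e.g. a seed for key-pair generation)."""
    packed = int("".join(map(str, key_bits)), 2).to_bytes((len(key_bits) + 7) // 8, "big")
    return hashlib.sha256(packed).hexdigest()


def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample data (seeded so the run is reproducible). A real sample would be
# an iris code or another binarised feature vector of the same length.
_rng = random.Random(2012)
ENROLL_SAMPLE = [_rng.randint(0, 1) for _ in range(KEY_BITS * REPEAT)]
KEY = [_rng.randint(0, 1) for _ in range(KEY_BITS)]
HELPER = enroll(ENROLL_SAMPLE, KEY)


def demo():
    """Return (key recovered under tolerable noise, key recovered under excessive noise)."""
    # 5 flipped bits, but no block has more than 3: decoding succeeds.
    good = regenerate(HELPER, flip(ENROLL_SAMPLE, [0, 1, 2, 9, 20]))
    # 4 flipped bits all inside block 0: the majority vote for key bit 0 inverts.
    bad = regenerate(HELPER, flip(ENROLL_SAMPLE, [0, 1, 2, 3]))
    return (key_material(good) == key_material(KEY),
            key_material(bad) == key_material(KEY))


if __name__ == "__main__":
    print(demo())
```

The error budget is what makes the scheme usable: sensor readings of the same iris never match bit for bit, so the code's correction capacity must exceed the expected intra-user variation while staying below the inter-user distance, otherwise a different person's sample would also regenerate the key. A repetition code is the simplest choice for showing the mechanism; deployed systems use stronger codes and an analysis of the helper data's leakage.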