The Alauda PBY smartphone client application is a secure Signature Creation Application (SCA) for smartphones. The Alauda SCA implements a mobile subscriber's mobile PKI service. The smartphone application works together with the Kiuru MSSP platform and the backend hardware security module to deliver a remote signing solution with highly assured control of PKI keys. The app always keeps a part of the private key, which assures the user's sole control of the key.
- Two-factor authentication (2FA) with out-of-band transaction approval
- Key splitting technology for distributing signing keys between HSM/SAM and the app client
- Secure remote protocol for managing user authentication
- End-to-end message security
- Compliant with eIDAS and CEN 419 241-2 protection profile for remote signing
Split Key mechanism for Remote PKI Key management
User signing keys in Alauda PBY are generated at a remote Hardware Security Module (HSM). Key generation is initiated by a KeyGen operation requested by the app. After key pair generation, the HSM encrypts the private key and exports the encrypted key to the Signature Activation Module (SAM). The SAM splits the encrypted key into two parts:
- Local Part stored in the SAM database,
- Remote Part stored on the smartphone
When the App receives the KeyGen response, it asks the user to define a PIN. The PIN is used to create an encryption key, which encrypts the Remote Part before it is stored on the smartphone.
Key splitting guarantees that the Alauda PBY client application, the remote signature activation module and the hardware security module must all be present when signing.
Zero-knowledge User authentication
User authentication to the signing key in Alauda PBY is via a PIN, fingerprint or FaceID (iOS only) defined by the user during the initial activation. PIN verification is based on a zero-knowledge proof: a method by which the App can prove to the SAM that the user knows the PIN value without conveying any information about the actual PIN value.
The protocol Alauda PBY uses is the Secure Remote Password protocol (SRP). There are currently many standardized variations of SRP in IETF and ISO. Alauda uses the SRP6(b) version. With Alauda SRP6, the value of the PIN is never stored either in the App or on the server.
SRP6 is a secure password-based authentication and key-exchange protocol. It solves the problem of securely authenticating users without exchanging PIN values over the network. This way, even if the entities are compromised, the attacker cannot impersonate the client. In addition, SRP6 exchanges a cryptographically strong secret as a by-product of successful authentication, which enables the two parties to communicate securely.
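The exchange described above, as an added example that is not Alauda's code: a minimal SRP-6a run showing what the server stores at activation and which values cross the network during login. The RFC 5054 1024-bit group, SHA-256, the hashing and padding layout, and the names `enroll`, `login` and `private_x` are assumptions, since the page does not give the SRP6(b) parameters.

```python
import hashlib, hmac, secrets

# 1024-bit group from RFC 5054 Appendix A with g = 2 (assumed demo parameters).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
PAD = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 of the parts as an integer; integers are left-padded to len(N)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(PAD, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(salt, user, pin):
    """Client-side secret derived from the PIN; never sent or stored."""
    return H(salt, H(user + b":" + pin))

def enroll(user, pin):
    """Activation: the server keeps only (salt, verifier v = g^x mod N)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, pin), N)

def login(user, pin, record):
    """One authentication run; True if the server accepts the client's proof."""
    salt, v = record
    a = secrets.randbelow(N - 1) + 1             # client ephemeral secret
    A = pow(g, a, N)                             # client -> server: user, A
    b = secrets.randbelow(N - 1) + 1             # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N               # server -> client: salt, B
    if A % N == 0 or B % N == 0:                 # each side rejects a zero value
        return False
    u = H(A, B)                                  # public scrambling parameter
    x = private_x(salt, user, pin)               # recomputed from the typed PIN
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    m1_client = H(A, B, H(S_client))             # client -> server: proof M1
    m1_server = H(A, B, H(S_server))             # server's expected proof
    return hmac.compare_digest(m1_client.to_bytes(32, "big"),
                               m1_server.to_bytes(32, "big"))
```

Only `user`, `A`, `salt`, `B` and the proof cross the network; the server-side record is `(salt, v)`. Because a PIN has little entropy, that record still needs protection against offline guessing.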
All messages to the Alauda PBY app are sent using TLS and encapsulated in the Alauda PBY protocol. The Alauda PBY protocol is an end-to-end encrypted protocol from the SAM server to the Alauda PBY App.
Encryption keys are exchanged dynamically during activation. Similarly, all messages contain a Message Authentication Code (MAC) for authenticating messages between the app and the remote SAM.
Simplified user enrolment and activation
Activating Mobile ID on Alauda PBY is as easy as downloading the app, registering on an RA portal and scanning a QR code. Thereafter, the user can start using Mobile ID through the Alauda PBY app.