Cool Projects using JSR82 [3] : PhoneID
June 20, 2007
Ah yes. Smart Cards. Remember them? In "the future" we'd all have smart cards, and they would uniquely identify us, and we could use them... well... for everything. Logging in, swiping in to offices, securing our PCs, opening our front doors, car doors, paying for our shopping, using the train, and so on, and so on.
Except of course, that didn't happen.
Some manufacturers put Smart Card readers in their PCs and Laptops and waited expectantly for the "killer apps" to appear. Apart from certain SOX-or-security obsessed organisations, where people have to use them for work (or even for the photocopier), they haven't caught on. My mother's never used one, and she probably never will.
However, what smart cards were originally intended to do for the user remains attractive: a single sign-on for computers or the web wherever you are, and one card to carry for payment, travel, car, house, office, and so on. In certain countries, what DID happen is that the mobile phone began to be used for some of these tasks. Japan especially led the way in using the phone for small payments (vending machines, corner shops), train ticketing (swipe your phone at the turnstile, if you have the right model), and so on.
Which brings us to today's project: PhoneID, the brainchild of Naomaru Itoi. His pitch is to use something most people now have with them (duh, a mobile phone), as storage for your trusted web ids/passwords. He explains it much better than me - so I'm going to shut up.
Give us a brief description of the project. How did it come about - what was the inspiration?
The project, PhoneID, is a framework for using a mobile phone for user authentication. The inspiration was that every Internet user seemed to be suffering from what I call a "password hell". We all need to remember too many passwords and type them too many times. We end up using the same password over and over, or writing them down, making us vulnerable to identity theft. It is scary that most websites and security applications rely on passwords for user authentication. Once the password is stolen, a cracker can completely impersonate you. All the carefully created security architecture is gone.
This problem must be solved somehow. Smart cards are supposed to be the savior, i.e., the single security token that provides single sign-on to all the websites and security applications. However, they are not growing rapidly enough because nobody has a smart card and a reader to start with.
I thought maybe a mobile phone could be the security token for single sign-on. Almost every Internet user already has a mobile phone, and it has much computational power. Thanks to technologies like Bluetooth and JSR-82, it can communicate with a host PC at a high rate. It is a very good replacement for a smart card. This is how I started PhoneID.
In PhoneID, a J2ME enabled mobile phone stores user secrets such as passwords and keys. The phone would send passwords and other information to a host computer through Bluetooth and JSR-82.
Currently, it supports Windows Login through pGINA, and Website Login through Internet Explorer. We will expand it to support one time passwords, PKI, file encryption, etc. Check it out at http://www.phoneid.org/
Tell us a little bit about yourself. What's your background? What are you working on in general?
I was born in Japan, and came to the United States for graduate school. I received a Ph.D. from the University of Michigan, working on the integration of secure hardware (smart cards, HSMs) into modern computer systems. After that, I worked on smart cards and cryptographic programming at Sun Microsystems, ActivIdentity and Arcot Systems. I left my job at Arcot to found PhoneID.org, and this is my main project now. The mission of PhoneID.org is to solve the password problem using a mobile phone.
My resume can be found here.
http://www.citi.umich.edu/u/itoi/resume.html
How long have you been working on the project?
Two and a half months.
What stage is it at now?
The first two applications, Windows Login and Website Login, are in production.
What inspired it? Were there particular limitations of JSR82 or other technology that you were trying to address?
The password hell inspired it. JSR-82 technology has been good enough for me.
What was the biggest problem or roadblock you had to deal with in the project?
The biggest problem is that not all (or not enough) mobile phones support JSR-82. But I believe this is changing.
In terms of technology, there were a couple of things:
• There is no widely used tutorial to learn J2ME and JSR82 programming. Ben Hui's web site comes the closest.
• There is no ASN.1 parser that runs on a J2ME device. I had to write a simple marshaling tool.
• Configuration of the Bluetooth device on Windows is done manually, not programmatically. I would like to automate this in an installer, but it is hard.
How do you see the results of the project being used?
It is getting attention. The next step is to make it used by a lot of people.
What's next? What do you hope to work on over the next 12 months?
I would like to integrate PhoneID with KeePass, which is an open source password management program. By doing this, KeePass users would be able to store and view their passwords on a J2ME phone. JSR-82 will play a crucial role here, too.
After that, there are many things I would like to add to PhoneID. Implement one time password, especially OATH, with J2ME and send the result to PC through JSR-82. Implement PKI (digital signature) with J2ME and integrate it into existing e-mail applications. Implement file encryption with J2ME and integrate it into encryption software like TrueCrypt.
Anything else I should have asked you? Anything else you'd like to say?
PhoneID tries to solve the real, widespread problem of the password hell. As far as I know, it is the first project to use a mobile phone to attack this problem. It is also unique in that it is an open source project. I chose this route because I wanted to solve many people's problems, not just a few. Right now I have no income, but I am looking for a way to make enough money to survive, while keeping this project open source. It is essential for an open source project to get many users and developers involved, so please join in my effort.
Once again - you can get all the information at http://www.phoneid.org/
Thank you for taking your time.
Comments
In your post on "Cool Projects using JSR82 [3] : PhoneID", you pose the question "What was the biggest problem or roadblock you had to deal with in the project?" and have under one of the bullets "There is no ASN.1 parser that runs on J2ME device. I had to write a simple marshaling tool."
Please see http://www.oss.com/products/asn1java/enhancements.html for information on an ASN.1 Tool that does support J2ME.
Paul E. Thorpe