Serious Sign lets you use your mobile phone as an authentication token by means of a Midlet application, also called Serious Sign. It works as follows:
When Serious Sign starts up for the first time it prompts for a secret (see screenshots). This secret is shared between the midlet and the server, preferably out-of-band, e.g. via SMS or a PIN letter. It also prompts for an optional PIN so that no one can use the secret even if the device is lost. You can then select the application:
- One Time Password: In OTP mode the midlet signs a time value derived from the phone's clock.
- Signature: In signature mode the midlet signs a numerical challenge provided by the server at signing time.
The midlet (v2) calculates the HMAC-SHA1 value (v1 used plain SHA1) over the secret and the challenge or time value and presents a substring of the resulting hash (currently position 20-26, but this can be changed in the source). The server performs the same calculation and verifies whether the response matches the request. Since the secret should be really secret, only the owner of the secret can calculate the right response. A man-in-the-middle only sees varying responses and cannot deduce the secret from them.
The OTP mechanism uses the phone's clock (time in microseconds / 100.000, resulting in 100 second slots). As the clocks of mobiles need not be fully in sync, the test facility tries 10 slots before and 10 slots after the current time. If the OTP validation succeeds within this 20 slot window it reports the distance (e.g. -1) from the browser's time. In real applications the server can then decide whether it still allows the OTP and update the user's profile with the calculated distance, so that it can be taken into account during the next OTP validation.
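The following is an added server-side example of the verification described in the two paragraphs above; it is not code from the Serious Sign project. It assumes the message fed to HMAC-SHA1 is the decimal challenge or time-slot value as ASCII, that "position 20-26" means the Python slice hash[20:26] of the hex digest, and that the clock is read in milliseconds (as Java's System.currentTimeMillis() returns) so that dividing by 100000 gives the 100-second slots the page describes. The shared secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import time
from typing import Optional

SLOT_MS = 100_000            # 100-second slots (assumes a millisecond clock)
WINDOW = 10                  # accept 10 slots before and 10 slots after the server's slot
# Assumption: the page's "position 20-26" is taken as the 0-based, end-exclusive
# slice [20:26] of the hex digest, i.e. six hex characters (24 bits).
RESP_START, RESP_END = 20, 26


def response(secret: bytes, value: int) -> str:
    """v2 scheme: HMAC-SHA1 over the decimal challenge/time value, then a substring.

    Assumption: the midlet feeds the value to the HMAC as its ASCII decimal string.
    """
    digest = hmac.new(secret, str(value).encode("ascii"), hashlib.sha1).hexdigest()
    return digest[RESP_START:RESP_END]


def time_slot(epoch_ms: int) -> int:
    """Map a millisecond timestamp to its 100-second slot number."""
    return epoch_ms // SLOT_MS


def verify_signature(secret: bytes, challenge: int, resp: str) -> bool:
    """Signature mode: the server recomputes the response for its own challenge."""
    # Constant-time comparison so the server does not leak how many characters matched.
    return hmac.compare_digest(response(secret, challenge), resp)


def verify_otp(secret: bytes, resp: str, server_ms: Optional[int] = None) -> Optional[int]:
    """OTP mode: search +/-WINDOW slots around the server's clock.

    Returns the slot distance (phone slot minus server slot, e.g. -1) on success,
    or None if no slot in the window produces the submitted response. The caller
    can store the distance in the user's profile and apply it next time.
    """
    if server_ms is None:
        server_ms = int(time.time() * 1000)
    base = time_slot(server_ms)
    for distance in range(-WINDOW, WINDOW + 1):
        if hmac.compare_digest(response(secret, base + distance), resp):
            return distance
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed; real secrets come out-of-band
    now_ms = int(time.time() * 1000)
    phone_ms = now_ms - SLOT_MS                  # simulate a phone clock 100 s behind
    otp = response(secret, time_slot(phone_ms))
    print("OTP", otp, "accepted at distance", verify_otp(secret, otp, now_ms))
    print("signature ok:", verify_signature(secret, 4711, response(secret, 4711)))
```

Because the response is only six hex characters, each verification attempt has 21 chances of matching one of 16 million values across the window; a server using this scheme should rate-limit failed attempts and refuse to accept the same OTP twice within a slot, otherwise a captured response stays valid for the rest of the window.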
A note about clocks
The CLDC 1.0 spec says the phone should use UTC to calculate seconds since the epoch. My Nokia does not take DST into account, so the test facility compensates for that if needed. The Sun emulators do take DST into account.
You can download the Midlet and use the software provided by your phone manufacturer to install it. Alternatively, point your mobile browser to http://serious-thinking.nl/ssm