Nov 24th 2021

Zalter Asymmetric Key Authentication System

Zalter launches the first on market passwordless authentication system based on asymmetric key cryptography.
Valentin Popescu

Security engineer

On November 24th 2021, Zalter managed to launch the first on the market Asymmetric Key Authentication System (AKAS). We could not be more excited about how our team members have come together to produce this state-of-the-art security system for the web. This technology has been proven for many years before in systems like SSH, SSL, TLS, PGP, banking, aviation, military and many other industries, but has never been made available to the general public.

We decided that this has to change so with the recent changes in the browsers that allow them to create asymmetric keys and store them in browser storage, we seized the opportunity to bring this amazing system to the one market that needs it the most. With this, we envision solving the most prominent problems in the web industry that have been made even more obvious by the recent pandemic: account take overs (ATO), phishing, impersonation and many other issues related to stolen digital identity, when people needed the most (remote work, online classes, stay home, isolation, etc.).

We cannot stress enough about the damages that such stolen identities and their actors can harm our society in these trying times, so we turned to the technology in an attempt to solve what we see as the biggest issue in the market at the moment.

We bring to the market AKAS.

What is AKAS?

Asymmetric Key Authentication System stands for the system that allows the browser to create a public + private key pair through advanced mathematical problems like prime numbers, factorization or elliptic curve cryptography, and allow the hash creation for every message or request that is being created or sent from the browser. The private key, as the name suggests, is kept private in the browser storage and is never sent through the wire to any server. We understand that some people would claim that HTTPs should be enough, but we all know that man-in-the-middle attacks (MITM) are possible due to certificate authority poisoning on customer machines, or in unsecured networks (public wi-fi networks, corporate/enterprise guest networks, etc.).

The way Zalter libraries, then, sign the requests, do not allow for these requests to be intercepted, changed, or otherwise modified, nor can they be replayed (replay-attack), which is one of the common type of attacks against OAuth/cookie based systems. Due to the fact, that the private key is never sent, neither unauthorized people in the network nor the ISPs, or any other third-party entity is able to alter the messages or requests.

Our technology can also be used, due to its nature, as a legal biding message between the users and the providers of services because of the non-repudiation aspect of signature mechanisms.

How it works

A user visiting a service or product provider (website), attempts to login proving a secure contact method, such as email (later on we’ll support SMS), a short living one-time code is generated on Zalter servers and sent to the user contact recipient. The user will enter the given code in a form; at which point; the library generates the key pair (currently RSA4096 or higher), and sends the public part to Zalter authentication service along with a signature and the above mentioned code. This allows us to ensure that the user is known by our systems. All subsequent requests made by the user to either our services or the website of our direct customer are signed with the private key, but this private key is never sent along with the requests.

An access key that has been generated on storing the public key is sent instead to help us identify the user public key which can then be used to verify the authenticity of their messages and requests.

The website owner (our direct customer) servers upon receiving a request from the user can, by using a private service account identity via our server-side libraries, requests the user public key and verifies the signature of the original request. Neither the contents of the requests nor any other information regarding this request is sent to us. This ensures the privacy of your users unlike other signature based authentication systems (symmetric keys), and further more ensures that the message has never been tampered with by any third-party entity.

Valentin Popescu

With over 20 years of experience serving companies from banking to gaming comes with a plethora of tech skills ranging from architecture to AI.