Authentication based on signing a challenge
OpenSignX is a Java applet that gives browsers the capability to generate client-side signatures using PKI X.509 digital certificates. The applet is based on www.openOCES.org. It uses PKCS#11 Java keystores to generate XAdES electronic signatures that envelop one or more documents. The OpenSignX code is available for download at SourceForge.net. OpenSignX can be used as an alternative method of user authentication for websites: users authenticate by signing a challenge presented to them by the server of the website they want to access. On receiving the signature, the server verifies that the signed text derives from the challenge it provided. Challenge–response authentication prevents the replay of a previously signed token, an attack to which authentication methods not based on challenges are vulnerable (for example, the OpenLogon method included in openOCES's OpenSign). This authentication method is therefore immune to the phishing and man-in-the-middle techniques used in attempts to gain fraudulent access. In addition, challenge signing combines the challenge with a random value, which protects the user against being sent by the server a challenge whose semantic content was chosen for fraudulent purposes. To run the examples you may want to obtain a digital certificate that installs automatically in your browser.
OpenSignX has been partially subsidized by the Centre d'Innovació i Desenvolupament Empresarial (CIDEM), of the Work and Industry Department of the Generalitat of Catalonia, under the project "DinaCert: Dinamizador de Firma-e para PYME basado en Certificados del DNI-e y otros PSCs" (DinaCert: E-Signature Dynamizer for SMEs based on DNI-e Certificates and other PSCs).

