Keyfusion System Software

Keyfusion produces five software products that cover authentication and non-repudiation for both e-commerce transaction assurance and secure network access. This software is sold separately or bundled together as complete Transaction System Server software or Access System Server software. Keyfusion also makes its technology available for licensing.

Key Distribution Server (KDS)
Generates RSA key pairs on the fly and uses the key generation algorithm to encrypt the keys with 3DES for distribution and storage.

The KDS, or Key Distribution Server, generates RSA key pairs for distribution to the end user client. The KDS generates a key pair upon registration; vetting the end user client's identity is not a function of the Keyfusion technology, so the network customer must set its own standards for evaluating a request for a key. The KDS reads the end user client's root number from their browser plug-in and uses the key generation algorithm to run a function on the root number and generate a secret key. This secret key is then used to encrypt the private key using the 3DES block cipher in stream cipher mode. The private key is then distributed to the end user client and stored on the end user client's Privacy Plug-in browser module. Once this is complete, the end user can make a request to an e-commerce web server for a transaction, or to a network database server for access; the end user client is authenticated before gaining access to the network. KDS implementations store the public key of the key pair in a database module known as the LDAP.

Authentication Server (AS)
Retrieves keys from the Privacy Plug-in for authentication. Follows the Matrix design principle, in which a number of other methods are also used for authentication, including flag files, browser serial number, plug-in root number, password and, when available, the Reference key.

The Authentication Server (AS) uses the public key to authenticate all transactions. It does this by first issuing a random transaction number to the end user. The transaction number is different for every transaction and is generated by a Monte Carlo random number generator. The AS also issues flag files unique to each end user to protect the Privacy Plug-in; the flag files are checked before the transaction number and the key generation algorithm are issued to the browser plug-in. The key generation algorithm runs a function on the Privacy Plug-in root number to generate the secret key. The secret key is then run through the 3DES function in stream cipher mode to decrypt the private key, and the private key encrypts the transaction number. The encrypted transaction number is returned to the AS along with the end user's password, their root number and a reading of their system clock. The AS queries the Keyfusion LDAP database for the file addressed to that end user, and the public key in that file decrypts the transaction number. If the decrypted number matches the original transaction number issued to the end user, the user's system clock is within the default time allotment (typically 5 minutes), the flag files are present, and the browser ID and password match, then the end user is authenticated.
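The challenge-response check described above, modelled as an added example (not Keyfusion's own code): textbook RSA with toy primes stands in for the real key pair, a dictionary stands in for the closed LDAP record, and all function and field names are hypothetical. The plug-in's 3DES unwrapping of the private key is left out; the private exponent is used directly.

```python
import hmac
import secrets

# Toy RSA parameters (constructed; far too small for real use).
P, Q = 61, 53
N = P * Q                           # modulus, 3233
E = 17                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, 2753

CLOCK_WINDOW = 300  # the page's default allotment: 5 minutes, in seconds

# Constructed stand-in for the closed LDAP record, keyed by plug-in root number.
LDAP = {
    1001: {"pub": (N, E), "password": "hunter2", "browser_id": "BR-42",
           "flag_files": {"flag-a", "flag-b"}},
}


def issue_transaction_number(pub):
    """AS side: a fresh random challenge in [2, n-1] for this transaction."""
    n, _ = pub
    return secrets.randbelow(n - 2) + 2


def client_respond(txn, priv, password, root, browser_id, flags, clock):
    """Privacy Plug-in side: 'encrypt' the challenge with the private key and
    bundle it with the other Matrix factors the page lists."""
    n, d = priv
    return {"root": root, "enc_txn": pow(txn, d, n), "password": password,
            "browser_id": browser_id, "flag_files": set(flags), "clock": clock}


def authenticate(txn, resp, now):
    """AS side: look up the record by root number, recover the challenge with
    the public key, then check every factor; fail closed on the first miss."""
    rec = LDAP.get(resp["root"])
    if rec is None:
        return False, "unknown root number"
    n, e = rec["pub"]
    if pow(resp["enc_txn"], e, n) != txn:
        return False, "transaction number mismatch"
    if abs(now - resp["clock"]) > CLOCK_WINDOW:
        return False, "clock outside window"
    if not rec["flag_files"] <= resp["flag_files"]:
        return False, "flag files missing"
    if resp["browser_id"] != rec["browser_id"]:
        return False, "browser id mismatch"
    if not hmac.compare_digest(resp["password"], rec["password"]):
        return False, "password mismatch"
    return True, "authenticated"
```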

Transaction Server (TS)
Provides real-time non-repudiation services to a transaction, including a signed message digest of the receipt or agreement.

Keyfusion uses XML to create web-based documents that can be generated on the fly from data entered directly in the transaction. The Transaction Server then creates a message digest of the document using SHA, and the end user signs the message digest with their private key to create a legally binding digital contract. The XML-based document can be customized for anything from a basic e-commerce receipt, to an online logbook for access to a server appliance, to more complex and lengthy online contracts and agreements. The Transaction Server allows these online documents to be generated on the fly and distributed in real time for the end user to sign.

Lightweight Access Control Directory Database (LDAP)
Stores the public key of the key pair along with all other Matrix design account data. File data is stored under the customer's plug-in root number. No identifying personal information is stored.

The LDAP, or Lightweight Directory Access Protocol, is the core database in which all end users' public keys are stored for authentication. End user files are stored under their unique browser plug-in root number, which is issued by Keyfusion with the download of every Keyfusion Privacy Plug-in module. No two Privacy Plug-in modules have the same root number. Unlike the open directory of a traditional PKI, the LDAP directory database is kept secret, just as Keyfusion also keeps public keys secret. It is a closed system accessed only by the AS server. The LDAP stores the end user's public key, password, browser ID, flag files and root number. The end user's name and personal information are never stored in the Keyfusion system. Accounts are stored in complete anonymity.

Reference Key Server (RKS)
Retrieves the Reference key from the plug-in and authenticates it at the issuing bank, which acts as the CA in a transaction hierarchy.

The Reference Key Server adds a CA structure to the Keyfusion system, allowing us to develop an end-to-end transaction system from the consumer to the bank or card issuer for authenticated secure transactions. This end-to-end solution is centered on the e-commerce provider, who controls the customer base, customer information, account transactions and non-repudiation. The relationship runs from the consumer to the e-commerce retailer, and then from the e-commerce retailer to the bank or card issuer. A separate relationship exists between the bank or card issuer and their customer. Thus a triangle of authentication is created, with the bank or card issuer acting as the overriding CA that verifies the validity of a customer who presents a method of payment drawn on their bank or agency. Once the validity of the customer has been established on their first visit to the e-commerce retailer, the retailer controls the one-to-one relationship with the customer, knowing that they have been authenticated. This process of authentication is based on the Keyfusion PKI structure. The bank issues a Reference key to every user with a valid account. The e-commerce retailer issues a key pair to every one of their customers once the Reference key has been verified.

System Servers
This software is sold separately or bundled together as complete Transaction System Server software or System Access Server software. A single Transaction Server is available for purchase that bundles the KDS, AS, TS and LDAP software modules into one server platform. The System Access Server is designed to provide network authentication without the need for non-repudiation and consists of the KDS, AS and LDAP software modules on a single server platform. For reliability, it is possible to have backup and fail-over Keyfusion System Servers. These are referred to as slave servers. The slaves all synchronize their databases from the Keyfusion LDAP.

Keyfusion Privacy Plug-in
The Keyfusion Privacy Plug-in can be downloaded free of charge from our download page. Consumers use the Privacy Plug-in to securely store private keys issued to them by e-commerce web sites or an enterprise network that is enabled with the Keyfusion system. The Keyfusion Privacy Plug-in prompts the consumer for a password, just as many e-commerce web sites currently do, to allow access to the customer's account. The use of the private key for authentication and digital signatures occurs invisibly in the background. After the consumer has made their purchase they are issued a digital receipt of the transaction, just like the paper receipt they would receive from a brick-and-mortar store. The consumer saves this receipt to their hard drive to keep a record of all their transactions.

The Keyfusion Privacy Plug-in is the client module that securely stores and processes the end user's private keys. In Keyfusion, all authentications take place between clients and servers. The Privacy Plug-in module is software that is downloaded for free, runs in the end user's browser and securely stores all their private keys. The plug-in software also executes the Keyfusion functions for authentication and non-repudiation using the end user's processing power. All operations in the Privacy Plug-in module are completely transparent to the end user. A Privacy Plug-in is typically a client user, but any principal can be a client (unless for some reason the administrator has explicitly forbidden this principal to be a client). Every Privacy Plug-in is issued with a unique root number for identification and for processing of the key generation algorithm. All root numbers are different and are issued sequentially. Flag files are also distributed to the Privacy Plug-in and the end user's PC from the AS server. These are required to ensure the Privacy Plug-in module has not been stolen. Authentication proceeds by a search of directory files until the flag files are verified. In Keyfusion, the Privacy Plug-in is any entity that gets a transaction number from a Keyfusion Transaction Server and encrypts the transaction number with a private key that is securely stored on the 'key chain' in the client's browser.
