Transaction Security
The security of the Bekoz Mobile system is built upon tamper-resistant modules at both ends: the mobile handset (in the form of a SIM based on Java Card technology) and the Hardware Security Modules (HSM) at the central Bekoz service. Cryptographic keys, diversified so that no two keys are the same, are stored at each device and allow for the end-to-end secure communication necessary to ensure the overall security of the Bekoz service.
Identity verification
Identity verification is performed through the generation and validation of One Time Passwords (OTP): pseudo-random sequences of numbers that seem completely random yet follow a known sequence governed by a secret key. Transaction replay is completely eliminated by generating a new OTP for every transaction. The OTP can only be generated at the SIM after the successful input of the PIN. The OTP can only be checked by Bekoz.
Message authentication
A message (including the OTP described above) can be put through a well-known and respected one-way hashing function such as SHA-1, generating a message digest. This message digest is then encrypted using the secret key to generate a Message Authentication Code (MAC). When a message is received, a new message digest is created and compared with the decrypted MAC. If the two are the same, the message has not been modified en route and is authentic. Even a single bit change or transposition is detectable by this means.
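The identity verification and message authentication steps above can be sketched together as follows. This is an added example, not Bekoz code. It assumes an RFC 4226 style counter-based OTP, an HMAC-based key diversification, and HMAC-SHA-1 in place of the encrypted SHA-1 digest the page describes; all function names, keys, SIM identifiers and messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

MASTER_KEY = b"constructed-demo-master-key"  # constructed; stands in for the HSM key

def diversify(master_key, sim_id):
    """Derive a per-SIM key so that no two SIMs share a key (assumed scheme)."""
    return hmac.new(master_key, sim_id.encode(), hashlib.sha256).digest()

def otp(key, counter, digits=6):
    """Counter-based OTP using RFC 4226 (HOTP) truncation (assumed scheme)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def tag(key, code, payload):
    """MAC over OTP and payload; HMAC-SHA-1 replaces the encrypted digest."""
    return hmac.new(key, code.encode() + payload, hashlib.sha1).hexdigest()

def sign(key, counter, payload):
    """SIM side, after PIN entry: attach a fresh OTP and the MAC."""
    code = otp(key, counter)
    return {"otp": code, "payload": payload, "mac": tag(key, code, payload)}

class Verifier:
    """Service side: checks the MAC, then the OTP for the next expected counter."""
    def __init__(self, master_key):
        self.master_key = master_key
        self.next_counter = {}  # sim_id -> counter of the next acceptable OTP

    def verify(self, sim_id, msg):
        key = diversify(self.master_key, sim_id)
        if not hmac.compare_digest(tag(key, msg["otp"], msg["payload"]), msg["mac"]):
            return "bad-mac"   # modified in transit, or made with another SIM's key
        counter = self.next_counter.get(sim_id, 0)
        if not hmac.compare_digest(otp(key, counter), msg["otp"]):
            return "bad-otp"   # stale OTP: a replayed transaction lands here
        self.next_counter[sim_id] = counter + 1  # each OTP is accepted once
        return "ok"

if __name__ == "__main__":
    service = Verifier(MASTER_KEY)
    sim_key = diversify(MASTER_KEY, "sim-0001")   # constructed SIM identifier
    msg = sign(sim_key, 0, b"PAY 10 TO 5550100")  # constructed transaction
    print(service.verify("sim-0001", msg))        # first delivery
    print(service.verify("sim-0001", msg))        # replay of the same message
    print(service.verify("sim-0001", dict(msg, payload=b"PAY 90 TO 5550100")))
```

A deployed verifier would also need a look-ahead window for counters that drift when a message is lost; that is left out of this sketch.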
Message Confidentiality
Bekoz takes its information extremely seriously and no user information is shared outside Bekoz without the express permission of the Bekoz user. Such authorization is requested by secure message to the user’s mobile phone, which requires the entry of the PIN to authorize information distribution.
All messages from the user to Bekoz are checked for validity using a combination of caller ID (provided by the mobile operator), OTP and MAC provided by the SIM after PIN validation.
In addition, all messages from Bekoz to the user may be encrypted and can only be read on the destination mobile phone upon entry of the corresponding PIN which authorizes the secret key in the SIM to decrypt the message.