About KYPS
How it works
News
Mac spyware infiltrates popular download sites [Jun 1st, 2010]
Hacker sells 1.5m stolen Facebook username/passwords [Apr 25th, 2010]
Qakbot Steals 2GB of Confidential Data per Week [Apr 22nd, 2010]
Botnet used to steal credentials of over 800K users [Mar 3rd, 2010]
Stealing passwords advertised as major feature of new crimeware toolkit [Feb 10th, 2010]
German cops bust cybercrime forum [Mar 4rd, 2009]
Firefox plug-in Trojan harvests logins [Dec 8th, 2008]
Keep Your Password Secret
safely login despite keyloggers and spyware
This page provides a technical overview of some of the inner workings of KYPS. This overview is divided into three sections: the operation of KYPS (a) when generating one-time codes, (b) when you login, and (c) when you click on some link after you have logged into some website.
generation of one-time codes
KYPS generates always 40 one-time codes at a time, as follows. First it generates a list of 40 "pads", where each pad is a string of 144 pseudorandom bits.
If the the password of the account for which one-time codes are being generated has been registered with KYPS, then the KYPS server computes your list of one-time codes by bitwise xoring (the appropriate number of bits of) each pad with your password. The codes are returned to you in two formats: compact codes and word codes (see this page for detailed information on code formats). Note that the server deletes the codes shortly after the lists of codes have been sent to you. The list of pads, however, is kept in the server's database.
If, on the other hand, the password has not been registered, then then a Java applet computes your codes on your local machine, using the same mechanism as above. Note that, in order for this to work, you must type your password into the applet. It is, however, guaranteed that the applet does not leak your password in any way - you can easily check for yourself. Also note that the applet cannot generate word codes; it will generate your one-time codes only in the compact format.
Each one-time code on your list of compact codes and word codes is therefore nothing more than an encrypted version of your password, which can only be decrypted by the KYPS server. The security of this encryption, which is based on the one-time pad technique, depends on the randomness properties of the pads. KYPS generates the pads using an implementation of a secure pseudorandom number generator.
If the password is registered, then a third list of one-time codes is generated: the list of short word codes. The one-time codes on this list are not encrypted versions of your password, but rather pseudo-random bit sequences, encoded as words.
logging in
When you login using an untrusted computer, KYPS logs you into the website according to the procedure shown in the figure below. In that figure, it is assumed that you are logging into the website "example.com" with username "bob".
Note that, apart from logging you into the website, KYPS also acts as a kind of "reverse proxy", in a way that is similar to other (reverse) proxies that are used to avoid Internet censorship. This means that the webpage that is returned to you in the last step does not contain the original links from the page as it was generated by the webserver (example.com in the figure), but instead modified links that cause the browser to send subsequent requests through the KYPS server.
The links on the webpage that is returned to your browser look similar to the following.
Note the scrambled part of the link (i.e. the part marked in red). This part contains an encrypted version of the link from the original page. The KYPS server performs this encryption "on the fly" in step 7 of the figure above. The KYPS server also encrypts the cookies that are set by the web server, and sets the resulting encrypted cookies in the browser at the untrusted computer.
The reason for this encrypting is to help protecting against certain session hijacking attacks at the untrusted computer - see this page for more information regarding this type of protection.
clicking
When you click on a link on a reverse proxied webpage, your request is first sent to the KYPS server. This is because all the links in a reverse proxied webpage start with "https://kyps.net - see the part marked in green in the figure below. This is an example of what you will see in the address bar of your browser after clicking on a link on a page that is served by KYPS.
Note the scrambled part of the link (i.e. the part marked in red in the previous figure). This part contains an encrypted version of the link from the original page. Let's call this the "target" link. This encrypted target link is sent to KYPS inside the request. Also inside the request is an encrypted version of all the cookies that were previously set by the website. The following figure illustrates what happens when the KYPS server receives the request.
Note that, in accordance with its privacy policy, KYPS does not keep any record of which pages you are visiting, nor the content of those pages.