PowerAuth Specification

PowerAuth is a protocol for a key exchange and for subsequent request signing designed specifically for the purposes of applications with high security demands, such as banking applications or identity management applications. It defines all items that are required for a complete security solution: a used cryptography, a security scheme and standard RESTful API end-points.

A typical use-case for PowerAuth protocol would be assuring the security of a mobile banking application. User usually downloads a “blank” (non-personalized) mobile banking app from the mobile application market. Then, user activates (personalizes, using a key-exchange algorithm) the mobile banking using some application that is assumed secure, for example via the internet banking or via the branch kiosk system. Finally, user can use activated mobile banking application to create signed requests - to log in to mobile banking, send a payment, certify contracts, etc.

The protocol also supports end-to-end encryption and secure storage. Unlike the authentication, these features are currently experimental and require better validation by the cryptography experts and market.

Following chapters describe the cryptography that is used in PowerAuth.

These additional chapters provide additional insight in the practical protocol implementation.

For any questions related to the protocol, please write to [email protected]. If you believe you have identified a security vulnerability with PowerAuth, you should report it as soon as possible via email to [email protected]. Please do not post it to a public issue tracker.

Last updated on May 10, 2019 (14:12) Edit on Github Send Feedback


Mobile Token

PowerAuth Java Crypto