Tip

Authentication as a PKI service



When is PKI good for authenticating visitors to an e-business site, and when isn't it? Knowing the difference is essential for planning e-commerce security implementations and infrastructures. This tip, excerpted from InformIT, discusses the ins and outs.


One reason to distinguish between local and remote authentication (and between initial and subsequent authentication) is to distinguish between where a PKI can be helpful and where it cannot. Specifically, a PKI would rarely, if ever (one might go so far as to say "never"), be used for initial authentication of a human entity to the local environment. This is because a user is unlikely to know a private key (due to its length) and, even if it were known, the user would be highly unlikely to be able to do cryptographic calculations with it.

Also, nothing intrinsic to the user (such as a thumbprint or retinal scan) could be said to be the private key of a signing key pair. Similarly, nothing the user does (such as typing characteristics or handwriting style) is deterministic enough (in a strict sense) to be usable for generating a key pair. Finally, although the user may have something that contains a key pair and is able to do cryptographic calculations (such as a smart card), such devices are so easily lost or stolen that they are almost never allowed to function without the user entering a password or a PIN.

Thus, initial authentication to the local environment, whether single-factor or multi-factor, does not use the services of a PKI. Authentication to a remote environment (or subsequent authentication within the local environment), on the other hand, can. When remote authentication does not use a PKI, there are two possibilities:

  • The user must authenticate explicitly to the remote environment.
  • The proof of authentication from the local environment must somehow be conveyed to the remote environment.

In either case, the communication between the local and remote environments must be properly protected; otherwise, an eavesdropper can simply copy the relevant data and later replay it, thereby successfully masquerading as the original, legitimate entity. Properly protecting the communications may mean employing mechanisms that are difficult to administer or that do not scale well to large environments, such as pre-establishing shared symmetric keys between the respective communicating processes.

For these reasons, the benefits in using a PKI for remote authentication can be attractive. The complexity of pre-establishing shared keys between processes is eliminated, as is the security risk of transmitting sensitive authenticating information (such as a password or a thumbprint) over a network. Rather, public-key technology is used to achieve the authentication using sophisticated challenge-response protocols and signed messages.

The distinct advantage of public-key-based remote authentication over mechanisms that mimic authentication to the local environment is that sensitive authenticating information, such as a password, is never sent over the network. If server Alice holds a copy of client Bob's password or thumbprint, Bob must authenticate himself by proving that he knows or has this information; this is typically accomplished by Bob conveying this information to Alice upon sign-on.
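
The challenge-response exchange described above, as an added Go sketch that is not taken from the original tip or the book: the server issues a fresh random challenge, the client signs it, and a signature copied off the wire fails against the next challenge. Ed25519, the `auth-v1|` label and all type and function names are assumptions of this example; the server is assumed to have already taken the client's public key from a validated certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const label = "auth-v1|" // constructed context label, an assumption of this sketch

// Server knows only the client's public key (in a PKI, from a validated certificate).
type Server struct {
	pub     ed25519.PublicKey
	pending []byte // outstanding single-use challenge
}

// Challenge issues a fresh random nonce for one authentication attempt.
func (s *Server) Challenge() []byte {
	s.pending = make([]byte, 32)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err)
	}
	return s.pending
}

// Verify checks the signature over the outstanding challenge, then consumes it.
func (s *Server) Verify(sig []byte) bool {
	msg := append([]byte(label), s.pending...)
	ok := s.pending != nil && ed25519.Verify(s.pub, msg, sig)
	s.pending = nil
	return ok
}

// Respond is the client side: the private key signs the challenge and never leaves.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(label), challenge...))
}

// Demo returns: genuine login accepted, replayed signature accepted.
func Demo() (genuine, replayed bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{pub: pub}
	sig := Respond(priv, srv.Challenge()) // an eavesdropper can capture sig here
	genuine = srv.Verify(sig)
	srv.Challenge()
	replayed = srv.Verify(sig) // old signature against a new challenge
	return
}

func main() { fmt.Println(Demo()) }
```

Only the challenge and the signature cross the network, so a captured exchange gives an eavesdropper nothing reusable, unlike a password sent at sign-on.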


To read more of this tip, click over to InformIT. You have to register, but it's free.

Related book

Understanding Public-Key Infrastructure
Author : Carlisle Adams & Steve Lloyd
Publisher : Macmillan Technical Publishing
ISBN/CODE : 157870166X
Cover Type : Hard Cover
Pages : 320
Published : Nov. 1999
Summary:
This book is a tutorial on, and a guide to the deployment of, Public-Key Infrastructures. It covers a broad range of material related to PKIs, including certification, operational considerations and standardization efforts, as well as deployment issues and considerations. Emphasis is placed on explaining the interrelated fields within the topic area, to assist those who will be responsible for making deployment decisions and architecting a PKI within an organization.


This was first published in January 2001
