When is PKI good for authenticating visitors to an e-business site, and when isn't it? Knowing the difference is
essential for planning e-commerce security implementations and infrastructures. This tip, excerpted from InformIT, discusses the ins and outs.
One reason to distinguish between local and remote authentication (and between initial and subsequent authentication) is to distinguish between where a PKI can be helpful and where it cannot. Specifically, a PKI would rarely, if ever (one might go so far as to say "never"), be used for initial authentication of a human entity to the local environment. This is because a user is unlikely to know a private key (due to its length) and, even if it were known, the user would be highly unlikely to be able to do cryptographic calculations with it.
Also, nothing intrinsic to the user (such as a thumbprint or retinal scan) could be said to be the private key of a signing key pair. Similarly, nothing the user does (such as typing characteristics or handwriting style) is deterministic enough (in a strict sense) to be usable for generating a key pair. Finally, although the user may have something that contains a key pair and is able to do cryptographic calculations (such as a smart card), such devices are so easily lost or stolen that they are almost never allowed to function without the user entering a password or a PIN.
Thus, initial authentication to the local environment, whether single-factor or multi-factor, does not use the services of a PKI. Authentication to a remote environment (or subsequent authentication within the local environment), on the other hand, can. When remote authentication does not use a PKI, there are two possibilities:
- The user must authenticate explicitly to the remote environment.
- The proof of authentication from the local environment must somehow be conveyed to the remote environment.
In either case, the communication between the local and remote environments must be properly protected; otherwise, an eavesdropper can simply copy the relevant data and later replay it, thereby successfully masquerading as the original, legitimate entity. Properly protecting the communications may mean employing mechanisms that are difficult to administer or that do not scale well to large environments, such as pre-establishing shared symmetric keys between the respective communicating processes.
For these reasons, the benefits in using a PKI for remote authentication can be attractive. The complexity of pre-establishing shared keys between processes is eliminated, as is the security risk of transmitting sensitive authenticating information (such as a password or a thumbprint) over a network. Rather, public-key technology is used to achieve the authentication using sophisticated challenge-response protocols and signed messages.
The distinct advantage of public-key-based remote authentication over mechanisms that mimic authentication to the local environment is that sensitive authenticating information, such as a password, is never sent over the network. If server Alice holds a copy of client Bob's password or thumbprint, Bob must authenticate himself by proving that he knows or has this information; this is typically accomplished by Bob conveying this information to Alice upon sign-on.
To read more of this tip, click over to InformIT. You have to register, but it's free.
Related bookUnderstanding Public-Key Infrastructure
Author : Carlisle Adams & Steve Lloyd
Publisher : Macmillan Technical Publishing
ISBN/CODE : 157870166X
Cover Type : Hard Cover
Pages : 320
Published : Nov. 1999
This book is a tutorial on, and a guide to the deployment of, Public-Key Infrastructures. It covers a broad range of material related to PKIs, including certification, operational considerations and standardization efforts, as well as deployment issues and considerations. Emphasis is placed on explaining the interrelated fields within the topic area, to assist those who will be responsible for making deployment decisions and architecting a PKI within an organization.