Authentication

From InfoAnarchy

See also: Identity | Security

Aka: Permission

The opposite of being anonymous; authentication is the verification of identity, assuring that a communication really comes from the party it claims to come from. People often need to prove their identities in order to receive goods and services. Passwords and keys are often used for authentication.

Authentication is a defence against tricksters, Internet eavesdropping, fraud and forgery; impersonating another party in this way is sometimes known as "spoofing."

Common authentication services used on the Internet are often not well designed and are therefore weak. Exploiting vulnerabilities in user verification allows crackers to attack systems.

Authentication protocols include Kerberos, RADIUS, its successor DIAMETER and some LDAP applications. Some applications also use PGP/GPG systems to prove identity. There are two kinds of authentication in computer programming: user authentication and message authentication, as in digital signatures.

User authentication

User authentication can be done by many means; usually it is a combination of one or more of the following:

  • Checking something you know, e.g. a password, or correctly answering a private question for some phone services.
  • Checking something you own, e.g. a smartcard or another authentication token.
  • Checking something you are, e.g. biometrics, as in using a fingerprint reader or retinal scanner and comparing the result with stored biometric data.

A common combination in banking applications is a smartcard (something you own) protected by a PIN (something you know).

Message authentication

Message authentication is commonly done in one of the following ways:

In commonly used protocols like SSL/TLS and SSH, digital signatures and Diffie-Hellman key exchange are used to agree on a secret that is then used for computing a MAC. This makes session establishment quite expensive but the remainder of the communication quite cheap.
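As an added example, not part of the InfoAnarchy page, the following Python sketches the pattern just described: an expensive Diffie-Hellman agreement yields a MAC key, after which every message is cheaply tagged and checked. The group parameters are a constructed toy, and the signature step that TLS and SSH apply to the exchanged public values is assumed to happen out of band and is not shown.

```python
# Added example (not from the InfoAnarchy page): Diffie-Hellman agreement
# followed by HMAC-based message authentication, modelled on the TLS/SSH
# pattern. The group below is a constructed toy for readability; real
# protocols use 2048-bit+ groups or elliptic curves and sign the exchanged
# public values so that an impostor cannot substitute its own.
import hashlib
import hmac
import secrets

# Constructed toy parameters: the Mersenne prime 2^127 - 1 and base 5.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Expensive part: a random private exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared_key(my_priv, their_pub):
    """Derive a fixed-length MAC key from the shared secret g^(ab) mod p."""
    if not 1 < their_pub < P - 1:  # reject 0, 1 and p-1, which force a known secret
        raise ValueError("rejecting degenerate public value")
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(b"mac-key|" + shared.to_bytes(16, "big")).digest()


def mac(key, seq, message):
    """Cheap part: tag each message; the sequence number blocks replays."""
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


def verify(key, seq, message, tag):
    """Constant-time comparison, so timing does not leak the expected tag."""
    return hmac.compare_digest(mac(key, seq, message), tag)


def demo():
    """Run one session: agree a key, then accept, tamper with and replay a message."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_a = dh_shared_key(a_priv, b_pub)
    k_b = dh_shared_key(b_priv, a_pub)
    assert k_a == k_b  # both sides derive the same MAC key
    tag = mac(k_a, 1, b"transfer 100")
    accepted = verify(k_b, 1, b"transfer 100", tag)
    tampered = verify(k_b, 1, b"transfer 900", tag)   # altered message
    replayed = verify(k_b, 2, b"transfer 100", tag)   # old tag, new sequence number
    return accepted, tampered, replayed
```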


Related Topics

Links