What is Strong Authentication?

Strong Customer Authentication is the authentication (verification of a claimed identity) of one entity by another on the basis of a digital attribute. It is usually used to identify users (and client components) to systems (and server components). Strong Authentication differs from regular (conventional) authentication in that the latter is based on a "shared secret" known by both parties: the to-be-authenticated party (users and client components) and the authenticator party (system and server components). Strong Authentication does not use a shared secret. It uses asymmetric cryptography instead: the to-be-authenticated party knows a secret (the Private Key) that nobody else knows, and the authenticator party knows only the corresponding Public Key, with which it can verify the user's digital signatures but cannot produce them.

What Is the Problem of a "Shared Secret"? (Conventional Authentication Scheme)

If the user is not the only one who knows the secret, the administrator or the corporation has a problem. The user will be able to claim that he did not access the network: somebody else accessed the authentication server and knows "my secret". Unfortunately he may be right, and nobody can refute his claim.

How Can You Benefit from Strong Authentication?

The main benefit is that users can securely authenticate themselves to an application or system component. "Securely" means that no one can impersonate the authorized user, including the system administrator himself, because the system administrator does not know the user's Private Key. The administrator can corroborate that the user is indeed the user by verifying a message signed by the user with the user's Public Key, but he cannot sign a message with the user's Public Key. To do so he would need the user's Private Key, and nobody but the user knows it.
In other words the user cannot be impersonated, so the access granted to him cannot be repudiated: the user cannot deny that he accessed the network. This is a very important and valuable feature, with one caveat a practitioner should keep in mind: non-repudiation holds only as far as the Private Key really is under the user's sole control (for example, generated inside and never exported from a PIN-protected signing device). If a hacker penetrates the authentication server, he cannot steal the user's secrets, simply because they are not there. What the server does hold is the list of Public Keys, and that list must be integrity-protected, since an attacker who can swap in a Public Key of his own could then sign as that user. Strong Authentication also eliminates the need to type a user name and password as required by a conventional sign-on procedure: once unlocked, the signing device identifies the user and signs on his behalf. This provides a higher level of security for access to applications.

How Is Strong Authentication Implemented in Practice?

The conventional way to implement strong authentication is a challenge-response exchange. The authentication server generates a fresh, unpredictable "challenge" (a random value that is never reused), waits to receive the challenge back digitally signed by the user's signing device, and verifies the signature with the user's stored Public Key. Because every challenge is new, a signature captured on the wire is useless for a later login. Integrating the asymmetric cryptography and digital signature capabilities into the signing device makes it a universal secure accessing tool, and gives application and system sign-on procedures the same high level of security as is obtained with digital signatures and digital encryption.

Where Can Strong Authentication Be Used?

There are many uses for Strong Authentication. In principle, it can be integrated into any client/server or multi-tier application to give clients or individual users access to specific system components. Strong Authentication can also be used to implement "single sign-on". Users sign on to a specific server component (such as an authentication server backed by an LDAP directory) just once and are granted access privileges to match their status. From then on, users can access the other applications they are authorized for without going through the sign-on (authentication) process for each application. One scenario is a user who logs in once in the morning at a desktop computer and has access for the rest of the day to the corporate Intranet, the Internet and various dedicated applications without entering a user name and/or password each time.
What Would an Ideal Strong Authentication System Look Like?

An ideal Strong Authentication system lets you identify yourself as an authorized user to applications or system components (workstation systems, servers, etc.) in order to gain access with the utmost convenience. Utmost convenience means minimal effort by the user and total confidentiality. Imagine that the signature device also computes an identification message, including a GMT time-stamp, which is encrypted, totally dynamic (no constant parts) and digitally signed. Imagine also that the user just enters his PIN (known only to him, and never transmitted) and the signature device computes the time-stamped ID message, signs it and encodes it as sound: yes, an "acoustic" message. The acoustic message, carrying the digital signature, reaches the PC microphone or a telephone and is converted back into a digital string. The user therefore enters just a PIN, and the message is not only confidential but also un-trackable (no constant parts). In an ideal Strong Authentication system like this, you are authenticated by an acoustic digital signature stamped on the time-stamped ID message. Because there is no server challenge in this variant, the server must judge freshness itself: it checks that the time-stamp falls within a small window of its own clock and remembers the messages it has already accepted, so that a recording of the sound cannot simply be played back. Sounds far fetched, fantastic and improbable? With over ten years of intensive development and innovation in strong customer authentication and digital signature, CIDWAY is shaping the future in banking, mobile payment, corporate, government and homeland security.
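The two exchanges described on this page, the challenge-response sign-on and the challenge-free time-stamped ID message, as one added example. This is illustrative code written for this page, not CIDWAY's product code, and everything concrete in it is assumed rather than taken from the original text: Ed25519 signatures, a 32-byte random challenge, an ID-message layout of 8-byte time-stamp, 16-byte nonce and user name, the "example-auth/..." domain-separation prefixes, and a 30-second clock-skew window. The encryption of the ID message and the acoustic encoding are left out; the point is what the server must check before it trusts a signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Domain-separation prefixes (assumed here, not a CIDWAY format): a challenge signature can never double as an ID-message signature.
var challengePrefix = []byte("example-auth/challenge/v1\x00")
var idMsgPrefix = []byte("example-auth/id-message/v1\x00")

const skewWindow = 30 * time.Second // clock skew tolerated for time-stamped ID messages (assumed)

func withPrefix(prefix, data []byte) []byte { return append(append([]byte{}, prefix...), data...) }

// Server holds public keys only: a compromise lets an attacker verify signatures, not forge them (but guard against key substitution).
type Server struct {
	pubKeys   map[string]ed25519.PublicKey
	pending   map[string][]byte // outstanding challenge per user, single use
	seenNonce map[string]bool   // replay cache for accepted ID messages
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]bool{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 fresh random bytes (for unknown users too, so replies do not reveal which names exist).
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// SignChallenge is the client side: the signing device signs the server's challenge.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, withPrefix(challengePrefix, challenge))
}

// VerifyChallenge verifies with the stored public key and consumes the challenge, so a signature cannot be presented twice.
func (s *Server) VerifyChallenge(user string, sig []byte) error {
	c, pub := s.pending[user], s.pubKeys[user]
	delete(s.pending, user)
	if c == nil || pub == nil || !ed25519.Verify(pub, withPrefix(challengePrefix, c), sig) {
		return errors.New("no outstanding challenge or bad signature")
	}
	return nil
}

// MakeIDMessage is the client side of the challenge-free variant: the device signs
// [8-byte big-endian unix time][16-byte random nonce][user name]. Encryption is omitted.
func MakeIDMessage(priv ed25519.PrivateKey, user string, now time.Time) (msg, sig []byte, err error) {
	msg = make([]byte, 24, 24+len(user))
	binary.BigEndian.PutUint64(msg[:8], uint64(now.Unix()))
	if _, err = rand.Read(msg[8:24]); err != nil {
		return nil, nil, err
	}
	msg = append(msg, user...)
	return msg, ed25519.Sign(priv, withPrefix(idMsgPrefix, msg)), nil
}

// VerifyIDMessage: with no challenge, freshness must come from the time-stamp window
// plus a nonce cache; either check alone still lets a recording be replayed.
func (s *Server) VerifyIDMessage(msg, sig []byte) error {
	if len(msg) < 25 {
		return errors.New("malformed message")
	}
	pub := s.pubKeys[string(msg[24:])]
	if pub == nil || !ed25519.Verify(pub, withPrefix(idMsgPrefix, msg), sig) {
		return errors.New("unknown user or bad signature")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(msg[:8])), 0)
	if d := time.Since(ts); d > skewWindow || d < -skewWindow {
		return errors.New("stale or future time-stamp")
	}
	nonce := string(msg[8:24])
	if s.seenNonce[nonce] {
		return errors.New("replayed message")
	}
	s.seenNonce[nonce] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.Enroll("alice", pub)
	c, _ := srv.Challenge("alice")
	fmt.Println("challenge login:", srv.VerifyChallenge("alice", SignChallenge(priv, c)))
	msg, sig, _ := MakeIDMessage(priv, "alice", time.Now())
	fmt.Println("id-message login:", srv.VerifyIDMessage(msg, sig), "| replayed:", srv.VerifyIDMessage(msg, sig))
}
```

Two design points are worth noting. The server signs nothing and stores no secret, so dumping it yields only public keys; but a verifier that checks the signature and stops there is still open to replay, which is why VerifyChallenge deletes the challenge before verifying and VerifyIDMessage keeps a nonce cache on top of the time window. The prefixes keep a signature obtained in one protocol from being presented in the other, a cheap precaution whenever one key signs more than one kind of message.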

This entry was posted on Wednesday, April 7th, 2010 at 5:02 am and is filed under University security.
