Cryptography Reference
In-Depth Information
• there is no authentication between the user and the token (in which case
we have one-factor authentication that relies on the correct user being in
possession of the token).
We now briefly discuss an even stronger cryptographic primitive that can be
used to support entity authentication.
Zero-knowledge mechanisms
bring security
benefits but have practical costs. Nonetheless, it is worth at least discussing the
idea behind them, just to indicate that it is feasible, even though they are not as
commonly implemented in real systems as the previously discussed techniques.
8.6.1
Motivation for zero-knowledge
The entity authentication techniques that we have looked at thus far have two
properties that we might deem undesirable.
Requirement for mutual trust
. Firstly, they are all based on some degree of trust
between the entities involved. For example, passwords often require the user
to agree with the server on use of a password, even if the server only stores a
hashed version of the password. As another example, the dynamic password
scheme based on challenge-response requires the smart token and the server
to share a key. However, there are situations where entity authentication might
be required between two entities who are potential adversaries and do not trust
one another enough to share
any
information.
Leaking of information
. Secondly, they all give away some potentially useful
information on each occasion that they are used. Conventional passwords
are catastrophic in this regard since the password is fully exposed when it is
entered, and in some cases may even remain exposed when transmitted across
a network. Our example dynamic password scheme is much better, but does
reveal valid challenge-response pairs each time that it is run (see the remark
about
key exposure
in Section 10.2.1).
It would seem unlikely that entity authentication could be provided in such a way
that no shared trust is necessary and
no knowledge at all
is given away during
an authentication attempt, but amazingly zero-knowledge mechanisms can do
precisely this.
The requirement for a zero-knowledge mechanism is that one entity (the
prover
) must be able to provide assurance of their identity to another entity (the
verifier
) in such a way that it is impossible for the verifier to later impersonate the
prover, even after the verifier has observed and verified many different successful
authentication attempts.
