Cryptography Reference
If a user wants to authenticate himself with eBay, for example, he sends
the token ID and a one-time password generated on the push of a button,
together with his personal data to eBay. eBay, in turn, strips the personal
data, sending only the token ID and the one-time password over a secure
line to VeriSign. Finally, VeriSign checks the password for validity and
returns the result.
I think the model is pretty secure based on the interests of the parties involved:
eBay will not send personal user data to VeriSign, or it would disclose its
customer data and buying activities. The token vendors don't know where buyers
will eventually use their devices, and they no longer participate in subsequent
transactions. For this reason, they have no interest in passing secret keys on to
anyone other than VeriSign.
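The flow described above, sketched as an added example that is not taken from the book: the shop forwards only the token ID and the one-time password, and the validation service alone holds the token keys. HOTP (RFC 4226) is assumed as the one-time password algorithm because the text does not name one; the class names, token ID, user and personal data are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP (an assumption; the text does not name the token's algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Validator:
    """Validation service (VeriSign's role): holds token keys, sees no personal data."""
    def __init__(self, keys, look_ahead=5):
        self.state = {tid: [key, 0] for tid, key in keys.items()}  # [key, next counter]
        self.look_ahead = look_ahead  # tolerate button presses that were never submitted

    def check(self, token_id, otp):
        entry = self.state.get(token_id)
        if entry is None:
            return False
        key, counter = entry
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(key, c).encode(), otp.encode()):
                entry[1] = c + 1      # advance so an accepted password cannot be replayed
                return True
        return False

class RelyingParty:
    """Shop (eBay's role): knows the customer, never holds a token key."""
    def __init__(self, validator, accounts):
        self.validator, self.accounts = validator, accounts  # accounts: user -> token ID
        self.forwarded = []           # everything that left the shop, kept for inspection

    def login(self, user, personal_data, token_id, otp):
        if self.accounts.get(user) != token_id:
            return False              # token is not the one bound to this account
        request = {"token_id": token_id, "otp": otp}  # personal_data stays in the shop
        self.forwarded.append(request)
        return self.validator.check(**request)

def demo():
    key = b"12345678901234567890"     # constructed sample: the RFC 4226 test key
    shop = RelyingParty(Validator({"TOKEN-0001": key}), {"alice": "TOKEN-0001"})
    otp = hotp(key, 0)                # button pressed once on the token
    profile = {"address": "1 Example St"}  # constructed personal data
    first = shop.login("alice", profile, "TOKEN-0001", otp)
    replay = shop.login("alice", profile, "TOKEN-0001", otp)
    return first, replay, shop.forwarded
```

`demo()` returns the result of a first login, the result of replaying the same password, and the list of requests the shop actually forwarded.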
The obvious drawback of the method is that it binds you to a company as
mighty as VeriSign. There are certain doubts. But eventually, we always have
to weigh the advantages and disadvantages. If VeriSign demanded unacceptable
conditions for the checkup, the system would not survive in the market, and
token vendors might look for another host.
Bottom Line
The tokens discussed above appear to be a reasonable compromise in situations
where secure authentication is most important. The data communication
between terminal or client and server can still be encrypted. The important thing
is that attacks will generally not go unnoticed, because the loss of an object is
more evident than stealthily listening in on a password. Tokens are cheaper and
easier to handle than challenge-response methods (where servers ask questions).
6.6 Other Protocols
Cryptographic protocols are too extensive and complicated a field to be
represented in this topic, even in an overview. There is ongoing research in this
field, so new scenarios, both of practical relevance and theoretical interest,
are continually studied. Readers interested in further reading are referred
to the literature and the Internet.
The next sections briefly describe several ingenious and practically interesting
protocols. As with the cryptographic algorithms, the selection is arbitrary.