Service authentication

From HandWiki

Service authentication refers to the identity verification process from the service provider to the user. So far, virtually all types of authentication have been user authentication, where a user provides his or her credentials to the service, rather than the service providing its identity credentials to the user. There has been a steady rise in the need for service authentication to protect users from the malicious attack commonly known as 'pharming', which lures users to fake sites.[1] Since pharming effectively entices a user into believing that a fake site is genuine, it is vital for users to have a way to carefully verify the authenticity of a site. Service authentication, a type of mutual authentication technology combined with the international standard security protocol, would prevent such pharming attacks if properly administered, by providing the identity credentials of the server to the client over securely encrypted communication. There have been several attempts within the community of IT security vendors and IAM providers to incorporate service authentication for more robust protection of client-server communication.

Some known instances of service authentication

SSL certificate for web server

A Secure Sockets Layer (SSL) certificate is a set of data files that binds an encrypted public key to the organization's critical information.[2] The certificate must be installed on the web server first to enable secure communication. Once the secure connection has been established using the installed SSL certificate, users can safely conduct transactions with the web service, as the data transferred between the web server and the web browser is encrypted. Through this process the user can verify whether a site's connection is secure and authentic, since the service provider proves its own authenticity first.

This is authentication of the web server by the web browser, and it can protect against pharming because it assures users that they are not on a fake site.[3]

Personalized Image-based Service Verification

This is another standard service authentication technology; it uses personalized images known only to the user to authenticate the identity of the service server. It is the same technology used to determine whether a user is a person or a computer (e.g. image-based CAPTCHA).[4] A user first registers multiple personalized images on the server. During the user authentication process, the server pulls a few images from storage for the user to identify the service. The process is repeated a few times to increase accuracy; the user's rate of correct identification must be statistically high enough to be convincing evidence that the server is valid. It resembles knowledge-based authentication (KBA) in that the user's knowledge is the determining factor of service authentication. Human interaction plays a key role throughout the user authentication process.

QR code-based service authentication

QR codes, two-dimensional bar codes that can store an encrypted array of sensitive data, let users instantly identify the server using their smartphones. Just as a user logs into a web site without needing to type in a user ID and password, the user scans a QR code generated on the PC to verify the server. It is secure and able to protect effectively against hacking threats, as it uses a session cookie tied to a specific time and a shared secret between the server and the user's PC.[5] It is a device-dependent technology: this service authentication method needs both a PC and a smartphone to work properly.

Human-Verifiable Service Authentication

This is a newer service authentication technology that eliminates the need to type in a user password and replaces conventional machine-to-machine service authentication with human interaction and trust. Human interaction plays a major role, as users visually verify the authenticity of the service by identifying, on their smartphones, the code generated by the server. The code generated by the service server is a challenge-and-response-based one-time password whose seed value is derived by binding complex session values to the user's credentials.[6] Users can expect to engage in secure communication with the service server, since the service itself generates and presents its credentials to the user first. It is especially effective in protecting users from pharming attacks.
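The following is an added illustration, not the page's or any vendor's scheme, of the principle shared by the QR code and human-verifiable methods above: the server derives a short code from fresh session values and a secret the user registered at enrolment, the user's phone recomputes it from the session values it scanned, and a look-alike site that lacks the secret cannot present a matching code. The derivation (HMAC with HOTP-style truncation), class names, secret and session layout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct

def derive_code(user_secret: bytes, user_id: str, session: dict, digits: int = 6) -> str:
    """Code = HMAC-SHA256(user_secret, user_id | nonce | server name | timestamp),
    truncated to decimal digits with RFC 4226 dynamic truncation (HOTP style)."""
    msg = b"|".join([user_id.encode(), session["nonce"], session["server"].encode(),
                     struct.pack(">Q", session["ts"])])
    mac = hmac.new(user_secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

class ServiceServer:
    """Genuine server: holds the per-user secret registered at enrolment."""
    def __init__(self, name: str, enrolled: dict):
        self.name, self.enrolled = name, enrolled

    def start_session(self, now: int) -> dict:
        # Fresh nonce per session: a code captured earlier cannot be replayed
        return {"nonce": secrets.token_bytes(16), "server": self.name, "ts": now}

    def prove_identity(self, user_id: str, session: dict) -> str:
        return derive_code(self.enrolled[user_id], user_id, session)

class Phone:
    """User's smartphone: recomputes the code from the session values it scanned."""
    def __init__(self, user_id: str, secret: bytes):
        self.user_id, self.secret = user_id, secret

    def server_is_genuine(self, session: dict, shown: str, now: int, max_age: int = 60) -> bool:
        if abs(now - session["ts"]) > max_age:  # stale session values: reject
            return False
        expected = derive_code(self.secret, self.user_id, session)
        return hmac.compare_digest(expected, shown)  # constant-time comparison

def run_check(now: int, session: dict = None):
    """Constructed scenario: genuine server vs. a look-alike site that lacks the secret."""
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed enrolment secret
    server = ServiceServer("bank.example", {"alice": secret})
    phone = Phone("alice", secret)
    session = session or server.start_session(now)
    genuine = phone.server_is_genuine(session, server.prove_identity("alice", session), now)
    # A pharming site can copy the user id and session values, but not the secret
    fake_code = derive_code(b"attacker-has-no-secret", "alice", session)
    pharmed = phone.server_is_genuine(session, fake_code, now)
    return genuine, pharmed
```

Binding the server name and timestamp into the code means a code shown by one service cannot be reused to vouch for another, and the age check stops a captured code from being replayed later.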

References

  1. "Online fraud: pharming". https://us.norton.com/cybercrime-pharming
  2. "What is an SSL Certificate?". https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/
  3. "Optimize and Secure Your Website: Everything You Need to Know About SSL Certificates". https://www.verisign.com/en_US/website-presence/website-optimization/ssl-certificates/index.xhtml
  4. Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham and Manuel Blum. "reCAPTCHA: Human-Based Character Recognition via Web Security Measures". Science.
  5. Potoczny-Jones, Isaac (January 5, 2011). "Quick authentication using mobile devices and QR Codes". Galois, Inc. https://galois.com/blog/2011/01/quick-authentication-using-mobile-devices-and-qr-codes
  6. Kenneth G. Paterson, Douglas Stebila. "One-time-password-authenticated key exchange". September 4, 2009.