Wednesday, May 9, 2012

An authentication system for mobile devices.

I was re-reading "Designing an Authentication Systems" (http://web.mit.edu/kerberos/dialogue.html), written in 1988, and though it was a great paper, and has influenced me heavily, there is another paper that had a deeper impact on my thoughts, "Programming Satan's Computer" (http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf), and, in this age of mobile devices, better authentication systems becomes more important, due to the increase in the number of smartphones.

So, I will be designing out my solution, using ideas from both of these papers, hopefully to show a system that is flexible enough for real use, secure enough for paranoid companies, and yet useful for the end-user.

So, my first thought is that I don't really want a central repository to know my password, so a secure one-way hash of my password is acceptable in this system, but, as we go on even this may become more secure, and it may involve a zero-knowledge password authentication system (http://ojs.pythonpapers.org/index.php/tppm/article/view/155/142), so we can convince a system that we have the password, without actually sharing the password.

So, the situation is that we have a smartphone, and we want to connect with various systems, and each system may have separate security requirements that the device is not aware of, but, the companies that manage the network decided that Eastern European hackers are great sysadmins, and North Korea is where some of the servers are located, so, this could be considered a hostile environment, but in spite of these issues we want our credit card information and passwords protected, and the companies we are using the services of, on the inside of their firewalls, want to ensure that only those that should be authorized can use the services.

I will deal with the problems of doing online voting using smartphones in a separate series of posts, as there are additional requirements and risks that need to be addressed.

No comments: