e-Authentication Methods
Public-Key Authentication
Public-key cryptography provides an authentication method that uses a key pair: a private key and a public key. The private key is known only to the user and is never shared with any other server or user. The public key is certified by a public-key certificate issued by a Certification Authority and is available to any user or server.
Public-key authentication can be implemented as a hardware or software token, depending on the situation. As a soft token, the private key is stored in the keystore of the operating system or as an encrypted file on a data storage device. Some implementations store the private key in a hard token (such as a smart card), and possession of the token is mandatory in the authentication process. Since the private key cannot be exported from the hard token (i.e. there is only one copy of the key), loss of the key can be detected and remedied more easily. Activating the token requires the entry of a password or a biometric, which verifies the legitimate user.
It should be noted that public-key solutions can also provide additional security protection by applying a 'digital signature' to critical transactions. By digitally signing the submitted data, the integrity and non-repudiation aspects of the transaction (in addition to authenticity) can be assured.
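The two mechanisms described above, proving possession of the private key during login and signing submitted transaction data, are illustrated in the following Go program. It is an added example, not part of the original guideline, and it uses only the Go standard library (crypto/ed25519). The token, server, user name and transaction text are constructed for illustration; a real deployment would take the registered public key from a CA-issued certificate rather than from direct registration as shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Size in bytes of the random challenge the server issues at login.
const challengeSize = 32

// Token models the user's hard or soft token: it holds the private key
// and never exports it. Only signing is exposed to the outside.
type Token struct {
	priv ed25519.PrivateKey
}

// NewToken generates a fresh key pair and returns the token together with
// the public key the user would have certified and registered with the server.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// Sign produces a signature over msg with the key held inside the token.
func (t *Token) Sign(msg []byte) []byte {
	return ed25519.Sign(t.priv, msg)
}

// Server stores only public keys, indexed by user name (constructed model).
type Server struct {
	registered map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{registered: map[string]ed25519.PublicKey{}}
}

// Register records the public key the server will trust for user.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// NewChallenge issues a fresh random nonce. Signing a fresh nonce proves
// possession of the private key without revealing it, and a signature
// captured earlier cannot be replayed against a different nonce.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, challengeSize)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate accepts the login only if sig is a valid signature over
// challenge under the public key registered for user.
func (s *Server) Authenticate(user string, challenge, sig []byte) error {
	pub, ok := s.registered[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// VerifyTransaction checks a digitally signed transaction: any change to
// the submitted data invalidates the signature (integrity), and only the
// holder of the private key could have produced it (non-repudiation).
func (s *Server) VerifyTransaction(user string, data, sig []byte) bool {
	pub, ok := s.registered[user]
	return ok && ed25519.Verify(pub, data, sig)
}

func main() {
	token, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", pub)

	// Login: server challenges, token signs, server verifies.
	challenge, _ := srv.NewChallenge()
	fmt.Println("login error:", srv.Authenticate("alice", challenge, token.Sign(challenge)))

	// Critical transaction: sign the submitted data, then check a tampered copy.
	tx := []byte("transfer 100.00 to account 12345") // constructed sample data
	sig := token.Sign(tx)
	fmt.Println("original verifies:", srv.VerifyTransaction("alice", tx, sig))
	tampered := []byte("transfer 900.00 to account 12345")
	fmt.Println("tampered verifies:", srv.VerifyTransaction("alice", tampered, sig))
}
```

The server never sees the private key; it can only confirm that whoever answered the challenge, or signed the transaction, held it. Because every login uses a new random challenge, an observer who records one exchange cannot reuse it, which is the property that distinguishes this from a reusable password.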