When you fill out a registration form to take advantage of a web service, a virtual personal profile is generated, creating your own IT identity characterized by specific attributes.
Even those who must manage and provide this service must have their own digital identity. In this way, an interaction between the virtual identities of the customer and the supplier is established.
The service management system, before granting the interlocutor access to the resources, will have to start an identification process to verify the correspondence of the specific identity attributes in compliance with the fundamental protection parameters for IT security: confidentiality and integrity of information, interlocutors authentication and authorization of access to relevant resources.
The confidentiality of information in internet communications
Internet communications use the protocol called TCP/IP (Transmission Control Protocol/Internet Protocol), which allows information to be transmitted from one computer to another through a series of intermediate computers and networks.
Without measures of prevention, a stranger to computer communications could interfere through “man in the middle” type interceptions.
In this regard, the HTTPS protocol has been implemented from the very beginning in an attempt to avert this threat, not completely eradicated, through public key cryptography techniques.
The most common algorithms are those patented by RSA Data Security: This algorithm, also called asymmetric key cryptography, provides a pair of keys (a public and private key) associated with an entity that authenticates the identity of the key itself.
Cryptography alone, while solving the problem of confidentiality violation, cannot solve the problem of integrity and false authentication.
The hash function
Hash encryption is used to ensure integrity and authentication. The hash functions are implemented according to the following features:
The digital signature is basically based on the use of a hash algorithm.
In a tipical network correspondence, the elements sent to the recipient are the original document in clear text and the hash value of the original document, encrypted with the private key of the signatory (digital signature). To verify the integrity of the information, the receiving software, decrypts the digital signature with the signatory’s public key, obtains the hash value of the signatory and generates with the same algorithm a new hash from the original document received. Two different hash values indicate that the information has been altered or the digital signature has been created with a private key that does not match the signer’s public key.
Mutual authentication of interlocutors
When perform authentication in a network communication where a client (e.g. a browser) dialogues with the various remote servers providing services, it is very important the mutual authentication between the user and the service provider. There are several ways to do this:
Critical issues about different authentication modes
By comparing these authentication modes you can see that:
The final step
The next step in verifying the identity and computer authentication of a user is the authorization through which the computer system specifies the access privileges to resources, deciding whether to approve or reject requests.
Defending and protecting your information assets and your digital reputation must therefore be a key point to better manage every business activity, taking all necessary actions:
About the author: Salvatore Lombardo
IT officer, ICT expert, Clusit member
(SecurityAffairs – hacking, computer identity)