Authentication protocols


OAuth

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. The mechanism is used by companies such as Amazon, Google, Facebook, Microsoft and Twitter to let users share information about their accounts with third-party applications or websites.

In general terms, OAuth gives clients "secure delegated access" to server resources on behalf of a resource owner. It specifies a process by which resource owners authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with the Hypertext Transfer Protocol (HTTP), OAuth lets an authorization server issue access tokens to third-party clients with the approval of the resource owner; the third party then presents the access token to the resource server to reach the protected resources it hosts. One caveat belongs on a page about authentication protocols: OAuth by itself is an authorization (delegation) framework, not an authentication protocol. An access token proves that someone authorized the client, not who the user is, so treating a bare access token as a login is a classic mistake; OpenID Connect is the layer on top of OAuth 2.0 that adds an identity token for that purpose.

SAML

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML is an XML-based markup language for security assertions, the statements a service provider uses to make access-control decisions. SAML is also:

  • A set of XML-based protocol messages
  • A set of protocol message bindings
  • A set of profiles (utilizing all of the above)

The single most important use case that SAML addresses is web browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within one security domain, but extending it across security domains is more difficult and led to a proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability. The security of that profile rests on the service provider validating the assertion it receives: the XML signature must verify against the identity provider's known key, and the assertion's audience, validity window (NotBefore/NotOnOrAfter) and, for a response to a request it sent, the InResponseTo value must all match, since an assertion that is merely well-formed proves nothing.

Key verification

Each user's account is ultimately bound to a signature key pair, the account's identity keys. Identity keys consist of a matching public and private key: the private key is used to produce digital signatures, and the public key is used to verify them. When you add someone to your contact list, your client immediately obtains the public half of that contact's identity keys from the server and stores it locally. All subsequent communication from that contact can then be authenticated by checking that each received message was digitally signed with the contact's identity keys. That first fetch is a trust-on-first-use moment, though: whoever controls the server, or the path to it, can hand out a different key under the same name.

In practice, however, we want to communicate with a particular person, not with whoever happens to control a particular set of identity keys. In other words, signature verification guarantees that a message was really produced with the sender's keys, but it is equally important to ensure that the person using those keys is really who we think they are. Making that connection between the identity keys and the actual person behind them is what is called key verification, typically done by comparing key fingerprints over a channel the server does not control, such as in person.
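As an added example (not code from the original post or from any particular messenger), the following Go program separates the two checks described above: an Ed25519 identity key pair signs messages, the recipient's client pins the public key it got from the server and verifies signatures with it, and a separate fingerprint comparison over a channel the server does not control marks the key as belonging to the person. The account names, the message text and the 8-byte SHA-256 fingerprint format are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// IdentityKeys is the long-term signing key pair an account is bound to.
type IdentityKeys struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewIdentityKeys() IdentityKeys {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return IdentityKeys{Public: pub, private: priv}
}

// SignedMessage is what travels through the server: the claimed sender, the body and a signature over the body.
type SignedMessage struct {
	Sender string
	Body   []byte
	Sig    []byte
}

func (k IdentityKeys) Sign(sender string, body []byte) SignedMessage {
	return SignedMessage{Sender: sender, Body: body, Sig: ed25519.Sign(k.private, body)}
}

// Fingerprint is the short digest two people compare out of band (in person, on a call) to tie a
// public key to a person; that comparison is the key verification step. Format is an assumption.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Contact is what a client pins locally: the key fetched from the server and whether a human verified it.
type Contact struct {
	Key      ed25519.PublicKey
	Verified bool
}

// Client is one user's local contact list, keyed by the contact's account name.
type Client map[string]*Contact

// AddContact pins the public key the server returned for name (trust on first use).
func (c Client) AddContact(name string, keyFromServer ed25519.PublicKey) {
	c[name] = &Contact{Key: keyFromServer}
}

// VerifyContact compares the pinned key with a fingerprint obtained directly from the person.
func (c Client) VerifyContact(name, fingerprintFromPerson string) error {
	ct, ok := c[name]
	if !ok {
		return errors.New("not a contact")
	}
	if Fingerprint(ct.Key) != fingerprintFromPerson {
		return errors.New("fingerprint mismatch: the server handed out a key that is not this person's")
	}
	ct.Verified = true
	return nil
}

// Authenticate asks two separate questions: did the pinned key sign this message (signature check),
// and has that key been verified as belonging to the person we think we are talking to?
func (c Client) Authenticate(m SignedMessage) error {
	ct, ok := c[m.Sender]
	if !ok {
		return errors.New("sender is not in the contact list")
	}
	if !ed25519.Verify(ct.Key, m.Body, m.Sig) {
		return errors.New("bad signature: not produced by the pinned identity key")
	}
	if !ct.Verified {
		return errors.New("signature valid, but the key has not been verified as this person's")
	}
	return nil
}

func main() {
	alice := NewIdentityKeys()
	server := map[string]ed25519.PublicKey{"alice": alice.Public} // the key directory Bob's client queries
	bob := Client{}
	bob.AddContact("alice", server["alice"])
	msg := alice.Sign("alice", []byte("lunch at 12?"))
	fmt.Println(bob.Authenticate(msg)) // signature valid, but the key is not yet verified
	fmt.Println(bob.VerifyContact("alice", Fingerprint(alice.Public)), bob.Authenticate(msg)) // <nil> <nil>
}
```

Authenticate refuses a message on either failure: a bad signature means the message did not come from the pinned key, while a valid signature from an unverified key means the client still does not know who holds that key. The interesting attack is the second one. A server that substitutes Mallory's key under Alice's name produces messages whose signatures verify perfectly against what the client pinned, and only the fingerprint comparison with Alice herself catches it.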

Two way TLS/SSL

Mutual authentication (two-way TLS) refers to two parties authenticating each other at the same time. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS). By default the TLS protocol only proves the identity of the server to the client, using an X.509 certificate, and authenticating the client to the server is left to the application layer (a password form, an API key, a bearer token). TLS also offers client-to-server authentication using client-side X.509 certificates, but this requires provisioning certificates to the clients, and the server has to be configured to request them and to verify them against the CA that issued them; a server that merely asks for a certificate without verifying it has authenticated nobody.
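The difference between one-way and two-way TLS is easiest to see in a handshake you can run. The Go program below is an added example (not from the original post): it builds a throwaway CA with one server and one client certificate in memory, then runs a TLS connection over an in-memory pipe with the server set to require a client certificate; the same client connects once with its certificate and once without. The certificate names (demo-ca, demo-server, demo-client) and the greeting are made up.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is a throwaway CA plus one server identity and one client identity it has signed.
type PKI struct {
	CAPool     *x509.CertPool
	ServerCert tls.Certificate
	ClientCert tls.Certificate
}

// issue generates a P-256 key and a certificate for tmpl signed by signer under parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced by CreateCertificate just above
	return cert, der, key
}

// NewPKI builds the CA, server and client certificates in memory, valid for one hour.
func NewPKI() PKI {
	tmpl := func(cn string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    time.Now().Add(-time.Minute),
			NotAfter:     time.Now().Add(time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}
	caTmpl := tmpl("demo-ca", 1, x509.ExtKeyUsageAny)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, _, caKey := issue(caTmpl, nil, nil)
	srvTmpl := tmpl("demo-server", 2, x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{"demo-server"} // the name the client checks the server certificate against
	_, srvDER, srvKey := issue(srvTmpl, ca, caKey)
	_, cliDER, cliKey := issue(tmpl("demo-client", 3, x509.ExtKeyUsageClientAuth), ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return PKI{
		CAPool:     pool,
		ServerCert: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey},
		ClientCert: tls.Certificate{Certificate: [][]byte{cliDER}, PrivateKey: cliKey},
	}
}

// Connect runs one TLS connection over an in-memory pipe; the server demands a client certificate chaining to the CA.
func Connect(p PKI, presentClientCert bool) (string, error) {
	srvConn, cliConn := net.Pipe()
	go func() {
		defer srvConn.Close()
		s := tls.Server(srvConn, &tls.Config{
			Certificates:           []tls.Certificate{p.ServerCert},
			ClientAuth:             tls.RequireAndVerifyClientCert, // the mutual-authentication switch
			ClientCAs:              p.CAPool,
			SessionTicketsDisabled: true, // net.Pipe is unbuffered; a ticket written mid-handshake would stall it
		})
		if s.Handshake() == nil { // succeeds only after the client's chain verified against ClientCAs
			fmt.Fprintf(s, "hello %s\n", s.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	cfg := &tls.Config{RootCAs: p.CAPool, ServerName: "demo-server"}
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{p.ClientCert}
	}
	c := tls.Client(cliConn, cfg)
	defer c.Close()
	// Under TLS 1.3 the client finishes its half of the handshake before the server has checked the
	// client certificate, so a rejection may only surface on this first read.
	line, err := bufio.NewReader(c).ReadString('\n')
	return line, err
}

func main() {
	p := NewPKI()
	fmt.Println(Connect(p, true))  // "hello demo-client\n" <nil>
	fmt.Println(Connect(p, false)) // an error: the server rejected the anonymous client
}
```

ClientAuth set to tls.RequireAndVerifyClientCert together with a ClientCAs pool is the whole difference between the two modes; without it the server accepts the anonymous connection and the application layer has to identify the client itself. The provisioning cost the paragraph mentions is visible too: the client must hold a certificate signed by a CA the server trusts, and the server must be told which CA that is. Note the read after the handshake: under TLS 1.3 the client's side of the handshake completes before the server has inspected the client certificate, so the rejection arrives as an error on the first read rather than from the handshake itself.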

 
