Authentication

At some fundamental level, you want to be sure that the people you deal with are really who they say they are. The process of proving identity is called authentication.

When you call someone on the telephone, you identify yourself by saying your name. The sound of your voice authenticates you to the person on the other end of the line. When you use an automated bank machine, your bank card identifies you and your secret code authenticates you. Someone else using your bank card would presumably not know your code and thus could not pretend to be you.

Most computer systems use a user ID and password combination for identity and authentication. You identify yourself using a user ID and authenticate your identity with a password.

An asymmetric cipher can be used for authentication. Suppose Marian encrypts her schedule file using her private key. When Robin Hood downloads Marian’s schedule file, he decrypts it using her public key. He can be sure that the file is from Marian because only Marian’s private key could have encrypted the file in the first place.

Asymmetric ciphers are computationally expensive, a nice computer science synonym for slow. Unfortunately, it’s not practical to use an asymmetric cipher for entire conversations. Typically, an asymmetric cipher is used to authenticate the participants of a conversation; the conversation itself is encrypted with a symmetric cipher, using a special one-time key called a session key. Now the challenge is exchanging the session ...

Get Java Cryptography now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.