Chapter 6. Authentication
The first challenge of building a secure application is authentication . Let’s look at some examples of authentication from everyday life:
At an automated bank machine, you identify yourself using your bank card. You authenticate yourself using a personal identification number (PIN). The PIN is a shared secret, something that both you and the bank know. Presumably, you and the bank are the only ones who know this number.
When you use a credit card, you identify yourself with the card. You authenticate yourself with your signature. Most store clerks never check the signature; in this situation, possession of the card is authentication enough. This is true when you order something over the telephone, as well; simply knowing the credit card number is proof of your identity.
When you rent a movie at a video store, you prove your identity with a card or by saying your telephone number.
Authentication is tremendously important in computer applications. The program or person you communicate with may be in the next room or on another continent; you have none of the usual visual or aural clues that are helpful in everyday transactions. Public key cryptography offers some powerful tools for proving identity.
In this chapter, I’ll describe three cryptographic concepts that are useful for authentication:
Message digests produce a small “fingerprint” of a larger set of data.
Digital signatures can be used to prove the integrity of data.
Certificates are used as cryptographically ...