Re: Why couldn't Public keys replace Passwords on the Internet?
From: Aaron Dodd (aaron@aarondodd.com)
Date: 01/24/03
- Next message: Chucky: "LogonUser for a workgroup"
- Previous message: Lohkee: "Re: Password Cracking"
- In reply to: Karl Levinson [x y] mvp: "Re: Why couldn't Public keys replace Passwords on the Internet?"
- Next in thread: x y: "Re: Why couldn't Public keys replace Passwords on the Internet?"
- Reply: x y: "Re: Why couldn't Public keys replace Passwords on the Internet?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Aaron Dodd" <aaron@aarondodd.com> Date: Fri, 24 Jan 2003 12:36:50 -0500
On Fri, 24 Jan 2003 11:19:00 +0000, Karl Levinson [x y] mvp wrote:
> First, I'd think you'd need a cert authority,
Not really. This would be more analogous to using a public/private
key-pair for authenticating an SSH session. The private key doesn't
guarantee you're John Doe, per se, so much as it guarantees you're the
person that created the account/password on the target website.
> Storage of the private key on the client instead of the server and
> relying on the client to authenticate the user seems like a step
> backwards instead of forwards to me, certainly you'd need to do it
> carefully to store the private key securely. At a minimum, I would
> think that each web site would have different requirements for the level
> of authentication security, and with this scheme they'd have no control
> over this.
I think you're confusing the suggestion a little. The site wouldn't store
the private key at all, so there'd be no issue with the security of the
private key (from the server's standpoint). All the server would need to
do is store the public-key/challenge phrase.
The site would then provide this information to the client/browser and
it'd be up to the client/browser to determine if the challenge correctly
matches the private key.
Private-key management would be no more difficult than the current
password/form info storage most browsers provide.
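As an added illustration (not code from this thread or from any poster), here is the exchange Aaron is describing: the site stores only an account's public key, hands the browser a fresh challenge, and the browser answers with a signature from a private key that never leaves it. It is written in Go with the standard library's Ed25519 and goes slightly beyond the post in two places a practitioner would want: the nonce is single-use (a captured response can't be replayed) and the signed message is bound to the site's origin (a signature obtained by another site for its own challenge is useless here). The type and function names, the origin strings, the account name and the transcript format are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server keeps, per account, only the public key plus any outstanding challenge.
// Nothing stored here lets a site compromise recover a login secret.
type Server struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the "create account" step: the client hands over its public key only.
func (s *Server) Register(account string, pub ed25519.PublicKey) { s.pubKeys[account] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(account string) ([]byte, error) {
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[account] = nonce
	return nonce, nil
}

// transcript binds the nonce to the server's origin before it is signed, so a
// signature the client made for some other site's challenge does not verify here.
// The domain-separation string and layout are this example's own choice.
func transcript(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pubkey-login-v1\x00"))
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Verify checks the response against the stored public key and retires the nonce
// first, so the same response cannot be presented twice.
func (s *Server) Verify(account string, sig []byte) error {
	pub, ok := s.pubKeys[account]
	if !ok {
		return errors.New("unknown account")
	}
	nonce, ok := s.challenges[account]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, account)
	if !ed25519.Verify(pub, transcript(s.origin, nonce), sig) {
		return errors.New("signature does not match stored public key")
	}
	return nil
}

// Client is the browser side: one private key per site, kept the way a saved
// form password would be, and never transmitted.
type Client struct{ keys map[string]ed25519.PrivateKey }

func NewClient() *Client { return &Client{keys: map[string]ed25519.PrivateKey{}} }

// Enroll generates a key pair for the server's origin and registers the public half.
func (c *Client) Enroll(s *Server, account string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	c.keys[s.origin] = priv
	s.Register(account, pub)
	return nil
}

// Respond signs the challenge under the origin the browser is actually talking to.
func (c *Client) Respond(origin string, nonce []byte) ([]byte, error) {
	priv, ok := c.keys[origin]
	if !ok {
		return nil, errors.New("no key for " + origin)
	}
	return ed25519.Sign(priv, transcript(origin, nonce)), nil
}

// Login runs one complete challenge/response round and returns the server's verdict.
func Login(c *Client, s *Server, account string) error {
	nonce, err := s.Challenge(account)
	if err != nil {
		return err
	}
	sig, err := c.Respond(s.origin, nonce)
	if err != nil {
		return err
	}
	return s.Verify(account, sig)
}

func main() {
	srv, cli := NewServer("https://example.test"), NewClient() // hypothetical site
	if err := cli.Enroll(srv, "john.doe"); err != nil {
		panic(err)
	}
	fmt.Println("login:", Login(cli, srv, "john.doe")) // nil on success
}
```

Note what the server never sees: the private key, and anything derived from a reusable secret. Losing the site's user table leaks only public keys, which is the property Aaron is after; the cost, as Karl points out, moves to the browser, which now has to protect the private key at least as well as it protects saved passwords.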