How do I present custom evidence of authentication to a server?
From: Danny van Kasteel (Kasteel_at_discussions.microsoft.com)
Date: 06/29/04
Date: Tue, 29 Jun 2004 05:33:01 -0700
Hi,
First off, I'm developing a multi-tier application framework.
I'm trying to have client applications perform authentication using a biometrics device (or any other method that does not check my login server for credentials).
The problem, after the authentication succeeds, is that the client may now be fully aware of the legitimacy of the user, but the server needs to be notified of this as well. So how do I present evidence of this fact to the server, i.e. say to the server "Joe here has been authenticated using biometrics, so please add a biometrics authorization to his session"?
The problem is that I'm communicating to the server under the assumption that the user may be hostile. (i.e. an attacker could be trying to trick the server into believing he was fingerprint-authenticated when he never was).
So the real question is: how can I verify that a message the server is receiving is actual PROOF of the successful authentication?
Many thanks in advance,
Danny van Kasteel