1.3.2. Authentication Confirms an Identity

Authentication is the process of confirming an identity. For network interactions, authentication involves the identification of one party by another party. There are many ways to use authentication over networks. Certificates are one of those way.
Network interactions typically take place between a client, such as a web browser, and a server. Client authentication refers to the identification of a client (the person assumed to be using the software) by a server. Server authentication refers to the identification of a server (the organization assumed to be running the server at the network address) by a client.
Client and server authentication are not the only forms of authentication that certificates support. For example, the digital signature on an email message, combined with the certificate that identifies the sender, can authenticate the sender of the message. Similarly, a digital signature on an HTML form, combined with a certificate that identifies the signer, can provide evidence that the person identified by that certificate agreed to the contents of the form. In addition to authentication, the digital signature in both cases ensures a degree of nonrepudiation; a digital signature makes it difficult for the signer to claim later not to have sent the email or the form.
Client authentication is an essential element of network security within most intranets or extranets. There are two main forms of client authentication:
  • Password-based authentication . Almost all server software permits client authentication by requiring a recognized name and password before granting access to the server.
  • Certificate-based authentication . Client authentication based on certificates is part of the SSL protocol. The client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network. The server validates the signature and confirms the validity of the certificate.

1.3.2.1. Password-Based Authentication

Figure 1.4, “Using a Password to Authenticate a Client to a Server” shows the process of authenticating a user using a username and password. This example assumes the following:
  • The user has already trusted the server, either without authentication or on the basis of server authentication over SSL.
  • The user has requested a resource controlled by the server.
  • The server requires client authentication before permitting access to the requested resource.
Using a Password to Authenticate a Client to a Server

Figure 1.4. Using a Password to Authenticate a Client to a Server


These are the steps in this authentication process:
  1. When the server requests authentication from the client, the client displays a dialog box requesting the username and password for that server.
  2. The client sends the name and password across the network, either in plain text or over an encrypted SSL connection.
  3. The server looks up the name and password in its local password database and, if they match, accepts them as evidence authenticating the user's identity.
  4. The server determines whether the identified user is permitted to access the requested resource and, if so, allows the client to access it.
With this arrangement, the user must supply a new password for each server accessed, and the administrator must keep track of the name and password for each user.