Closed-loop authentication

=Closed-loop Authentication=

Closed-loop authentication, as applied to computer network communication, refers to a mechanism whereby one party verifies the purported digital identity of another party by requiring them to supply a copy of a token transmitted to the canonical or trusted point of contact for that identity. It is also sometimes used to refer to a system of mutual authentication whereby two parties authenticate one another by signing and passing back and forth a cryptographically signed nonce, each party demonstrating to the other that they control the secret key used to certify their identity.

==E-mail Authentication==

When applied specifically to email, closed-loop authentication refers to a technique for validating that a person claiming to possess a particular email address actually does so. This is normally done by sending an email containing a nonce to the address, and requiring that the party being authenticated supply that nonce before the authentication proceeds. The email containing the nonce is usually worded so as to explain the situation to the recipient and discourage them from supplying the nonce (often via visiting a URL) unless they in fact were attempting to authenticate.

For example, suppose that one party, Alice, operates a website on which visitors can make accounts to participate or gain access to content. Another party, Bob, comes to that website and makes an account. Bob supplies an email address at which he can be contacted, but Alice does not yet know that Bob is being truthful (consciously or not) about the address. Alice sends a nonce to Bob's email address in an authentication request, asking Bob to click on a particular URL if and only if the recipient of the mail was making an account on Alice's website. Bob receives the mail and clicks the URL, demonstrating to Alice that he controls the email address he claimed to have. If instead a hostile party, Chuck, were to visit Alice's website attempting to masquerade as Bob, he would be unable to register for an account because the confirmation would be sent to Bob's email address, which Chuck does not control.
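The Alice and Bob exchange above, sketched as an added example (not code from the original article): Alice's side issues a random nonce bound to the claimed address and accepts it back only once. The class and function names, the one-hour lifetime and the example.org addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed policy)


class EmailConfirmations:
    """Alice's side: issue a nonce per claimed address, accept it back once."""

    def __init__(self, clock=time.time):
        self._pending = {}        # sha256(nonce) -> (email, expiry)
        self._clock = clock
        self.verified = set()

    def issue(self, email):
        """Return the nonce to embed in the mail sent to `email` only."""
        nonce = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(nonce.encode()).hexdigest()
        # Store only the digest so a leaked table cannot be replayed as links.
        self._pending[digest] = (email.lower(), self._clock() + TOKEN_TTL)
        return nonce

    def confirm(self, email, nonce):
        """True only if `nonce` was issued for `email`, is unexpired and unused."""
        digest = hashlib.sha256(nonce.encode()).hexdigest()
        entry = self._pending.pop(digest, None)    # pop makes the nonce single-use
        if entry is None:
            return False
        issued_for, expiry = entry
        if self._clock() > expiry or issued_for != email.lower():
            return False
        self.verified.add(issued_for)
        return True


def demo():
    now = [1_000_000.0]                            # constructed fake clock
    alice = EmailConfirmations(clock=lambda: now[0])
    bob_nonce = alice.issue("bob@example.org")     # goes out by mail, never to the browser
    results = {
        "chuck_guess": alice.confirm("bob@example.org", secrets.token_urlsafe(32)),
        "bob_click": alice.confirm("bob@example.org", bob_nonce),
        "replay": alice.confirm("bob@example.org", bob_nonce),
    }
    late = alice.issue("carol@example.org")
    now[0] += TOKEN_TTL + 1                        # let the second link expire
    results["expired"] = alice.confirm("carol@example.org", late)
    return results
```

The nonce proves only that whoever returned it could read mail sent to that address, so the check is no stronger than the secrecy of the mailbox and the delivery path.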

Closed-loop email authentication is useful for simple situations where one party wants to demonstrate control of an email address to another, as a weak form of identity verification. It is not a strong form of authentication in the face of host- or network-based attacks (where an imposter, Chuck, is able to intercept Bob's email, obtaining the nonce and thus masquerading as Bob).

This degree of email authentication is considered by many anti-spam advocates to be the minimum degree necessary for any opt-in email advertising or other ongoing email communication.

An alternate use of closed-loop email authentication is by parties with a shared-secret relationship (for example, a website and someone with a password to an account on that website), where one party has lost or forgotten the secret and needs to be reminded. The party still holding the secret sends it to the other party at a trusted point of contact. The most common instance of this usage is the lost password feature of many websites, where an untrusted party may request that a copy of an account's password be sent by email, but only to the email address already associated with that account. A problem associated with this variation is the tendency of a naïve or inexperienced user to click on a URL if an email encourages them to do so. Most website authentication systems mitigate this by permitting unauthenticated password reminders or resets only by email to the account holder, but never allowing a user who does not possess a password to log in or specify a new one.

In some instances in web authentication, closed-loop authentication is employed before any access is granted to an identified user that would not be granted to an anonymous user. This may be because the nature of the relationship between the user and the website is one that holds some long-term value for one or both parties (enough to justify the increased effort and decreased reliability of the registration process). It is also used in some cases by websites attempting to impede Internet bot registration as a prelude to spamming or other abusive activities.

Although closed-loop authentication (like other types) is an attempt to establish identity, it should be noted that this is not wholly incompatible with anonymity, if combined with a pseudonymity system in which the authenticated party has adequate confidence.

=See Also=

  • Information Security
  • Authentication
  • Cryptography