Sedici

Secure digital credentials
Summary: 

“SeDiCi” is our new, unique online authentication service. It authenticates users in such a way that the password never leaves the user’s browser and the verifier is unable to impersonate the user.

DERI Product Ref: 
DERI-P0017
Problem Description: 
Each time a web application authenticates a user, both the login name and the password are sent. In most cases the credentials are transferred from the client to the server over HTTP.

[Figure: Classical authentication process]
Although, for security reasons, most existing solutions do not store credentials on the server in plaintext, the credentials are still handed to the server in readable form during the authentication procedure. This gives the server unlimited control over the user’s identity, which is a serious privacy problem.


For commercial software such as banking and on-line shopping, developers use communication protocols based on asymmetric cryptography, for instance HTTPS. Such a protocol sets up a secure connection, but the credentials themselves are still sent over it. Hence it still presents an opportunity for phishing attacks. Phishing is an attempt to masquerade as a trustworthy entity in order to obtain customers’ credentials, such as usernames, passwords, credit card numbers, etc. Public key encryption solves the problem only partially, because users are required to provide public and private key pairs or digital certificates. Users, however, are accustomed to logging in with passwords that are easy to remember and convenient to use, and installing a certificate into a web browser is still prone to various attacks, including phishing.
[Figure: SeDiCi authentication process]

Solution Description: 

To provide security, SeDiCi uses a fast and lightweight userid/password login model based on a zero knowledge proof (ZKP). Such an authentication approach is considered to be the most secure way of proving identity. Our work demonstrates that it has been infeasible until now because of its specific requirements: asynchronous communication and the computational demands placed on the user’s browser. However, the advent of AJAX (Web 2.0) technologies, coupled with a novel method of implementing the zero knowledge proof, now makes such an approach feasible.

Commercialisation contact: 
Patrick Mulrooney
Designated Expert: 
Patrick Mulrooney
Projects: 
Líon 2
Funding Agencies: 
Science Foundation Ireland