Certificate-less user authentication with consent

  • Authors: Shingo Orihara; Yukio Tsuruoka; Kenji Takahashi

  • Affiliations: NTT, Musashino-shi, Japan (all authors)

  • Venue: Proceedings of the 2007 ACM workshop on Digital identity management
  • Year: 2007

Abstract

We introduce a new authentication scheme intended for use on electronic commerce (EC) sites, which do not require strict user authentication but do need user identification. That is, the EC sites judge whether a user is the same person who visited the site before. We designed our scheme to be as simple and lightweight as possible; for example, we do not assume the existence of trusted third parties (TTPs), e.g., CAs, which are not necessarily needed to identify users. We noticed that password-based authentication has a property that enables EC sites to confirm that there was an interaction with the user. This can be used to show that the user confirmed some agreement. This confirmation of agreement is sometimes important for EC sites. Our scheme can change how it combines password-based authentication and public-key-based authentication according to its authentication policy, such as the required security level and the necessity of confirmation of agreement.