7

Example:

  • Bob generates a key pair for this example.
  • Bob registers at example dot com where he provides his public key.

  • When Bob tries to log in, example dot com will ask him to sign a random string of a few characters with his private key.

    • If the signature is successfully verified, it is indeed Bob (or Alice who stole Bob's private key, eh what can you do?) and access will be granted.

This sounds so simple. Why has this not been done before?

gxtaillon
  • Probably because authentication systems using client key-pairs want more security than that provides. –  Nov 05 '14 at 11:06
  • It's an infrastructure problem. There's no "dumb user" interface or client to make it quick and easy to generate key pairs. And almost no one uses them as a means for authenticating. Until the demand is there, the supply won't be there. – RoraΖ Nov 05 '14 at 12:35
  • @RickyDemer Could you elaborate on that? How could "more" security be provided? – gxtaillon Nov 05 '14 at 23:55
  • The system could be such that compromising the server's private key neither suffices for MitM nor suffices for replay attacks. –  Nov 06 '14 at 03:19
  • 1
    Except for PGP specifics, this is one option in SSH. The client's public key is preconfigured on the server, for OpenSSH usually in `~user/.ssh/authorized_keys`, and at connect/login the client uses its private key to sign data depending on a server nonce. – dave_thompson_085 Nov 06 '14 at 09:09
  • Related: [Is it possible to use a GPG or SSH key for web based authentication in a secure fashion?](http://security.stackexchange.com/q/44004/12139) – unor Nov 19 '14 at 11:07
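
The login flow described in the question, combined with the server nonce mentioned in the comments, as an added Go example that is not part of the original posts. It uses Ed25519 from the standard library in place of PGP; the `Server` type, the `Payload` format and the 30-second nonce lifetime are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Server is a hypothetical stand-in for example.com's login backend.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey // user -> public key given at registration
	pending map[string]time.Time         // outstanding nonce -> expiry
}

// Challenge issues a fresh random nonce that is valid for 30 seconds.
func (s *Server) Challenge(now time.Time) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.pending[n] = now.Add(30 * time.Second)
	return n
}

// Payload is what the client signs: a fixed tag, the origin and the user are bound
// to the nonce so the signature means nothing elsewhere (fields must not contain "|").
func Payload(origin, user, nonce string) []byte {
	return []byte("login-v1|" + origin + "|" + user + "|" + nonce)
}

// Login consumes the nonce, so a replayed signature fails, then verifies the signature.
func (s *Server) Login(user, nonce string, sig []byte, now time.Time) bool {
	exp, ok := s.pending[nonce]
	delete(s.pending, nonce)
	pub, known := s.keys[user]
	return ok && known && !now.After(exp) && ed25519.Verify(pub, Payload(s.origin, user, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // Bob's key pair
	s := &Server{"example.com", map[string]ed25519.PublicKey{"bob": pub}, map[string]time.Time{}}
	n := s.Challenge(time.Now())
	sig := ed25519.Sign(priv, Payload(s.origin, "bob", n))
	fmt.Println(s.Login("bob", n, sig, time.Now()), s.Login("bob", n, sig, time.Now())) // true false
}
```

Signing a structured payload rather than the bare random string keeps the server from obtaining Bob's signature over text of its own choosing.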

1 Answer

4

It's a chicken/egg problem.

Few people have PGP installed, so nobody builds systems which expect people to be able and willing to use it.

There are few systems which expect people to be able and willing to use PGP, so few people feel the need to install PGP.

However, what you see quite frequently in the wild are authentication systems based on X.509 certificates. It's rare for systems targeted at consumers, but for systems targeted at IT professionals it is quite common. And yes, it even works for websites.

Philipp