Open authentication systems for the Web

DOI: https://doi.org/10.1108/eb040689
Date: 01 March 1998
Pages: 9-15
Published date: 01 March 1998
Authors: Brian Kelly, Peter Lister
Subject matter: Information & knowledge management
by Brian Kelly, UK Web Focus, UKOLN, University of Bath and Peter Lister, Computer Centre, Cranfield University
The rapid growth in Internet services has led to a demand for scaleable authentication systems to restrict access to licensed services (such as bibliographical services, databases, etc.) to authorised users. An increasing number of proprietary applications which provide authentication services are available. However, such applications may only provide an interim solution until authentication services based on open protocols are available. This article reviews developments in such open authentication protocols.
Background
The World Wide Web became popular during the mid 1990s as a means of accessing freely-available information on the Internet. As the Web grew in popularity and sophistication it began to be used to provide information within closed communities such as members of an organisation (the term Intranet was coined to describe this type of usage) and to restrict access to resources within closed communities (sometimes the term Extranet is used in this context).
Initially access was restricted using the web server's authentication system based on usernames and passwords. However, as anyone who has had difficulties in remembering their PIN number for ATMs, burglar alarms, mobile phones, etc. will know, this is not a scaleable solution, as there is a limit to the number of username and password combinations people will be prepared to memorise. Solutions such as restricting access based on the computer's IP number also have limitations. The use of IP numbers as a means of authentication is likely to become more difficult in the light of developments such as increased use of proxy servers and dynamic IP allocation, and the dangers of "IP spoofing".
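The limitation described in the paragraph above can be seen in a small address-based access check. The following Go program is an added example and is not part of the article; the AllowList and Request types are hypothetical helpers, and the addresses are constructed from the RFC 5737 documentation ranges (192.0.2.0/24 stands in for a campus network, the others for off-site addresses). The server can only vouch for the peer address of the TCP connection, so a member connecting from a dynamically allocated home address is refused, while anyone whose traffic arrives through a proxy inside the campus range is admitted, member or not.

```go
package main

import (
	"fmt"
	"net"
)

// AllowList holds the address ranges from which access is permitted,
// for example a campus network. (Hypothetical helper for this example.)
type AllowList struct {
	nets []*net.IPNet
}

// NewAllowList parses CIDR ranges such as "192.0.2.0/24".
func NewAllowList(cidrs ...string) (*AllowList, error) {
	al := &AllowList{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad range %q: %w", c, err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// Permits reports whether addr falls inside any permitted range.
// An address that does not parse is refused.
func (a *AllowList) Permits(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Request models what the web server actually observes about a connection:
// the peer address of the TCP connection and, optionally, a header such as
// X-Forwarded-For that an intermediate proxy may have added. The header is
// supplied by the client side and cannot be verified, so the access decision
// must not depend on it.
type Request struct {
	RemoteAddr   string // peer address as seen by the server
	ForwardedFor string // claimed original client, if a proxy added it
}

// Decide applies the allow list to the only value the server can vouch for.
func (a *AllowList) Decide(r Request) bool {
	return a.Permits(r.RemoteAddr)
}

func main() {
	// Constructed: the documentation range stands in for a campus network.
	campus, err := NewAllowList("192.0.2.0/24")
	if err != nil {
		panic(err)
	}
	cases := []struct {
		label string
		req   Request
	}{
		{"member on campus", Request{RemoteAddr: "192.0.2.10"}},
		{"member at home, dynamic ISP address", Request{RemoteAddr: "198.51.100.77"}},
		{"member at home via campus proxy", Request{RemoteAddr: "192.0.2.1", ForwardedFor: "198.51.100.77"}},
		{"non-member via the same campus proxy", Request{RemoteAddr: "192.0.2.1", ForwardedFor: "203.0.113.9"}},
	}
	for _, c := range cases {
		fmt.Printf("%-40s permitted=%v\n", c.label, campus.Decide(c.req))
	}
}
```

The last two cases give the same answer because the check identifies the proxy, not the person behind it; that is why the article treats IP numbers as a weak basis for authenticating users.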
A third way of managing access to resources is through the use of third-party proprietary applications. A wide range of products, such as Hand's Password Protection Web Software [1], Banyan's SiteMinder [2] and Intranet Protect [3], are available. Many of these products have been developed for the Intranet. A more ambitious attempt has been made in Athens [4]. Athens has been developed by NISS as a means of providing a unified authentication system to nationally provided data sets, using a system based on the Sybase database software.
However, the use of proprietary applications to provide authentication services has a number of limitations:
- They are often restricted to authenticating users and cannot be used for authentication of the service or software.
- Being based on a proprietary application rather than open protocols, they can lock the user into the application vendor, with the inherent dangers of changes in licensing arrangements, company takeovers, etc.
- They may fail to provide the richer functionality provided by products developed in a wider marketplace.
This paper reviews the use of open systems based on digital signatures, certificates and certification authorities for providing a range of authentication services.
Authentication examples
Let us begin by describing a variety of examples in which some form of authentication is required within the UK Higher Education Community.
1. Authentication of the sender of an email message: for example, an email message is sent apparently from a lecturer saying that lectures have been cancelled.
2. Authentication of mobile code: for example, a distributed teaching and learning application has been developed using ActiveX (or Java). The code needs to be authenticated to prevent the display of unnecessary dialogue boxes warning of the dangers of running software from untrusted sources.
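Both examples above reduce to the same check: the recipient holds a public key bound to a claimed identity and verifies a signature over the bytes received, whether those bytes are an email body or a downloaded applet. The Go program below is an added example and is not the article's own code; it uses Ed25519 from the Go standard library as a stand-in for whichever signature scheme a deployment would choose, the Signer and Directory types are hypothetical helpers, and the Directory map stands in for the name-to-key binding that a certificate issued by a certification authority would supply. The sample messages are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a party that holds a private key and publishes the matching
// public key: a lecturer sending email, or a publisher of mobile code.
// (Hypothetical helper for this example; not from the article.)
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for the named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// PublicKey returns the key a recipient would obtain through a certificate.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// Sign produces a detached signature over msg (an email body or a code blob).
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Directory maps a claimed identity to the public key the recipient trusts
// for it. It stands in for the binding between a name and a key that a
// certificate from a certification authority provides.
type Directory map[string]ed25519.PublicKey

// Authenticate checks that msg was signed by the key registered for the
// claimed sender. It fails if the sender is unknown, the signature was made
// with a different key, the signature is malformed, or the message was
// altered after signing.
func (d Directory) Authenticate(claimedSender string, msg, sig []byte) bool {
	pub, known := d[claimedSender]
	if !known {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	lecturer, err := NewSigner("lecturer@example.ac.uk") // constructed identity
	if err != nil {
		panic(err)
	}
	impostor, err := NewSigner("someone-else")
	if err != nil {
		panic(err)
	}
	dir := Directory{lecturer.Name: lecturer.PublicKey()}

	// Constructed sample inputs for the two cases in the article.
	email := []byte("Tomorrow's lectures are cancelled.")
	altered := []byte("Tomorrow's lectures are cancelled!")
	applet := []byte("constructed stand-in for the bytes of a downloaded applet")

	fmt.Println("genuine email verifies:   ", dir.Authenticate(lecturer.Name, email, lecturer.Sign(email)))
	fmt.Println("altered email verifies:   ", dir.Authenticate(lecturer.Name, altered, lecturer.Sign(email)))
	fmt.Println("impostor's email verifies:", dir.Authenticate(lecturer.Name, email, impostor.Sign(email)))
	fmt.Println("genuine applet verifies:  ", dir.Authenticate(lecturer.Name, applet, lecturer.Sign(applet)))
}
```

The impostor case is the one the article's first example is about: a message claiming to come from the lecturer but signed with some other key is rejected, because the recipient looks the key up by the claimed name rather than trusting a key that arrives with the message. That lookup is exactly the step certificates and certification authorities are meant to make scaleable.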
VINE 112, page 9