When I was working on a project a long time ago, I had implemented a zero knowledge login module for the Sun Java Systems Access Manager (formerly known as Identity Server). Here I find myself again trying to advocate the use of zero knowledge password authentication techniques for web applications and am having to explain and provide information to all those folks who are not aware of this authentication method. Well, I thought that it would be good to post a small blog on the same subject with links to all those resources online which can give you a pretty good idea of what the zero knowledge password protocol (ZKPP) is all about.
In short: a zero-knowledge proof is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement. A zero-knowledge proof must satisfy three properties:
- Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
- Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
- Zero knowledgeness: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.
The first two of these are properties of more general interactive proof systems. The third is what makes the proof zero knowledge.
Phoenix Systems has a product called SPEKE (simple password-authenticated exponential key exchange) which uses this technology. For those who would like to obtain an off-the-shelf product that enables zero knowledge password protocol authentication, SPEKE is a good start. Wikipedia has a very good explanation of ZKPP. This paper on Secure Login Protocols is another good resource for learning more about ZKPP. Hannu A. Aronsson from the Helsinki University of Technology also has a very nice paper on Zero Knowledge Protocols and Small Systems. Thomas Wu from Stanford University has a paper on The Secure Remote Password Protocol which gives a very nice background on the framework and the logistics behind implementing a ZKPP authentication structure.
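To make the three properties concrete, here is an added example (not code from the original post, nor from SPEKE, SRP or Access Manager) of a Schnorr-style proof that a client knows a password-derived exponent x without ever sending it; the group parameters, salt and password are constructed toy values, and a real deployment would use a 2048-bit or larger group.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for this example only (p = 2q + 1, both prime).
P = 1907
Q = 953
G = 4  # a square mod P, so it generates the order-Q subgroup

def password_to_secret(password: str, salt: bytes) -> int:
    """Derive the prover's private exponent x from the password; x never leaves the client."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest, "big") % Q or 1

def register(password: str, salt: bytes) -> int:
    """Enrolment: the server stores only the public value y = g^x mod p, not x or the password."""
    return pow(G, password_to_secret(password, salt), P)

def prover_commit():
    """Round 1: prover picks a fresh random nonce r and sends the commitment t = g^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge() -> int:
    """Round 2: verifier sends a random non-zero challenge c."""
    return secrets.randbelow(Q - 1) + 1

def prover_respond(x: int, r: int, c: int) -> int:
    """Round 3: prover answers s = r + c*x mod q; the fresh uniform r masks x."""
    return (r + c * x) % Q

def verify(y: int, t: int, c: int, s: int) -> bool:
    """Completeness: an honest prover always satisfies g^s == t * y^c mod p (after range checks)."""
    if not 0 < t < P or not 0 <= s < Q:
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def simulate(y: int, c: int):
    """Zero knowledge: an accepting (t, s) for a known c can be forged without x, so transcripts leak nothing."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, s

def run_protocol(x: int, y: int, rounds: int = 10) -> bool:
    """Soundness: a prover without x passes one round only by guessing c, i.e. with probability 1/(q-1)."""
    for _ in range(rounds):
        r, t = prover_commit()
        c = verifier_challenge()
        if not verify(y, t, c, prover_respond(x, r, c)):
            return False
    return True
```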
The Stanford University SRP Authentication Project hosts a JavaScript based DEMO of the Secure Remote Password Protocol. I RECOMMEND THIS DEMO TO ALL READERS OF THIS BLOG. RSA Security has a nice writeup by example on how the ZKPP system works. For those seeking more information on ZKPP, Google the term and you'd find volumes of information on the subject.
Hey!! The ZKPP Authentication Module atop the Sun Java Systems Access Manager would make your network more than just comply with the term "SECURE".