Re: Mutual Authentication scheme

[Nick Owen <nickowen () mindspring com>]

Danny wrote:
> I am developing a web solution for the company that I work for and would
> like to have as much security as possible. SSL only authenticates the
> server to the client and I would like a way to authenticate both parties
> to each other. Any ideas/suggestions?
>
> BTW: I will be using Apache 1.3.29 w/ mod_ssl, and OpenSSL v0.9.7
> running on OpenBSD 4.0
>
> Thanks,
> Danny

Danny:

Not sure if you want two-factor authentication as part of that, but both
our open source and commercial versions include mutual authentication.

The server stores a copy of the web site's ssl cert and sends a hash of
it to the token client along with the URL when an OTP is requested. The
token client goes out through the user's internet connection to the URL,
grabs the cert, hashes it and compares the two. If the hashes match, the
user is given the OTP and the default browser is launched to the correct
SSL website. On the downside, it means software on the client.

Hope that helps and is not too spammy.

http://www.wikidsystems.com
https://sourceforge.net/projects/wikid-twofactor/

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen