Security Basics mailing list archives
Re: Mutual Authentication scheme
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 09 Mar 2007 15:41:42 -0500
Danny wrote:
I am developing a web solution for the company that I work for and would like to have as much security as possible. SSL only authenticates the server to the client and I would like a way to authenticate both parties to each other. Any ideas/suggestions? BTW: I will be using Apache 1.3.29 w/ mod_ssl, and OpenSSL v0.9.7 running on OpenBSD 4.0 Thanks, Danny
Danny: Not sure if you want two-factor authentication as part of that, but both our open source and commercial versions include mutual authentication. The server stores a copy of the web site's ssl cert and sends a hash of it to the token client along with the URL when an OTP is requested. The token client goes out through the user's internet connection to the URL, grabs the cert, hashes it and compares the two. If the hashes match, the user is given the OTP and the default browser is launched to the correct SSL website. On the downside, it means software on the client. Hope that helps and is not too spammy. http://www.wikidsystems.com https://sourceforge.net/projects/wikid-twofactor/ Nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication https://www.linkedin.com/in/nickowen
Current thread:
- Mutual Authentication scheme Danny (Mar 09)
- Re: Mutual Authentication scheme Nick Owen (Mar 09)
- Re: Mutual Authentication scheme Devdas Bhagat (Mar 12)