[Courses] zero-knowledge national ID system
Jp Calderone
kuran42 at yahoo.com
Thu Mar 21 17:14:31 EST 2002
IIRC, zero knowledge goes like this:

Authenticatee ("Client") requests authentication from
Authenticator ("Server").

Server uses authentication data that only the real
individual the Client is claiming to be could know to
encrypt some random data, then sends the encrypted
data to Client.

Client receives encrypted random number and decrypts
it, using information only the real individual the Client is
claiming to be could know. Decrypted information is sent
back to Server.

If decrypted information equals original unencrypted information,
Server authenticates the Client.

It is called "zero-knowledge" because, as you can see, the
information that identifies the individual as themself is never
transmitted. I believe this is roughly the protocol that SSH uses,
to avoid exposing keys to possible capture.

Katie Bechtold wrote:
>I have a question that is security-related, although it isn't
>exactly related to what we've been discussing. I just read the term
>"zero-knowledge national identifier system" mentioned on another
>mailing list (the sg-dc, or Security Geeks D.C. list). Do any of
>you know what that means? I tried googling on that phrase, but I
>basically just got a bunch of references to the company
>Zero-Knowledge Systems. (I'm asking here because I'd be embarrassed
>to show my cluelessness on the mostly-male sg-dc list.)
>
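
The challenge-response exchange described in the reply above, as an added example that is not part of the original message: the Server encrypts a fresh random value, the Client decrypts it, and the Server compares. Modelling the "information only the real individual could know" as an RSA private key is an assumption, as are the constructed toy key and the names `make_keypair`, `Server` and `client_respond`.

```python
import hmac
import secrets

# Constructed toy key: two Mersenne primes, textbook RSA with no padding.
# Far too small and too simple for real use; it only makes the flow visible.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


class Server:
    """Authenticator: holds only the public key of the claimed identity."""

    def __init__(self, public_key):
        self.n, self.e = public_key
        self._pending = None  # plaintext of the one outstanding challenge

    def issue_challenge(self):
        # Fresh random value per attempt, encrypted to the claimed identity.
        self._pending = secrets.randbelow(self.n - 2) + 2
        return pow(self._pending, self.e, self.n)

    def verify(self, response):
        # A challenge is single use: it is consumed whether or not it matches,
        # so a captured response cannot be replayed against a later attempt.
        expected, self._pending = self._pending, None
        if expected is None or not isinstance(response, int):
            return False
        if not 0 <= response < self.n:
            return False
        width = (self.n.bit_length() + 7) // 8
        # Constant-time comparison of the two fixed-width encodings.
        return hmac.compare_digest(expected.to_bytes(width, "big"),
                                   response.to_bytes(width, "big"))


def client_respond(private_key, challenge):
    """Authenticatee: decrypt the challenge; the private key never leaves."""
    n, d = private_key
    return pow(challenge, d, n)
```
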