30 Jul 2015 - Zero Knowledge Authentication

The Zero Knowledge Proof (ZKP) authentication protocol is used in cryptography to allow a party to prove that he/she knows something (e.g. a credential), without having to transmit this credential. There are two parties involved in ZKP; the prover A and the verifier B, where ZKP enables a “prover” to show that they have the credential (ie, credit card number or password), without having to give the “verifier” the credential details. With ZKP there is no transmission or storage of password /credential details on the authentication server. ZKP delivers the following benefits:

• Zero-Knowledge: if the statement is true, the verifier will not know anything other than that the statement is true. Information about the details of the statement will not be revealed.
• Completeness: If the statement is true, the honest verifier (that is one following the protocol properly) will be able to prove that the statement is true every time.
• Soundness: if the statement is false, it is almost impossible to an astronomically small chance that someone could fake the result to the verifier that the statement is true.

The transformation of user engagement with digital services in recent years has created significant vulnerabilities in the security and management of users’ private information. Traditional ways of authenticating a user have highlighted many flaws where a user’s private information can be stolen and exploited creating significant implications of serious financial / reputational consequences to the users and holder of this data. Much of recent data compromises have been from vulnerabilities in integrated third party systems where the password or validated process was stored or transmitted, thus highlighting the need for new authentication methods in changing digital environments. Such factors include:

• The increasing use of web applications and how users engage online
• Issues relating to the security of web applications such as cross-site scripting and password sniffing, exposing users to identity theft and loss of their personal, financial and private data
• Current login processes highlight inherent problems such as:
  • Insecure wireless networks create vulnerabilities for both the user and company such as password sniffing, replay, interleaving, reflection, forced delay and “man-in-the-middle” attacks.
  • Insecure 3G network attributes in the 128-bit A5/3 encryption have identified algorithmic flaws, making it susceptible to attacks, similar to unsecured wireless access points
  • The transmission of password hashes creates vulnerabilities for hackers to login and masquerade as legitimate users (causing a bigger issue when the same password is used across multiple applications).

The Sedicii Zero-Knowledge Authentication (ZKA) is based on the proven ZKP protocol to enable secure login without the transmission and storage of private user data. The Sedicii Authentication process is protected by US patent 8,411,854. Within the Sedicii ZKP Authentication process, the following applies:

• At no point does the user send the private information to the Verifier, which means that with Sedicii ZKA, the private user data is not transmitted or stored anywhere. As no private data is transmitted, any information being obtained during transmission is of no value for hackers to commit fraud.
• The Sedicii authentication is carried out 20, 30, or more times against a combination of permutations and each permutation used is not repeated in subsequent authentications.
• With the Sedicii implementation, the permutation information used is only valid once and within a time limit to prevent replay and brute force attacks.

Sedicii ZKA has benefits over other authentication systems due to the fact that there is no additional hardware required and works in a normal web client-server application. The Sedicii technology uses standard features in HTML 5, which eliminates the need for a browser plug-in. When a user logs in to a Sedicii enabled Identity Verification Server or Authentication Server, a series of mathematical challenges are sent to the user’s browser from the server that requires responses. The information is authenticated only when all of the challenges are responded to correctly by the user’s browser. A different set of challenges are presented for each new verification attempt. The same methodology can be applied to multiple types of private information such as credit card payment authorisations so that actual card details need never be transmitted over the web.

Sedicii’s new and innovative method of authenticating users without storing, sharing or exposing the users private information has won recognition with international awards from government, banking and data security organisations, including British Telecom, EY, The European Union’s Horizon 2020 program, BBVA, Swift and others.

Tags: authentication, biometrics, security, Sedicii, two factor, zero knowledge proof