Shared Secret
Shared secret authentication is where each entity has a secret, such as a password, that is shared with the authentication system. Proof that the entity holds the secret can take one of the following forms.
• The secret itself is sent from the entity to the verifier. Web browsers using the basic authentication scheme use this method. It is not very secure, since anyone who obtains the secret in transit can impersonate the entity. More security can be added by encrypting the conversation.
• The secret is used to encrypt a commonly known piece of data. The encrypted data is sent to the authentication system, which verifies the sender's identity by performing the same encryption itself and comparing the result with the sender's data.
• A "challenge-response" protocol is used, in which the verifier provides a piece of randomly generated data (the challenge), which the sending entity encrypts using the shared secret. The entity sends back the encrypted data (the response), which the verifier compares with its own version. If they match, the verifier accepts that the entity is who it claims to be.
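The following is an added example, not part of the original text, that models the last two forms of proof in Python. It substitutes an HMAC over the data for the "encryption" the text describes (a keyed function that both sides can compute and compare), and uses a constructed secret; the class and function names are assumptions. It shows both sides of the challenge-response exchange, why the verifier must treat each challenge as single-use, and why a proof computed over fixed, commonly known data is identical every time and therefore can be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the entity and the verifier.
SHARED_SECRET = b"constructed-demo-secret"

# Fixed, commonly known data for the "encrypt known data" form of proof.
KNOWN_DATA = b"AUTHENTICATE"


def keyed_proof(secret: bytes, data: bytes) -> bytes:
    """Stand-in for 'encrypt data with the shared secret': HMAC-SHA256."""
    return hmac.new(secret, data, hashlib.sha256).digest()


def static_proof(secret: bytes) -> bytes:
    """Second form: proof over commonly known data. Same value every time,
    so an observer who captures it once can resend it later."""
    return keyed_proof(secret, KNOWN_DATA)


class Verifier:
    """Third form: the verifier side of a challenge-response exchange."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[bytes] = set()  # challenges not yet answered

    def challenge(self) -> bytes:
        """Issue a fresh random challenge and remember it."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Accept only a response to a challenge we issued and have not yet
        consumed; a replayed (nonce, response) pair is rejected."""
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # each challenge is single-use
        expected = keyed_proof(self._secret, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Entity side: compute the response to the verifier's challenge."""
    return keyed_proof(secret, nonce)


def run_exchange(verifier: Verifier, entity_secret: bytes) -> tuple[bytes, bytes, bool]:
    """Full exchange: verifier -> challenge, entity -> response, verifier -> decision."""
    nonce = verifier.challenge()
    response = respond(entity_secret, nonce)
    return nonce, response, verifier.verify(nonce, response)


if __name__ == "__main__":
    v = Verifier(SHARED_SECRET)
    nonce, response, ok = run_exchange(v, SHARED_SECRET)
    print("genuine entity accepted:", ok)
    print("same response replayed:", v.verify(nonce, response))
    print("static proof repeats:", static_proof(SHARED_SECRET) == static_proof(SHARED_SECRET))
```

Running the script accepts the genuine entity once, rejects the identical (nonce, response) pair when it is presented a second time, and shows that the static proof over known data never changes, which is the property that makes the challenge-response form preferable when the channel itself is not encrypted.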