Hi, is there any way to authenticate without keys (symmetric or asymmetric) or certificates? If there is, can we do it in Java? Thanks, Gaurav
Marco Pistoia
Author
Greenhorn
Joined: Apr 19, 2004
Posts: 27
You can authenticate with user ID and password. You can do this in Java. You can use the capabilities of the J2EE container so that you don't have to hard-code information in the programs (this is covered in my latest book, "Enterprise Java Security," published by Addison-Wesley), but you can find other resources online too. Regards, Marco Pistoia
Marco Pistoia, Ph.D. http://www.research.ibm.com/people/p/pistoia/
Gaurav Mendiratta
Greenhorn
Joined: Apr 21, 2004
Posts: 2
What about when you have to authenticate for the first time, when you don't have a user ID or anything? Gaurav
Nicholas Cheung
Ranch Hand
Joined: Nov 07, 2003
Posts: 4982
Even if there are no user IDs and passwords, the system can still use other means for authentication. We can use the IP address as the authentication. For example, your system only allows companies A and B to connect, and you know the domains of their IP addresses are 146.8 and 147.8. Thus, you can:
1. Limit the access at the firewall, by filtering out requests to the server that are NOT using the 2 IP prefixes.
2. Write your programs such that they check the IP address of the request; if the IP does not match the one you expected, throw an UnexpectedIPException.
Nick [ April 21, 2004: Message edited by: Nicholas Cheung ]
Fairly difficult to use IP addresses for authentication, since as a user you are not always getting a fixed IP address. Therefore you can have a specific IP address blocked, that is true, but you cannot depend on that same mechanism to authenticate someone today, since he may have a different IP address tomorrow. Also some companies have only one external IP address, and you may want to block someone with that IP, but not the other with the same IP.
Have a nice one
Nicholas Cheung
Ranch Hand
Joined: Nov 07, 2003
Posts: 4982
Fairly difficult to use IP addresses for authentication, since as a user you are not always getting a fixed IP address. Therefore you can have a specific IP address blocked, that is true, but you cannot depend on that same mechanism to authenticate someone today, since he may have a different IP address tomorrow.
IP addresses are dynamic, but NOT the domain address. For example, if you have a class C address, among the 4 IP digits (w.x.y.z), (w, x) will be the network (domain) address, while (y, z) are the subnet addresses. The change in IP can only be in (y, z), but NOT in (w, x), since the domain address is assigned to you, because the DHCP server cannot assign you an IP address that is not in its domain (or it can assign it to you, but you cannot talk with the LAN computers). Of course, for Internet use, this approach does not work, because different ISPs use different domain addresses. But for internal use, like an E-library in a university, you must obtain an IP (via dialup) from the university, and only such an IP prefix can access the data in the library system. You just try to block those people who are not students of the university. This mechanism can also be used for server-to-server authentication. If bank A's back office system wants to access the one in bank B, since the domain address of B must be, say, (a.b), hackers cannot connect to bank A's system using domain (e.f) unless they hack into bank B's system and use the networked computer to connect.
Also some companies have only one external IP address, and you may want to block someone with that IP, but not the other with the same IP.
As said, it depends on the usage. In such cases, you must use PKI or password-based authentication. In fact, each measure has its own strengths and weaknesses in applications. In some cases, even PKI is not a good way. Consider when only 1 certificate is issued to 1 company, while, in fact, there is more than 1 staff member who needs to decrypt the confidential info for processing. If more than 1 staff member knows the private key, this may also cause vulnerabilities. Nick
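The prefix check that Nick describes in both of his posts (step 2 of the first one, and the "domain address" matching of the second) looks roughly like the following in Java. This is an added example, not code from the thread or from any of its posters: the `UnexpectedIPException` name comes from Nick's post but the class is hypothetical, the 146.8.0.0/16 and 147.8.0.0/16 prefixes are the thread's own sample values, and the allowed networks are written CIDR-style (address plus prefix length) rather than by address class, so any prefix length can be expressed. It needs Java 9 or later for `List.of`.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: allow-list a request's source address by network prefix and
// reject everything else with the exception the forum post names.
public class IpPrefixAuthorizer {

    // Hypothetical exception type: the thread names it but never defines it.
    public static class UnexpectedIPException extends Exception {
        public UnexpectedIPException(String message) { super(message); }
    }

    // One allowed network: its network bits and the mask that selects them.
    private static final class Rule {
        final int network;
        final int mask;
        Rule(int network, int mask) { this.network = network; this.mask = mask; }
    }

    private final List<Rule> rules = new ArrayList<>();

    // cidrs such as "146.8.0.0/16": the prefix length is how many leading bits
    // must match, i.e. the "domain address" part of the thread's explanation.
    public IpPrefixAuthorizer(List<String> cidrs) {
        for (String cidr : cidrs) {
            String[] parts = cidr.split("/");
            if (parts.length != 2) throw new IllegalArgumentException("expected a.b.c.d/n: " + cidr);
            int prefix = Integer.parseInt(parts[1]);
            if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix length: " + cidr);
            int mask = prefix == 0 ? 0 : -1 << (32 - prefix);   // top 'prefix' bits set
            rules.add(new Rule(parseIpv4(parts[0]) & mask, mask));
        }
    }

    // Parse the dotted-quad literal ourselves so no DNS lookup can ever happen.
    static int parseIpv4(String literal) {
        String[] octets = literal.split("\\.", -1);
        if (octets.length != 4) throw new IllegalArgumentException("not an IPv4 literal: " + literal);
        int value = 0;
        for (String octet : octets) {
            if (!octet.matches("\\d{1,3}")) throw new IllegalArgumentException("bad octet in: " + literal);
            int n = Integer.parseInt(octet);
            if (n > 255) throw new IllegalArgumentException("octet out of range in: " + literal);
            value = (value << 8) | n;
        }
        return value;
    }

    // True when the address lies inside any allowed prefix. Anything that is not
    // a plain IPv4 literal (an IPv6 address, a hostname) is rejected, not guessed at.
    public boolean isAllowed(String clientIp) {
        int ip;
        try {
            ip = parseIpv4(clientIp);
        } catch (IllegalArgumentException e) {
            return false;
        }
        for (Rule r : rules) {
            if ((ip & r.mask) == r.network) return true;
        }
        return false;
    }

    // Step 2 of the post: check the request's address and throw if it is unexpected.
    // In a servlet filter the argument would be request.getRemoteAddr().
    public void check(String clientIp) throws UnexpectedIPException {
        if (!isAllowed(clientIp)) {
            throw new UnexpectedIPException("request from unexpected address " + clientIp);
        }
    }

    public static void main(String[] args) {
        IpPrefixAuthorizer auth = new IpPrefixAuthorizer(List.of("146.8.0.0/16", "147.8.0.0/16"));
        // Constructed sample addresses: two inside the allowed prefixes, three outside.
        String[] samples = { "146.8.12.34", "147.8.0.1", "146.9.0.1", "10.0.0.1", "2001:db8::1" };
        for (String ip : samples) {
            try {
                auth.check(ip);
                System.out.println(ip + " -> allowed");
            } catch (UnexpectedIPException e) {
                System.out.println(ip + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two practical points when wiring this into a container. First, `request.getRemoteAddr()` is the address of whoever opened the TCP connection; behind a reverse proxy or load balancer that is the proxy, and the real client address only arrives in a header (such as `X-Forwarded-For`) that must be populated by a proxy you control and validated, never taken from the client as-is. Second, as the unnamed reply in this thread already notes, a source prefix only says which network a request came from, not who is behind it, so this check is a coarse network filter that complements, rather than replaces, the user ID/password or PKI authentication discussed above.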