Authentication without Keys?

Hi,
Is there any way to authenticate without keys (symmetric or asymmetric) or certificates? If there is, can we do it in Java?
Thanks
Gaurav
 
You can authenticate with a user ID and password. You can do this in Java. You can use the capabilities of the J2EE container so that you don't have to hard-code information in the programs. (This is covered in my latest book, "Enterprise Java Security," published by Addison-Wesley, but you can find other resources online too.)
Regards,
Marco Pistoia
 
Gaurav Mendiratta
What about when you have to authenticate for the first time, and you don't have a user ID or anything?
Gaurav
 
Even if there are no user ID and password, the system can still use other means for authentication. We can use the IP address for authentication.
For example, your system only allows companies A and B to connect, and you know the domains of their IP addresses are 146.8 and 147.8. Thus, you can:
1. Limit the access at the firewall, by filtering out requests to the server that are NOT using the two IP addresses.
2. Write your programs so that they check the IP address of the request; if the IP does not match the one you expected, throw an UnexpectedIPException.
Nick
[ April 21, 2004: Message edited by: Nicholas Cheung ]
 
It is fairly difficult to use IP addresses for authentication, since as a user you are not always getting a fixed IP address. Therefore you can have a specific IP address blocked, that is true, but you cannot depend on that same mechanism to authenticate someone today, since he may have a different IP address tomorrow.
Also, some companies have only one external IP address, and you may want to block someone with that IP but not another person with the same IP.
 
Nicholas Cheung

It is fairly difficult to use IP addresses for authentication, since as a user you are not always getting a fixed IP address. Therefore you can have a specific IP address blocked, that is true, but you cannot depend on that same mechanism to authenticate someone today, since he may have a different IP address tomorrow.

IP addresses are dynamic, but NOT the domain address.
For example, if you have a class C address, among the 4 IP digits (w.x.y.z), (w, x) will be the network (domain) address, while (y, z) is the subnet address.
The change in IP can only happen in (y, z), but NOT in (w, x), since the domain address is assigned to you, because the DHCP server cannot assign you an IP address that is not in its domain (or it can assign it to you, but you cannot talk with the LAN computers).
Of course, for Internet use, this approach does not work, because different ISPs use different domain addresses. But for internal use, like an e-library in a university, you must obtain an IP (via dial-up) from the university, and only such an IP prefix can access the data in the library system. You just try to block those people who are not students of the university.
This mechanism can also be used for server-to-server authentication. For bank A's back office system to access the one in bank B's, since the domain address of B must be, say, (a.b), hackers cannot connect to bank A's system using domain (e.f) unless they hack into bank B's system and use the networked computer to connect.

Also, some companies have only one external IP address, and you may want to block someone with that IP but not another person with the same IP.

As said, it depends on the usage. In such cases, you must use PKI or password-based authentication.
In fact, each measure has its own strengths and weaknesses in applications. In some cases, even PKI is not a good way. Consider when only one certificate is issued to one company, while in fact more than one staff member needs to decrypt the confidential info for processing. If more than one staff member knows the private key, this may also cause vulnerabilities.
Nick
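Nick's second step (checking the request's source address against the company prefixes and throwing an UnexpectedIPException) as an added Java example; this is not code from the thread. It assumes IPv4 only, Java 9 or later for List.of, and treats the thread's 146.8 / 147.8 "domains" as /16 prefixes; the exception name is the one Nick suggests, and 203.0.113.9 is a constructed outside address.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
/** Thrown for a request from outside the allow-list; the name is the one Nick suggests. */
class UnexpectedIPException extends SecurityException {
    UnexpectedIPException(String msg) { super(msg); }
}

/** IPv4 allow-list of CIDR prefixes such as "146.8.0.0/16" (the 146.8 "domain" from the thread). */
final class IpAllowList {
    private final int[] networks;
    private final int[] masks;
    IpAllowList(List<String> cidrs) throws UnknownHostException {
        networks = new int[cidrs.size()];
        masks = new int[cidrs.size()];
        for (int i = 0; i < cidrs.size(); i++) {
            String[] parts = cidrs.get(i).split("/");
            int prefixLen = Integer.parseInt(parts[1]);
            // a /16 keeps the top 16 bits, i.e. the first two octets Nick calls (w, x)
            masks[i] = prefixLen == 0 ? 0 : -1 << (32 - prefixLen);
            networks[i] = toInt(InetAddress.getByName(parts[0])) & masks[i];
        }
    }
    /** Packs the four octets into one int, most significant octet first. */
    static int toInt(InetAddress addr) {
        byte[] b = addr.getAddress();
        if (b.length != 4) throw new IllegalArgumentException("IPv4 only");
        return (b[0] & 0xff) << 24 | (b[1] & 0xff) << 16 | (b[2] & 0xff) << 8 | (b[3] & 0xff);
    }
    boolean permits(InetAddress peer) {
        int ip = toInt(peer);
        for (int i = 0; i < networks.length; i++) if ((ip & masks[i]) == networks[i]) return true;
        return false;
    }
    /** Gate on the socket's peer address, never on a header the client fills in itself. */
    void check(InetAddress peer) {
        if (!permits(peer)) throw new UnexpectedIPException("rejected " + peer.getHostAddress());
    }

    public static void main(String[] args) throws Exception {
        IpAllowList acl = new IpAllowList(List.of("146.8.0.0/16", "147.8.0.0/16"));
        acl.check(InetAddress.getByName("146.8.23.5"));      // inside 146.8/16: passes silently
        try {
            acl.check(InetAddress.getByName("203.0.113.9")); // constructed outsider: rejected
        } catch (UnexpectedIPException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

As the replies above point out, this filters by network location rather than identifying a person, so it belongs at the firewall or socket layer alongside password or PKI authentication, not in place of it.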