SiteKey
SiteKey is a web-based security system that provides one type of mutual authentication (two-way authentication, in which the user authenticates to the server and the server authenticates itself to the user) between end-users and websites. Its primary purpose is to deter phishing.

SiteKey has been deployed by several large financial institutions since 2006, including Bank of America and The Vanguard Group.

The product is owned by RSA Data Security which in 2006 acquired its original maker, Passmark Security.

How it works

SiteKey uses the following challenge-response technique:
  1. User identifies (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one the site proceeds.
  2. Site authenticates itself to the user by displaying an image and accompanying phrase that he has earlier configured. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
  3. User authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.

Weaknesses

SiteKey is designed to prevent users from disclosing their login credentials to a phishing site. The rationale is that a phishing site would not have the SiteKey image and phrase for a user. The obvious flaw in the design is that the genuine site hands the image and phrase to anyone who presents a valid username, so a phishing site can request them from the genuine site, serve them to the user, and thereby "prove" its legitimacy. SiteKey is thus susceptible to a man-in-the-middle attack: the attacker makes independent connections to the user and to the genuine site and relays messages between them, while the user believes they are talking to the bank directly.
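The following simulation is an added example, not code from SiteKey, PassMark or RSA. It walks through the three steps listed under "How it works" against a constructed site, then shows the man-in-the-middle relay described above: a fake site that guesses the image is caught by the user, while a fake site that forwards the username to the genuine site and echoes back the real image and phrase passes the user's check and captures the password. The site name, user record, image filename and phrase are invented for the demonstration; the password storage is a toy PBKDF2 stand-in, not SiteKey's actual back end.

```python
"""Simulation of the SiteKey challenge-response flow and of the
man-in-the-middle relay that defeats it.  Added example with constructed
data; not code from SiteKey, PassMark or RSA."""

import hashlib
import hmac
import secrets


class SiteKeySite:
    """The genuine site: per username, a SiteKey image, phrase and a
    password hash.  Toy storage; a real deployment would use bcrypt/argon2."""

    def __init__(self, name):
        self.name = name
        self._users = {}

    def register(self, username, image, phrase, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = {"image": image, "phrase": phrase,
                                 "salt": salt, "digest": digest}

    def challenge(self, username):
        """Steps 1-2: user presents only a username; a valid one is answered
        with that user's image and phrase, an unknown one stops the flow."""
        rec = self._users.get(username)
        if rec is None:
            return None
        return (rec["image"], rec["phrase"])

    def login(self, username, password):
        """Step 3: verify the password for the username."""
        rec = self._users.get(username)
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     rec["salt"], 100_000)
        return hmac.compare_digest(digest, rec["digest"])


class GuessingFake:
    """A standalone phishing site that does not talk to the real site.  It
    has to guess the image and phrase, so the user can spot it."""

    def challenge(self, username):
        return ("kitten.png", "hello")

    def login(self, username, password):
        return True


class RelayingFake:
    """Man-in-the-middle phishing site.  It relays the username to the genuine
    site, echoes back the real image and phrase, then captures the password
    and relays it too so the victim sees a normal, successful login."""

    def __init__(self, real_site):
        self.real = real_site
        self.captured = []

    def challenge(self, username):
        return self.real.challenge(username)

    def login(self, username, password):
        self.captured.append((username, password))
        return self.real.login(username, password)


class User:
    """Follows the three SiteKey steps exactly as the text prescribes."""

    def __init__(self, username, image, phrase, password):
        self.username, self.image = username, image
        self.phrase, self.password = phrase, password

    def visit(self, site):
        shown = site.challenge(self.username)
        if shown != (self.image, self.phrase):
            # Step 2 failed: treat the site as phishing and abandon it.
            return {"recognised": False, "logged_in": False}
        return {"recognised": True,
                "logged_in": site.login(self.username, self.password)}


def demo():
    """Run the honest flow, a guessing fake and a relaying fake; return results."""
    real = SiteKeySite("bank.example")           # constructed site
    real.register("alice", "sailboat.png", "blue skies", "correct horse battery")
    alice = User("alice", "sailboat.png", "blue skies", "correct horse battery")
    relay = RelayingFake(real)
    return {
        "unknown_user": real.challenge("mallory"),   # None: site stops
        "honest": alice.visit(real),                 # recognised, logged in
        "guessing_fake": alice.visit(GuessingFake()),# not recognised, abandoned
        "relaying_fake": alice.visit(relay),         # recognised, logged in
        "captured": relay.captured,                  # password now stolen
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `guessing_fake` result is the case SiteKey was designed for; the `relaying_fake` result is the weakness: nothing in the exchange binds the image and phrase to the party that is showing them, so any site able to reach the genuine one can present them.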

It also requires users to keep track of more authentication information. Someone associated with N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.