October 30

Fallible IMSP

0  comments

Resolve Pain Point

Most instant messenger system providers (IMSPs) in the marketplace require prospective users to send in their personal information (e.g., email, username, and password) to register at the providers’ centralized servers. Only in doing so, the users can use the info to authenticate themselves to the centralized servers when they try to login to access the service in the future. Some prospective users may mistakenly believe that their personal information is unique and that their correspondence is secure because IMSP claims that personal information is checked against existing users for potential duplicates. But in fact, it is the IMSPs who create the account and they can always forge any user information for unethical ends. To tackle that, Citium uses a unique authentication mechanism for better checks and balances between users and IMSP: A user authentication info is entirely generated by the user but no one else. IMSPs still own the rights to grant authorized users access to their services.

Traditional Solution

Traditionally, instant messenger system providers (IMSPs) provide service to their users through the following authentication and authorization regime:

  1. A user submits his/her user info (e.g., account ID and password) to the IMSP.
  2. IMSP authenticates the user info.
  3. IMSP authorizes the user to use its service.

The traditional regime is not cryptanalytically secure, because IMSP holds all user info so that it is theoretically possible for the IMSP to falsify user behavior. Moreover, IMSP sometimes fails to secure against malicious attacks. Last but not least, social hacking preys on careless users who apply the same set of profiles (e.g., same username, gender, and age) at different IMSPs. Security breach at one of these IMSPs may cause Internet-wide privacy leak for the users.

Citium Solution

Citium is different from the traditional authentication and authorization regime. Instead of submitting user info, Citium works as follows:

  1. A user submits his/her user signature pertaining only to the applicable service session to the IMSP.
  2. IMSP authenticates the signature.
  3. IMSP authorizes the user to use its service.

The Citium regime is cryptanalytically secure because IMSPs are theoretically impossible to falsify user behavior. Even if the IMSP is hacked, the attacker is also theoretically unable to falsify the user’s signature or behavior. Most importantly, even the most careless users are unable to leak personal information because the Citium regime is designed like a black-box. Some call such an approach as zero-knowledge proof. IMSPs can authenticate users and authorize communication services without the need to obtain any user privacy information. Since any IMSP or unscrupulous hacker in the Citium regime can no longer be able to selectively delay or deny service, it is impossible to perform unauthorized analysis of user behavior.


Tags

infosec


You may also like

The Unsecure Email

Define: Message-oriented middleware (MOM)

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!

en_USEnglish