Advertisment

Building a Trustworthy Digital Future: How Digital Credentials Enhance World-Wide-Web Security

author-image
DQINDIA Online
Updated On
New Update
digital credentials

As our digital and real-world lives increasingly merge, safeguarding data in our numerous online transactions becomes critical. Translating trust from real-world to digital exchanges is vital for securing our online presence. Digital credentials are making this possible, offering insights into the evolution of the digital trust paradigm, as discussed in our previous article The evolution of digital trust paradigm.

Advertisment

Exploring the pivotal role of digital credentials within Transport Layer Security (TLS) reveals their critical function in enabling Public Key Infrastructure (PKI). From the internet's very inception, TLS has been instrumental in ensuring the security of online communications, serving as the backbone for safe data exchange. It is the mechanism that underpins secure connections across the web, encrypting data in transit to prevent unauthorised access and ensuring the integrity of information exchanged between parties.

In today's landscape, marked by the proliferation of AI and cyber threats alike, reassessing our methods to fortify the privacy and security of our data is imperative. The current digital age demands we embrace more advanced security frameworks to effectively address these challenges. By understanding and leveraging advanced tools like TLS and PKI, we can better safeguard our digital interactions against the ever-evolving threats of the cyber world.

Client-Server and The Man-in-the-Middle

Advertisment

Long before the evolution of the modern internet as we know it today, security and privacy in digital transactions were of paramount concern. This was the era of Web 1.0, the first version of the internet, where digital users were merely consumers of information; web developers were the only content creators, and ubiquitous 'http' protocol governed browser addresses.

Affinidi

In the traditional client-server communication model, powered by http, anyone with basic networking tools can decipher every bit of the un-encrypted interaction between a browser (i.e. client) and the website (i.e. server). Fortunately, browsers ensure that users are cautioned that such interactions are not innately secure.

Advertisment

Affinidi

Client-Server and HTTPS

It did not take long before Netscape, in 1995, introduced Hyper Text Transfer Protocol Secure (HTTPS), which was HTTP secured by SSL 2.0 - a cryptographic protocol that provided end-to-end communication security over networks. This protocol has evolved significantly since then and is now known as TLS (Transport Layer Security), with the most recent version being TLS 1.3.

Advertisment

When you visit a website, the presence of a padlock icon next to the website address signifies a secure connection, instilling trust in users to proceed with sensitive actions such as entering personal or financial information. 

Affinidi

We explore in depth the intricate workings behind this assurance.

Advertisment

Part 1: Client Authenticates Server – TLS Handshake and Public Key Cryptography

After the initial DNS resolution and TCP 3-way handshake, a TCP connection is established between your browser and the server. Since your connection is HTTPS (not HTTP), a TLS handshake is initiated by the browser. This stage involves negotiating secure communication between the browser and the server.

Affinidi

Advertisment

Step 1: Client says Hello - The browser sends a “hello” to the server. At this point, the server is expected to “identify” itself to get authenticated.  

In the context of authentication, “passwords” are an unfortunate assumption in today’s world. The founders of internet security wisely avoided this route, opting for TLS protocol where server’s authentication happens through digital certificates powered by public key cryptography.

  1. Every HTTPS-enabled server generates a mathematically related public-private key pair: a private key, kept secret for signing and decrypting data, and a public key, shared for verification and encryption.  
  2. The server then sends a Certificate-Signing-Request to a CA (Certificate Authority), which issues a digitally signed credential to the server, known as a certificate. This certificate contains: 
Advertisment
    • Certificate Metadata (Issuance and Expiration information)
    • Certificate Owner Information (Domain name and/or Subdomains etc)
    • Server’s Public key 
    • Digital Signature of the Certificate Authority (using CA’s private key)

           The most known format of these certificates is X.509

  1. These TLS certificates are then installed on the server to be delivered as a response to the 'hello' sent by the browser above.

Step 2: Server RespondsEquipped with digital credentials, the server responds by sending the certificate back to the client.

Step 3: Identity Verification The browser verifies the certificate using the relevant cryptographic suites, extracting the server's public key in the process. Since the browser trusts the CA that issued the certificate, it transitively trusts the server's identity extracted from the certificate.

Step 4: Establish Session With the successful verification of the server’s identity, the browser establishes trust in the server and generates a session key, which is encrypted with the server’s public key (from the certificate) and sends it back. The server, using its private key, decrypts the session key. Now both client and server have a shared key for Symmetric Encryption.

Step 5: Padlock of Security Both parties confirm the handshake's completion, and the browser displays the padlock of security to the user. The browser has now successfully authenticated the server on the user's behalf, establishing trust with the website without relying on passwords. The user sees 'Connection is secure' and 'Certificate is valid', ensuring secure digital interaction.

Part 2: Server Authenticates Client – Passwords and OTPs & Push Notifications

Shifting focus to the server in the client-server model, it is time to discuss reverse authentication, where the server needs to identify the users interacting with its platform. There are several reasons why a website would want to authenticate its clients (users).

First and foremost, they need to figure out the level of trust in your transaction. For instance, on a subscription-based blogging platform, authenticating the user determines content accessibility. Guest users may access basic content, while exclusive content behind a paywall requires valid membership.

Moreover, before transacting with a user, knowing certain details such as geography or age becomes crucial. Picture a scenario in e-commerce where a user browses your website for hours to assemble a cart to order, giving you the business you are looking for. Only to find out during checkout that their country is not a shippable zone for those products.

Now that we have established its need, let's understand what reverse authentication entails.

Step 1: Server says Sign-In Drawing reference from what we saw earlier; the server at this step expects the client to identify itself.

Before seeking parity here, we should dispel the myth that the server's way of authenticating its users is not at all similar to what we saw earlier. The unfortunate reliance on passwords is a reality in the context of authentication. To be precise, as a platform owner, there is a range of authentication protocols available for you to choose from to authenticate your users.

Affinidi

The most extensively selected protocol to date is Passwords, even though 80% of data breaches are associated with passwords, and in the last five years alone, 39% of digital users have had their passwords compromised (Forbes).

Platforms offer login accounts to the digital user (client), which are then 'secured' using a password. This random string of characters must be managed and secured by the average digital user, who then presents the password to the server to be identified and authenticated.

Apart from this evident vulnerability, another major drawback of this approach is the server platform's obligation to safeguard user data, due to data regulation and compliance laws. A data breach, in its simplest form, is the platform’s inability to keep user records safe, representing both a legal nightmare and a business catastrophe.

Multi-Factor Authentication to The Rescue: Password ++  

To bolster security, additional factors of authentication such as OTPs, magic links, authenticator apps, or push notifications can be incorporated. However, the effectiveness of these measures depends on the phishing resistance of these factors. For instance, users can be misled into providing a one-time code through dynamic interactions in phishing attacks.

Fortunately, there are phishing-resistant approaches to MFA that can defend against some common attacks. For instance, WebAuthn was developed as part of the FIDO Alliance’s FIDO2 standard, which is an open standard based on public key cryptography. Such standards are gaining momentum due to their underlying cryptographic foundations. However, reliance on platform authenticators such as MacOS Touch ID or Windows Hello can be a source of friction. The lack of verifiable attestation also limits server-side verification during the authentication process. 

Learnings so Far

We explored how the authentication of a server by the browser contrasts with the reverse process. Cryptography, along with machine-readable and identity-attesting verifiable digital credentials that enable server authentication during the TLS handshake, are absent from end-user authentication, which extensively relies on weaker and more vulnerable mechanisms like passwords.

Working Backwards from The Solution

Consider a scenario where users are empowered with the missing piece that created the contrast. That is, users can own, manage, and present digital credentials that are identity-attesting and cryptographically verifiable.

To be authenticated and establish trust in a digital transaction, the user would act as their own identity provider, and authentication in this decentralised identity model would involve cryptographic verification of these digital identity credentials.

Affinidi

Step 1: Server says Sign-In: The server shares the authentication requirements with the user based on the context. For instance, would verifying the user's email be sufficient, or is proof of humanity also required to authenticate the user?

Step 2: Client Responds: The client, that is, the user now operating within the paradigm of a decentralised identity model, presents cryptographic credentials to the server, digitally signed by the user (through the user’s private key).

Step 3: Identity Verification: The server verifies the client's identity as attested in these digital credentials to authenticate and onboard the user to its platform.

In Conclusion

The simple assumption that a digital user can hold, share, and manage their identity credentials is represented by the Decentralised Identity Model. Authentication based on this identity paradigm reflects similarities to the gold standard of authentication, i.e. Public Key Infrastructure.

Affinidi believes that when data ownership is fundamentally changed by empowering end-users with Holistic Identity Management of their data, and when platforms and developers are enabled to harness the power of decentralised identity, then trust, security, and transparency in digital transactions are no longer mere assumptions.

This is made possible with open-source advancements that enable users to manage their digital credentials effectively. The Affinidi Trust Network, a suite of developer products to build privacy-first applications is bringing a paradigm shift in digital identity ownership and data security.

Advertisment