November-December 2003 (Vol. 1, No. 6)   pp. 20-26
Email-Based Identification and Authentication: An Alternative to PKI?


DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1253564

Abstract
Email-Based Identification and Authentication (EBIA) is an emerging alternative to Public Key Infrastructure (PKI). Although EBIA has obvious weaknesses, it can still provide functional security when used within a limited context. This article presents background on personal identifiers and authentication techniques, shows why the misuse of the Social Security Number (SSN) as an authenticator has led in part to the emergence of identity theft, argues why EBIA overcomes many of the problems inherent in the use of SSNs without imposing the cost or usability burden associated with PKI, and presents best practices for using EBIA in a business or government context.
Additional Information
Index Terms: EBIA, PKI, Email Security, Identity Theft, Social Security Numbers (SSNs)

Citation: Simson L. Garfinkel, "Email-Based Identification and Authentication: An Alternative to PKI?," IEEE Security and Privacy, vol. 01, no. 6, pp. 20-26, November-December, 2003
