Authentication: Is he who he says he is?

From YWAMKnowledgeBase

Authentication is originally a computer science term for the login process. However, we will transfer this principle to writing and receiving emails. After that you will be ready to make up your own real-world examples.

The Problem

An Internet connection is always a remote connection. Who can tell who the person at the other end of the line actually is? We can ask him, but how can he prove that he is not lying? We can't check his handwriting, nor can we hear his voice. (Read this Real-World Example.)

Possible Solutions

Normally, this problem is solved by checking a shared secret, e.g. a password. The disadvantage of this simple solution is that once the secret has been overheard by a third person, it is no longer secret (and therefore no longer reliable).

A second approach would be a private/public key pair, so that you can prove you hold a secret private key without ever showing it to the public. This, however, is technically difficult to implement and install.

Another possibility is a challenge-response protocol: the Questioner (the one who wants to make sure he is talking to the right partner) asks a different question at every connection, and the Client (the one that has a request for the Questioner) responds in a way whose truthfulness the Questioner can check.
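To make the difference between the first and the third solution concrete, here is an added example (not part of the original article) written in Python. It contrasts a plain shared-secret check, where the secret itself travels over the line, with a challenge-response exchange built on HMAC over a fresh random challenge. The shared secret, the function names and the two-session scenario are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret that both the Questioner and the Client hold.
SHARED_SECRET = b"correct horse battery staple"


def password_login(submitted: bytes, stored: bytes) -> bool:
    """Solution 1: a plain shared-secret check. The secret itself is sent."""
    return hmac.compare_digest(submitted, stored)


def make_challenge() -> bytes:
    """Questioner side: a fresh, unpredictable question for this connection."""
    return secrets.token_bytes(16)


def answer_challenge(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def check_answer(secret: bytes, challenge: bytes, answer: bytes) -> bool:
    """Questioner side: recompute the expected answer, compare in constant time."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, answer)


def replay_demo() -> tuple[bool, bool, bool]:
    """Two sessions, with an eavesdropper recording everything on the line.

    Returns (first session accepted, replayed answer accepted in a later
    session, overheard plain password accepted later).
    """
    # Session 1: the Questioner asks, the Client answers, the Questioner checks.
    challenge_1 = make_challenge()
    answer_1 = answer_challenge(SHARED_SECRET, challenge_1)
    session_1_ok = check_answer(SHARED_SECRET, challenge_1, answer_1)

    # Session 2: a different question is asked, so the recorded answer no
    # longer fits. This is the whole point of changing the question each time.
    challenge_2 = make_challenge()
    replay_ok = check_answer(SHARED_SECRET, challenge_2, answer_1)

    # Compare with the plain password: what was overheard once works forever.
    overheard_password = SHARED_SECRET
    password_replay_ok = password_login(overheard_password, SHARED_SECRET)

    return session_1_ok, replay_ok, password_replay_ok


if __name__ == "__main__":
    first_ok, replayed_ok, password_ok = replay_demo()
    print("challenge-response, genuine session accepted:", first_ok)
    print("challenge-response, recorded answer reused:  ", replayed_ok)
    print("plain password, overheard secret reused:     ", password_ok)
```

Note that the challenge-response variant still relies on a shared secret; what it removes is the need to send that secret over the line, so a listener learns only an answer that is tied to one question and is useless for the next one. Replacing the HMAC with a digital signature from a private key is the public-key variant mentioned above.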

The Problem: Email Example

Let's say, you get the following email:

From: Kevin Lacoste <kevinlacoste@gooogle.com>
Subject: my secret casino strategy

Hey, I will tell you a secret tip. This way, you can always win. 
[...]
The big casinos already know this tip, so you will need a little one, like this one. 

It is rather obvious that this is a fake. First, you don't know a Kevin Lacoste; second, if there were a you-always-win strategy in casinos, they would forbid it. Third, gooogle.com is not google.com. Most likely it is advertising for this particular casino program.

However, what if you get this mail:

From: Loren Cunningham <loren.cunningham@ywam.org>
Subject: hey

Hi [Your Name],

I have a strong sense that you should leave YWAM soon. Please pray about it.

Yours,
Loren

This email is much more likely to be taken seriously. You may be suspicious, but hey, it was sent by Loren Cunningham! Well, not necessarily.

It is not difficult to send an email with a different From header. After all, the From field is filled in by the sender, not by the server that delivers the mail. An email is like a postcard, except that you can't even check the handwriting, the stamp or the postmark.

Possible Solutions: Email Example

How can you make sure it was really from him? Some ideas:

  • You could give him a call ...
  • Ask for confirmation ("Is That Really You, Loren?"). It is more difficult to receive emails for another address than to send them under another name.
  • Ask for insider knowledge. E.g., where did you meet the last time?
  • The best solution would be to write only encrypted emails. That takes some time to set up, but if you have to communicate important (and maybe confidential) information over and over again, it should be worth it.

Conclusion

The Loren example shows that the most important thing is to keep calm ("Don't Panic!"). You don't have to decide within a second whether it is fake or not.

And then consider: even if it was Loren Cunningham, would he have the authority to make you leave? Without answering this question, I just want to make clear that it is a totally different question. It is not "Is he who he says he is?" (Authentication), but "Now that I know who he is, what rights does he have?" (Authorization).