Who goes there? Verifying identity online
We are all used to logging into networks where we have a unique identity, verified by the network server and associated with our account for other members of the network to see. Such an identity-based network system is useful because it is relatively simple. However, there are three major drawbacks including loss of anonymity of communicating users, misplaced trust and identity theft.
Researchers at the University of Texas at Austin have devised a new type of network that allows users to be authenticated without relying on unique identities.
Writing in the International Journal of Security and Networks, Mohamed Gouda and colleagues asked themselves how they might get around these three problem areas of conventional networks. How can one design a network without user identities and what does it mean for a user to authenticate another in such a network? They suggest that rather than each user having an identity, a network based on an addressing system associated with an unlimited, user-selected list of pseudonyms can circumvent all the problems of loss of anonymity, identity theft and misplaced trust. The network authority server is then the only party, other than each user that knows their address and which of their pool of pseudonyms is associated with the address at any given time.
"The problem of anonymous communication over a network is an old and respected problem, and has inspired a considerable amount of research," the researchers explain. Papers dating back to at least 1981 have attempted to address this issue. Anonymized email based on encryption and the layered connection approach of the Tor protocol, and Onion routing, have been used successfully over the last couple of decades. However, all of these approaches have scaling problems that limit the number of concurrent users without huge investment in network servers to carry the requisite data traffic.
The researchers explain that in their novel network structure users do not have identities. Users are contacted by searching for their pseudonyms, which they change frequently. Authentication is done by the users themselves, not by the certification of a central authority. In this network, as there is no identity, there is no identity theft. "We suggest that this may be a whole new kind of network, distinct from both traditional client-server and reputation-based peer-to-peer networks," the team says.