Yukio Tsuruoka

Certificate-less user authentication with consent

We introduce a new authentication scheme that is intended to be used on electronic commerce (EC) sites, which do not require strict user authentication but need user identification. That is, the EC sites judge whether a user is the same person who visited the site before. We designed our scheme to be as simple and lightweight as possible, for example, we do not assume the existence of trusted third parties (TTPs), e.g. CAs, which are not necessarily needed to identify users. We noticed that password-based authentication has a property that enables EC sites to confirm that there was an interaction with the user. This can be used to show that the user confirmed some agreement. This confirmation of agreement is sometimes important for EC sites. Our scheme can change how to combine password-based authentication and public-key-based authentication by its authentication policy, such as required security level and necessity of confirmation of agreement.

Trusted-link: web-link enhancement for integrity and trustworthiness

We introduce Trusted-Link, a new framework that assures trust relationships between Web pages. With this framework, users can distinguish trustworthy pages from untrustworthy pages easily. This helps users avoid online fraud such as phishing. The ideas of Trusted-Link are as follows. (1) Add some attributes to a link (e.g. HTML anchor element), such as maximum number of traversable links or set of trusted domains. (2) Determine trust level of linked page based on trust level of current page and attributes of link. (3) Attach digital signature to the link to maintain its integrity. (4) A link has a signature verification key as its attribute to verify a signature in a linked page.In this paper, we explain the trust model of Trusted-Link compared to TLS server authentication using a PKI, and algorithms of Trusted-Link, and then, we give some consideration about its effectiveness.