[Owasp-ireland] Question about identity over two systems

Peter McEvoy peter.m.mcevoy at gmail.com
Tue May 12 12:31:16 EDT 2009

Hi guys,
I'm really not sure if this is an approriate list to ask implmentation
questions on, but trawling the archives the traffic has been varied, so I'll
chance my arm and if anyone can point me to a more appropriate list...

I'm looking for a technique that will allow an application A1 to create user
transactions in another application A2, _without sharing any identifying


1) Application A1 stores information for a set of user entities.  User u1 is
identitifed by i1

2) A1 wants to create a transaction in application A2 for application user
u1, but MUST NOT share any identifying information with A2 (due to data
protection act).  A2 cannot store any identifying information, likewise due
to DPA.

3) Application User u1 needs to identify and authenticate herself to A2 so
that she can query transactions that are hers

4) Support user u2 wants to query A2 and list transactions of u1.  The
support user will know i1 (or be able to request it from the user - but not
any secret information).

I have identified one solution using hashes:
- Calculate hash i1, and use that as an identifier in all transactions.
Call this H(i1).
- u1 can submit (i1, password) to the application A2. A2 calculates H(i1)
(but does not store i1) and that is used to query transactions. Password is
used to authenticate
- After having authenticated to A2 using (i2, supportPassword), u2 can
submit i1 to A2, H(i1) is calculated and used in query.

I _think_ this approach is sound, but would like confirmation from you guys!

One identified issue, is that the space of identifiers i1 is well known and
finite (10^7 combinations).  It could be possible to generate a lookup table
of all identifiers, and their corresponding hashes.  The only way I can see
a way around this, is by salting the hash with a PIN that is stored in A1,
communicated to the user via A1 and is part of the identifying information
used to calculate the hash.  But then, how do I provide support user access
to the records in A2  (as the support user cannot know the PIN)?

Here's hoping someone can point me in the right direction!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-ireland/attachments/20090512/c83d2c0f/attachment.html 

More information about the Owasp-ireland mailing list