Zero-knowledge keys

In IEEE P1363.2, the term zero-knowledge password proof (ZKPP) describes a protocol in which one party (the prover) convinces another party (the verifier) that it knows a password, without revealing the password itself to the verifier. Such schemes are designed primarily to defeat dictionary attacks: an attacker who records the exchange, or who impersonates one side without knowing the password, obtains nothing that lets candidate passwords be tested offline. The concept of zero-knowledge keys is the same idea applied to secrets in general, not only to passwords.

The concept of proving the knowledge of an assertion without revealing any information about the assertion itself offers benefits over existing options such as shared key and public key cryptography.

In shared key cryptography, the two parties agree on a common secret before they begin communicating. As discussed in the Password-based authentication section, this approach is vulnerable to eavesdropping, spoofing, and dictionary attacks. In public key cryptography, each party holds a key pair: the public key is published, and the private key is kept secret by its owner and used only to decrypt or to sign. The strength of the public key approach rests on the computational difficulty of deriving the private key from the public key.

In zero-knowledge cryptography, the prover demonstrates its knowledge of the secret to the authenticator (the verifier) without revealing the secret at any point in the exchange. The verifier issues challenges to confirm that the prover really knows the secret, but neither the verifier nor any third party learns anything about the secret beyond the fact that the prover knows it. As long as the protocol messages are handled securely, an eavesdropper can neither learn anything about the secret nor convince any party that they know it; in particular, replaying a recorded exchange fails because the verifier picks a fresh, unpredictable challenge each time. A good zero-knowledge protocol should also be resilient against a malicious man-in-the-middle who tries to send, modify, or destroy messages (SANS-1).
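The three-move exchange described above (commitment, challenge, response), as an added worked example that is not part of the book: a Schnorr identification run, which is a zero-knowledge proof of knowledge of a discrete logarithm and the building block behind the ZKPP schemes mentioned earlier. The prover's secret x is its zero-knowledge key; only the public value y = g^x is ever shared. The group parameters p, q and g are deliberately tiny so the arithmetic is readable (a deployment would use a 2048-bit safe-prime group such as the RFC 3526 MODP groups, or an elliptic-curve group), and every function name is illustrative rather than taken from any product or library. The block also shows the two properties the paragraph claims: a replayed transcript fails against a fresh challenge, and an accepting transcript can be simulated by someone who does not know x, which is why a transcript leaks nothing about it.

```python
"""Schnorr identification: a zero-knowledge proof of knowledge of x in y = g^x.

Added example, not the book's code.  Toy parameters (p = 1019, q = 509, g = 4,
with p = 2q + 1 and g of order q) keep the numbers readable; use a 2048-bit
safe-prime group or an elliptic curve in practice.  Names are illustrative.
"""
import secrets

P, Q, G = 1019, 509, 4   # toy group: p = 2q + 1, g = 2^2 has order q mod p


def check_params():
    """Sanity checks a verifier should run on published group parameters."""
    assert P == 2 * Q + 1, "p must be a safe prime 2q + 1"
    assert G != 1 and pow(G, Q, P) == 1, "g must generate the order-q subgroup"
    return True


def keygen():
    """Prover's long-term secret x and its public zero-knowledge key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1   # 1 <= x < q, so y has order q
    return x, pow(G, x, P)


def prover_commit():
    """Move 1 (prover -> verifier): fresh nonce r and commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2 (verifier -> prover): an unpredictable challenge c in [0, q)."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Move 3 (prover -> verifier): s = r + c*x mod q.  x itself never leaves."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y):
    """One honest run.  Returns (accepted, transcript) so the transcript can be
    reused to demonstrate the replay and simulation arguments below."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s), (t, c, s)


def replay_attack(y, transcript):
    """An eavesdropper replays a recorded (t, s) against a verifier that issues
    a fresh challenge.  The replay only works if the new challenge equals the
    old one (probability 1/q); a different challenge is forced here so the
    failure is deterministic, since y^(c_new - c_old) != 1 when y has order q."""
    t, c_old, s = transcript
    c_new = verifier_challenge()
    while c_new == c_old:
        c_new = verifier_challenge()
    return verify(y, t, c_new, s)


def simulate_transcript(y):
    """Why the verifier learns nothing: without x, pick c and s first and solve
    for t = g^s * y^(-c).  The result verifies and is distributed exactly like a
    real transcript, so transcripts carry no information about x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    y_to_minus_c = pow(pow(y, c, P), -1, P)   # modular inverse, Python 3.8+
    t = (pow(G, s, P) * y_to_minus_c) % P
    return t, c, s


if __name__ == "__main__":
    check_params()
    x, y = keygen()
    accepted, transcript = run_protocol(x, y)
    print("honest run accepted:", accepted)
    print("replay against fresh challenge accepted:", replay_attack(y, transcript))
    t, c, s = simulate_transcript(y)
    print("simulated transcript (made without x) verifies:", verify(y, t, c, s))
```

Two caveats a practitioner should keep in mind. The simulator demonstrates honest-verifier zero knowledge: it shows what a verifier who follows the protocol can and cannot learn; protecting against a verifier that chooses challenges adversarially, and against the man-in-the-middle mentioned above, is the job of the surrounding protocol (binding the proof to the session and to the verifier's identity). And the challenge must come from a cryptographically strong source; a predictable or repeated c is exactly what makes a recorded transcript replayable.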

The scalability and cryptographic strength of zero-knowledge keys make them relevant to IIoT IAM. The approach is particularly attractive for mutual authentication and for the key-exchange step of a cryptographic protocol.

Some IIoT identity vendors already offer zero-knowledge key-based authentication services, in which an IoT device uses its zero-knowledge key as proof of identity without the authentication service ever learning the actual value of the key.

When adopting zero-knowledge key-based authentication, evaluate the complexity of the infrastructure that provides the service, its resource requirements (which matter on constrained devices), ease of maintenance, and cost-effectiveness.
