Authentication Protocols
Rocky K. C. Chang, 18 March 2011

[Figure: secret key functions, hash functions, public key functions; secrecy service, authentication service, message integrity service, nonrepudiation service]

Outline
- Authentication problems
- Network-based authentication
- Password-based authentication
- Cryptographic authentication protocols (challenge and response)
  - Secret key based
  - Public key based
- Needham-Schroeder public-key authentication protocol

The authentication problem
- Authentication:
  - The process of determining whether someone or something is, in fact, who or what it is declared to be.
  - Binding of an identity to a subject.
- Authentication protocols:
  - Key establishment protocols, e.g., authenticated Diffie-Hellman.
  - Entity authentication protocols, e.g., system login, which is the focus of this set of slides.

Information for authentication
- What the entity knows (such as passwords or secret information)
- What the entity has (such as a badge or card)
- What the entity is (such as fingerprints or other biometrics)
- Where the entity is (such as in front of a particular terminal)

The authentication process
The entire process consists of
- Obtaining the required authentication information (e.g., a hashed password)
- Analyzing the data (e.g., compare the received password with the stored password), and
- Determining if it is associated with the principal (e.g., confirmed if they are the same).

Classification of authentication problems
- Authenticated subjects: humans vs machines
- Authentication methods: address-based, password, or cryptographic.
- Between two entities or with the help of at least a trusted third party
- One-way vs mutual authentication

Address-based authentication
- Assume that the identity of the source can be inferred from the (IP or MAC) address of the packet.
- IP source address spoofing
  - Receiving the response is generally tricky.
  - Randomized source address selection
- MAC source address spoofing
  - Many people teach you how to do it.
  - Detecting them in wireless networks
Password-based authentications

Basic password protocols
- Authentication based on what the entity knows.
- U sends her password to S.
- Vulnerability to eavesdropping, stolen password files, and easy-to-guess passwords
- Protection of password files:
  - In UNIX, one of 4,096 hash functions is used to hash a password into an 11-character string.
  - A 2-character string identifying the hash function is prepended to the 11-character string.

Attacks on the basic protocol
- On-line attack
  - When the hash values are not available to an attacker.
  - Defense: maximize the time to guess the password, exponential backoff, disconnection, disabling, and jailing.
- Off-line attack (dictionary attack)
  - Receive a copy of the hash value, and guess the password (at his leisure).
  - Run through a list of likely possibilities, often a list of words from a dictionary
  - Defense: append the password with a random string (salt) and hash the result.
  - E.g.,

    User ID   Salt value   Password hash
    Alice     13579        hash(13579, password-alice)
    Bob       24680        hash(24680, password-Bob)

Problems with passwords
- One fundamental problem with passwords is that they are reusable.
  - An attacker can replay a captured password.
  - Force users to age their passwords?
- An alternative is to authenticate in such a way that the transmitted password changes each time.
  - Let U and S agree on a secret function f.
  - S sends a nonce N (the challenge) to U.
  - U replies with f(N) (the response).
  - S validates f(N) by computing it separately.
- A nonce (timestamp, random number, etc.) is a “number used once”: a non-repeating string freshly chosen by S.

One-time passwords
- A one-time password is a password that is invalidated as soon as it is used.
- The challenge-response mechanism uses one-time passwords.
  - The response is essentially the “password.”
  - Every time the password is different (one-time password).
- For example, U chooses an initial seed k, and the key generator computes
  h(k) = k_1, h(k_1) = k_2, …, h(k_{n-1}) = k_n, where h() is a one-way hash function.
- The passwords, in the order they are used, are p_1 = k_n, p_2 = k_{n-1}, …, p_n = k_1.
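
The hash chain above as an added Python example (not from the original slides). It assumes SHA-256 for h() and a server that holds h(k_n) at enrolment and, after each successful login, replaces its stored value with the password just used; the seed and all names are constructed.

```python
import hashlib
import hmac

def h(x: bytes) -> bytes:
    # One-way hash h(); SHA-256 is an assumption, the slides name no function.
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [k_1, ..., k_n] where k_1 = h(seed) and k_{i+1} = h(k_i)."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain

class Server:
    """Stores one value: the hash that the next password must produce."""
    def __init__(self, anchor: bytes):
        self.expected = anchor          # initially h(k_n) (assumed enrolment step)

    def login(self, otp: bytes) -> bool:
        if not hmac.compare_digest(h(otp), self.expected):
            return False
        self.expected = otp             # the used password is now invalid
        return True

def demo() -> dict:
    chain = make_chain(b"constructed-seed-k", 4)   # constructed sample seed
    p = chain[::-1]                                # p_1 = k_n, ..., p_n = k_1
    server = Server(h(chain[-1]))
    return {
        "first_use": server.login(p[0]),     # p_1 accepted
        "replay": server.login(p[0]),        # captured p_1 replayed: rejected
        "out_of_order": server.login(p[2]),  # p_3 before p_2: rejected
        "next": server.login(p[1]),          # p_2 accepted
        "links": h(p[1]) == p[0],            # each password hashes to its predecessor
    }

if __name__ == "__main__":
    print(demo())
```

An eavesdropper who captures p_1 would have to invert h() to obtain p_2, and the server never stores a value that can be used to log in.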

Two-factor authentication
- Hardware support for challenge-response procedures:
  - A token that responds to a challenge.
  - A temporal based token: displays a different number, e.g., every 60 seconds.
- Two-factor authentication
  - Authentication based on at least two authentication factors.
  - E.g., the token value (what the entity has) and a password (what the entity knows)
Secret key based authentication

A simple, one-way authentication
  1. Alice -> S: I am Alice
  2. S -> Alice: N
  3. Alice -> S: E_K(N, S)
  S verifies E_K(N, S).
- Assume that S is authentic.
- The server and Alice share a secret key K, and N is a nonce.
  - The nonce is to deduce that Alice is live.
  - The inclusion of S’s identity ensures that Alice has the knowledge of S as her entity peer.

A simple, mutual authentication protocol
- Mutual authentication: 2 x one-way authentication.
- Alice and Bob share a secret key K.
  1. Alice (initiator) -> Bob (responder): I am Alice
  2. Bob -> Alice: N_B
  3. Alice -> Bob: E_K(N_B); Bob verifies E_K(N_B)
  4. Alice -> Bob: N_A
  5. Bob -> Alice: E_K(N_A); Alice verifies E_K(N_A)

Reduced to a 3-way protocol
- Besides the reduction in the number of messages, what else is different?
  1. Alice (initiator) -> Bob (responder): I am Alice, N_A
  2. Bob -> Alice: N_B, E_K(N_A); Alice verifies E_K(N_A)
  3. Alice -> Bob: E_K(N_B); Bob verifies E_K(N_B)

A reflection attack by Eve
- Assume that Eve can open multiple simultaneous sessions with Bob.
  1. Eve (initiator) -> Bob (responder): I am Alice, N_E
  2. Bob -> Eve: N_B, E_K(N_E)
  Starting another session:
  3. Eve -> Bob: I am Alice, N_B
  4. Bob -> Eve: N_BB, E_K(N_B)
  Going back to the first session:
  5. Eve -> Bob: E_K(N_B); Bob verifies E_K(N_B)

The key problems and solutions
- The same key is used by the initiator and responder.
  - Have them use different keys (maintain a pair of secret keys between two parties).
- Improve the protocol resistance to attacks involving parallel sessions.
  - Have the initiator and responder draw from different sets of nonces.
  - Have the initiator prove who she is before the responder does.

Will the original 5-way protocol be subject to the reflection attack?
  1. Alice (initiator) -> Bob (responder): I am Alice
  2. Bob -> Alice: N_B
  3. Alice -> Bob: E_K(N_B); Bob verifies E_K(N_B)
  4. Alice -> Bob: N_A
  5. Bob -> Alice: E_K(N_A); Alice verifies E_K(N_A)

Another solution
- The main problem is that the encrypted elements in the second and third messages are the same.
  - Have the responder influence what she encrypts or hashes.
- A possible solution:
  1. Alice (initiator) -> Bob (responder): I am Alice, N_A
  2. Bob -> Alice: N_B, HMAC(K, N_A, N_B, “Alice”, “Bob”); Alice verifies the HMAC
  3. Alice -> Bob: HMAC(K, N_A, N_B); Bob verifies the HMAC
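
The reflection on the 3-way protocol and the HMAC variant above, side by side, as an added Python example (not from the original slides). HMAC-SHA256 stands in for E_K because the standard library has no block cipher and verification by recomputation does not change the reflection; the key, session ids and names are constructed.

```python
import hashlib
import hmac
import os

K = b"constructed-shared-key"  # constructed sample key shared by Alice and Bob

def nonce() -> bytes:
    return os.urandom(16).hex().encode()

def f(*parts: bytes) -> bytes:
    # Keyed function under K; HMAC-SHA256 replaces the slides' E_K(...) (assumption).
    return hmac.new(K, b"|".join(parts), hashlib.sha256).digest()

class Bob:
    """Responder. fixed=False: 3-way protocol; fixed=True: HMAC variant."""
    def __init__(self, fixed: bool):
        self.fixed, self.sessions = fixed, {}

    def hello(self, sid, claimed, n_a):
        # Message 1 in, message 2 out.
        n_b = nonce()
        self.sessions[sid] = (n_a, n_b)
        if self.fixed:
            return n_b, f(n_a, n_b, claimed, b"Bob")
        return n_b, f(n_a)

    def finish(self, sid, proof) -> bool:
        # Message 3 in: accept only the proof expected for this session.
        n_a, n_b = self.sessions.pop(sid)
        expected = f(n_a, n_b) if self.fixed else f(n_b)
        return hmac.compare_digest(proof, expected)

def alice_login(bob: Bob) -> bool:
    # Honest initiator who knows K and checks Bob's proof before answering.
    n_a = nonce()
    n_b, tag = bob.hello("alice-1", b"Alice", n_a)
    want = f(n_a, n_b, b"Alice", b"Bob") if bob.fixed else f(n_a)
    if not hmac.compare_digest(tag, want):
        return False
    return bob.finish("alice-1", f(n_a, n_b) if bob.fixed else f(n_b))

def reflected_login(bob: Bob) -> bool:
    # A party without K: session 2 feeds Bob's own nonce back as the challenge,
    # then Bob's answer is returned to session 1 as the proof.
    n_b1, _ = bob.hello("s1", b"Alice", nonce())
    _, echoed = bob.hello("s2", b"Alice", n_b1)
    return bob.finish("s1", echoed)
```

With `Bob(fixed=False)` the reflected proof is accepted because messages 2 and 3 have the same form; with `Bob(fixed=True)` message 2 covers both nonces and both names, so nothing Bob emits can serve as message 3.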
Public key based authentication

Public-key authentication
- It is very difficult to build a provably secure authentication protocol based on symmetric cryptographic primitives.
- It is not feasible to use secret-key authentication without a trusted third party.
- The secret key has to be placed in both parties.

A simple, one-way authentication
- Alice signs the challenge from S, and N_S, N_A are nonces picked by S and Alice, respectively.
- It is important that Alice influences what she signs.
  1. Alice -> S: I am Alice
  2. S -> Alice: N_S
  3. Alice -> S: N_S, N_A, S, Alice, [N_S, N_A, S]_Alice; S verifies [N_S, N_A, S]_Alice

A simple, mutual authentication
- Each side authenticates the other side by requesting a correct digital signature.
- Another implementation can have the challenger encrypt a nonce.
  1. Alice -> Bob: I am Alice, N_A
  2. Bob -> Alice: N_B, [N_A]_Bob; Alice verifies [N_A]_Bob
  3. Alice -> Bob: [N_B]_Alice; Bob verifies [N_B]_Alice

A pitfall in this simple C-R protocol
- Eve can impersonate Alice by having Alice’s help in signing Bob’s nonce.
  1. Eve -> Bob: I am Alice, N_E
  2. Bob -> Eve: N_B, [N_E]_Bob
  3. Eve -> Alice: I am Bob, N_B
  4. Alice -> Eve: N_A, [N_B]_Alice
  5. Eve -> Bob: [N_B]_Alice; Bob verifies [N_B]_Alice

The main problem is
- The challenged party (Alice) has no influence on what she will sign.
- As a general principle, it is better if both parties have some influence over the quantity signed.
  - Otherwise, the challenger can abuse this protocol to get a signature on any quantity she chooses.

An improved protocol
- The signer includes her nonce into the message that she is going to sign.
  1. Alice -> Bob: I am Alice, N_A
  2. Bob -> Alice: N_B, N_A, Alice, [N_B, N_A, Alice]_Bob; Alice verifies [N_B, N_A, Alice]_Bob
  3. Alice -> Bob: N_B, N_A, Bob, [N_B, N_A, Bob]_Alice; Bob verifies [N_B, N_A, Bob]_Alice

Needham-Schroeder public-key authentication protocol
- Kerberos is based on the improved Needham-Schroeder public-key authentication protocol.
- The original protocol had security flaws.
- Assume that both A and B have a pair of public and private keys.
  - Denote A's public key by K_a and the private key by K_a^{-1}, and similarly for B.
  - We also write {m}_K for message m encrypted with key K. Moreover, N_a and N_b are nonces generated by A and B, respectively.
  - We have a trusted key server S.

The original protocol was
  a. A -> S: A, B
  b. S -> A: {K_b, B}_{K_s^{-1}}
  c. A -> B: {N_a, A}_{K_b}
  d. B -> S: B, A
  e. S -> B: {K_a, A}_{K_s^{-1}}
  f. B -> A: {N_a, N_b}_{K_a}
  g. A -> B: {N_b}_{K_b}

Eve can impersonate Alice by
  i. (1) A -> E: {N_a, A}_{K_e} (A establishes a normal session with E.)
  ii. (1’) E -> B: {N_a, A}_{K_b} (E attempts to impersonate A when establishing a session with B.)
  iii. (2’) B -> E: {N_a, N_b}_{K_a} (B's response to A intercepted by E.)
  iv. (2) E -> A: {N_a, N_b}_{K_a} (E forwards B's response to A.)
  v. (3) A -> E: {N_b}_{K_e} (A's response to E)
  vi. (3’) E -> B: {N_b}_{K_b} (E's response to B, therefore successfully impersonating A)

A simple fix
- Include B's identity in the response message. That is, the message (f) becomes B -> A: {B, N_a, N_b}_{K_a}.
- Therefore, the message (iii) in the attack becomes B -> E: {B, N_a, N_b}_{K_a}.
- In this case E cannot replay the message and send it to A, because A expects B's identity in the message.
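
Steps i to vi and the fix to message (f), replayed symbolically as an added Python example (not from the original slides). It assumes ideal encryption modelled as a tagged tuple that only the named key owner can open, and it omits the key-server messages (a), (b), (d), (e); all function names are constructed.

```python
import secrets

def enc(owner, *fields):
    # Symbolic {fields}_K_owner: only `owner` can open it (assumed ideal encryption).
    return (owner, fields)

def dec(me, box):
    owner, fields = box
    if owner != me:
        raise PermissionError(f"{me} cannot decrypt a message for {owner}")
    return fields

def responder_reply(me, box, fixed):
    # B handles message (c) and produces message (f).
    n_a, claimed = dec(me, box)
    n_b = secrets.token_hex(8)
    reply = enc(claimed, me, n_a, n_b) if fixed else enc(claimed, n_a, n_b)
    return claimed, n_b, reply

def initiator_check(me, peer, n_a, box, fixed):
    # A handles message (f): returns message (g) for `peer`, or None to abort.
    fields = dec(me, box)
    if fixed:
        sender, *fields = fields
        if sender != peer:
            return None          # identity in (f) is not the party A contacted
    got_na, n_b = fields
    return enc(peer, n_b) if got_na == n_a else None

def relay_run(fixed):
    """Replay steps i-vi: A talks to E, E relays to B. Returns whom B accepts."""
    n_a = secrets.token_hex(8)
    m1 = enc("E", n_a, "A")                          # i.   A -> E
    m1_relayed = enc("B", *dec("E", m1))             # ii.  E -> B
    claimed, n_b, m2 = responder_reply("B", m1_relayed, fixed)  # iii. B -> E
    m3 = initiator_check("A", "E", n_a, m2, fixed)   # iv.  E forwards (f) to A
    if m3 is None:
        return None                                  # A aborted; E never learns N_b
    m3_relayed = enc("B", *dec("E", m3))             # v, vi. A -> E, E -> B
    return claimed if dec("B", m3_relayed) == (n_b,) else None
```

`relay_run(False)` returns "A": B completes a run it attributes to A although A only contacted E. `relay_run(True)` returns None because A sees B's identity in message (f) while expecting E's.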

Conclusions
- Designing a secure and efficient authentication protocol turned out to be more difficult than people thought.
- We have discussed the basic protocols based on password, secret-key, and public-key.
  - We have not addressed the system with a trusted third party yet.
- The result of authentication may also include an agreement of a secret key, i.e., authenticated key exchange (to be addressed later).

Acknowledgments
- The notes are prepared mostly based on
  - C. Kaufman, R. Perlman and M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, 2002.
  - Various articles