
Authentication

Overview of Authentication systems

IT352 | Network Security | Najwa AlGhamdi

Approaches for Message Authentication

• Authentication is the process of reliably verifying the identity of someone.

• Authentication schemes:

1. Password-based authentication.

2. Address-based authentication.

3. Cryptographic authentication.

Password-Based Authentication

• A password is a secret quantity that you state to prove you know it.

• The big problem with this authentication scheme is eavesdropping.

– An example:

• Some older cell phones transmit the (telephone number + password) when making a call.

• If the password corresponds to the telephone number, the phone company lets the call go through and bills the caller.

• The problem: anyone can eavesdrop on the cell phone's transmission and clone such a phone.

Figure: Alice → Bob: "I'm Alice, the password is 'abc'"

Password-Based Authentication | Off-line vs. on-line password guessing

1. On-line attack

– One way of guessing passwords is simply to type them at the system that is going to verify the password.

– To prevent this, the system can make it impossible to guess too many passwords.

– Example: the ATM eats your card after 3 incorrect passwords.

2. Off-line attack (dictionary attack)

– An intruder can capture a quantity X that is derived from a password in a known way, then apply brute force (trying candidate passwords against X) to guess the password.

Password-Based Authentication | Storing user passwords

• Passwords are stored in one of the following forms:

1. The user's authentication information is individually configured into every server that the user will use.

2. Authentication storage node: stores user information; servers retrieve that information when they want to authenticate the user.

3. Authentication facilitator node: stores the user's information.

• A server that wants to authenticate a user sends the information received from that user to the authentication facilitator node.

• This node does the authentication and tells the server yes or no.

Password-Based Authentication | Storing user passwords

• In (2) and (3) it is important that the server authenticates the storage node or the facilitator node.

• It is undesirable to have a database of unencrypted passwords.

– Someone could capture the database by breaking into the database node.

• Alternatives:

1. Store hashes of the passwords.

– UNIX and VMS do that.

2. Encrypt the stored passwords, so that the server decrypts a given password when needed.

– Encryption is done with the node's key.

3. Hybrid: it is possible to combine both techniques by encrypting a database of hashed passwords.
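The two defences the last three slides describe (storing only hashes of passwords rather than the passwords themselves, and limiting on-line guessing the way the ATM does) can be shown together. The following is an added example and is not code from the lecture: it stores a random per-user salt plus a slow PBKDF2 hash, compares hashes in constant time, and locks an account after three consecutive failures. The user names, passwords and the iteration count are constructed values for the illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration. A deployment would take the
# iteration count from current guidance and prefer a memory-hard hash.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 3   # the slide's "ATM eats your card after 3 wrong passwords" rule


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash. The salt defeats precomputed tables; the iteration
    count makes every off-line guess against a stolen hash expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Keeps only (salt, hash) per user, so a copy of the table does not
    directly reveal any password, unlike a table of cleartext passwords."""

    def __init__(self):
        self._records = {}    # username -> (salt, hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._locked = set()

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, hash_password(password, salt))
        self._failures[username] = 0

    def verify(self, username: str, password: str) -> bool:
        """Check one login attempt; locks the account after MAX_FAILED_ATTEMPTS
        consecutive failures, which caps on-line guessing."""
        if username in self._locked:
            return False
        record = self._records.get(username)
        if record is None:
            # Unknown user: hash anyway so timing does not reveal which
            # accounts exist, then reject.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            self._failures[username] = 0
            return True
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            self._locked.add(username)
        return False

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def stored_record(self, username: str):
        """Expose what actually sits on disk: a salt and a hash, no password."""
        return self._records[username]


def demo():
    """Three wrong guesses lock the account; the right password no longer helps."""
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")   # constructed sample
    guesses = [store.verify("alice", g) for g in ("guess1", "guess2", "guess3")]
    return {
        "failed": guesses,
        "locked": store.is_locked("alice"),
        "right_password_after_lock": store.verify("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The stored record is the "quantity X derived from the password in a known way" from the off-line attack slide; salting and the iteration count are what make guessing against it slow, while the lockout is what makes on-line guessing impractical.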

Address-Based Authentication

• The identity of the source can be inferred from the network address from which the packet arrives.

• Each computer stores information specifying which accounts on other computers should have access to its resources.

• Example: account name Smith, on the machine that has network address N, is allowed to access computer C.

• If a request arrives from address N on behalf of Smith, then C will honor the request.

Address-Based Authentication | Account mapping scheme

1. Machine B might have a list of network addresses of equivalent machines.

• If machine A is listed, then any account name on A is equivalent to the same account name on B.

• The problem is that users have to have identical account names on all systems.

Figure: equivalent machines B and A; account John_Smith on B corresponds to John_Smith on A.

Address-Based Authentication | Account mapping scheme

• Unix implements two account mapping schemes.

• The hosts.equiv and .rhosts files list hosts and users that are trusted by the local host when a connection is made.

1. First scheme: a global file /etc/hosts.equiv contains trusted remote hosts.

2. Second scheme: in each user's home directory, a per-user .rhosts file contains host-user <computer, account> pairs.
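To make the two Unix mapping schemes concrete, here is an added example (not code from the lecture, and not the historical rlogind source) that parses hosts.equiv and .rhosts style files and decides whether a remote user on a remote host may act as a given local account. It implements the rule the slides give: a host listed in /etc/hosts.equiv makes same-named accounts equivalent, and a user's .rhosts lists explicit <host, account> pairs. The file contents and host names are constructed samples; the "+" wildcard is the real "trust anyone" token of these files, and the audit function flags it because such entries widen trust to every host or user.

```python
WILDCARD = "+"   # in hosts.equiv/.rhosts, '+' matches any host (or any user)


def parse_trust_file(text: str):
    """Parse 'host' or 'host user' lines; '#' comments and blank lines are
    ignored. Returns a list of (host, user) with user None when absent."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def is_trusted(remote_host: str, remote_user: str, local_user: str,
               hosts_equiv_text: str, rhosts_text: str) -> bool:
    """May remote_user@remote_host act as local_user on this machine?"""
    # Scheme 1: /etc/hosts.equiv lists equivalent hosts. Only host-only
    # entries are considered here, and the account names must be identical,
    # which is exactly the limitation the slide points out.
    for host, user in parse_trust_file(hosts_equiv_text):
        if user is None and host in (remote_host, WILDCARD) and remote_user == local_user:
            return True
    # Scheme 2: ~local_user/.rhosts lists <host, account> pairs; a missing
    # account means "the same name as the local user".
    for host, user in parse_trust_file(rhosts_text):
        wanted_user = user if user is not None else local_user
        if host in (remote_host, WILDCARD) and wanted_user in (remote_user, WILDCARD):
            return True
    return False


def audit(hosts_equiv_text: str, rhosts_text: str):
    """Report wildcard entries, the usual way these files become too permissive."""
    findings = []
    for fname, text in (("hosts.equiv", hosts_equiv_text), (".rhosts", rhosts_text)):
        for host, user in parse_trust_file(text):
            if host == WILDCARD:
                findings.append(f"{fname}: '+' trusts every host")
            elif user == WILDCARD:
                findings.append(f"{fname}: '{host}' entry trusts every user on that host")
    return findings


# Constructed sample files for the illustration.
HOSTS_EQUIV = "# constructed /etc/hosts.equiv\nworkstation-a.example.test\n"
RHOSTS_ALICE = "# constructed ~alice/.rhosts\nbuild.example.test alice\nbuild.example.test jenkins\n"

if __name__ == "__main__":
    print(is_trusted("workstation-a.example.test", "alice", "alice", HOSTS_EQUIV, RHOSTS_ALICE))
    print(is_trusted("build.example.test", "jenkins", "alice", HOSTS_EQUIV, RHOSTS_ALICE))
    print(audit("+\n", "build.example.test +\n"))
```

Whatever these files say, the decision is only as good as the claimed source address: the scheme authenticates the address, not the person, which is why the next slides move on to cryptographic methods.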

3. Cryptographic-Based Authentication

• Much more secure than the previous methods.

• Authentication is done using:

1. Secret key encryption

– Alice and Bob both know the secret key KAB.

– Alice picks a random number (challenge) rA.

– Bob picks a random number (challenge) rB.

Figure (message exchange):
Alice → Bob: rA
Bob → Alice: E(rA, KAB)
Bob → Alice: rB
Alice → Bob: E(rB, KAB)

3. Cryptographic-Based Authentication

2. Public key encryption

– Alice picks r.

– Alice encrypts r using Bob's public key eB.

– Bob decrypts it using his private key dB and sends r back to Alice.

Figure (message exchange):
Alice → Bob: E(r, eB)
Bob → Alice: r = D(E(r, eB), dB)

3. Cryptographic-Based Authentication

3. Hash

– Alice and Bob both know the secret key KAB.

– Alice picks a random number (challenge) rA.

– Bob picks a random number (challenge) rB.

Figure (message exchange):
Alice → Bob: rA
Bob → Alice: H(rA | KAB)
Bob → Alice: rB
Alice → Bob: H(rB | KAB)
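The hash-based mutual authentication above, with both sides' messages, as an added example that is not part of the lecture. It has the same four-message shape as the secret-key variant two slides earlier, with H(r | KAB) in place of E(r, KAB). HMAC-SHA256 is used as the keyed hash H (an assumption; the slide does not name one), the shared key is constructed at random for the run, and each side checks the other's answer in constant time before continuing.

```python
import hashlib
import hmac
import secrets


def keyed_hash(challenge: bytes, key: bytes) -> bytes:
    """H(r | KAB) from the slide, realised as HMAC-SHA256 over the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str, shared_key: bytes):
        self.name = name
        self.key = shared_key
        self.my_challenge = None

    def new_challenge(self) -> bytes:
        """Fresh random nonce; reusing one would let an old answer be replayed."""
        self.my_challenge = secrets.token_bytes(16)
        return self.my_challenge

    def answer(self, peer_challenge: bytes) -> bytes:
        return keyed_hash(peer_challenge, self.key)

    def check(self, response: bytes) -> bool:
        expected = keyed_hash(self.my_challenge, self.key)
        return hmac.compare_digest(response, expected)


def mutual_authenticate(alice: Party, bob: Party):
    """Run the exchange; returns (alice_accepts_bob, bob_accepts_alice)."""
    r_a = alice.new_challenge()          # Alice -> Bob: rA
    resp_a = bob.answer(r_a)             # Bob -> Alice: H(rA | KAB)
    if not alice.check(resp_a):
        return (False, False)            # Alice stops here; Bob never verifies Alice
    r_b = bob.new_challenge()            # Bob -> Alice: rB
    resp_b = alice.answer(r_b)           # Alice -> Bob: H(rB | KAB)
    return (True, bob.check(resp_b))


def demo():
    """Same key on both sides succeeds; a party with a different key fails."""
    k_ab = secrets.token_bytes(32)                       # constructed shared key KAB
    good = mutual_authenticate(Party("Alice", k_ab), Party("Bob", k_ab))
    bad = mutual_authenticate(Party("Alice", k_ab), Party("Mallory", secrets.token_bytes(32)))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The key never crosses the wire; only challenges and keyed hashes do, so an eavesdropper who records the exchange learns nothing that lets them answer a fresh challenge, which is the improvement over the password scheme on the earlier slides.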

Trusted Intermediaries

• If the network is fairly large (n nodes), then each computer needs to know (n-1) keys.

• Help is needed:

1. Key Distribution Center (KDC)

• A trusted node that knows the keys of all nodes.

• If a new node is added, then the KDC needs to be configured with a key for that node.

2. Certification Authorities (CAs)

• A trusted node that generates certificates: signed messages specifying a sender and their public key.


Trusted Intermediaries

• Certification Authorities (CAs)

• Create a token (message) containing:

– Identity of the principal (here, Alice)

– Corresponding public key

– Timestamp (when issued)

– Other information (perhaps identity of signer)

signed by the trusted authority (here, Cathy):

CA = { eA || Alice || T } dC

X.509 Certificates

Fields of an X.509 certificate (everything from Version through Extensions is what the CA digitally signs):

– Version

– Serial number

– Signature algorithm ID

– Issuer

– Validity period

– Subject

– Subject public key

– Issuer unique ID (optional)

– Subject unique ID (optional)

– Extensions (optional)

– CA digital signature