Information and network security 47 authentication applications
- 1. Information and Network Security:47 Authentication Applications Prof Neeraj Bhargava Vaibhav Khanna Department of Computer Science School of Engineering and Systems Sciences Maharshi Dayanand Saraswati University Ajmer
- 2. User Authentication fundamental security building block basis of access control & user accountability is the process of verifying an identity claimed by or for a system entity has two steps: identification - specify identifier verification - bind entity (person) and identifier distinct from message authentication
- 3. User Authentication • User authentication is the basis for most types of access control and for user accountability. • RFC 2828 defines user authentication as the process of verifying an identity claimed by or for a system entity. • An authentication process consists of two steps: • Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.) • Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.” • In essence, identification is the means by which a user provides a claimed identity to the system; user authentication is the means of establishing the validity of the claim.
- 4. Means of User Authentication four means of authenticating user's identity based one something the individual knows - e.g. password, PIN possesses - e.g. key, token, smartcard is (static biometrics) - e.g. fingerprint, retina does (dynamic biometrics) - e.g. voice, sign can use alone or combined all can provide user authentication all have issues
- 5. Means of User Authentication • There are four general means of authenticating a user's identity, which can be used alone or in combination: • • Something the individual knows: Examples includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. • • Something the individual possesses: Examples include electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token. • • Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face. • • Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
- 6. Means of User Authentication • All of these methods, properly implemented and used, can provide secure user authentication. • However, each method has problems. • An adversary may be able to guess or steal a password. Similarly, an adversary may be able to forge or steal a token. • A user may forget a password or lose a token. • Further, there is a significant administrative overhead for managing password and token information on systems and securing such information on systems. • With respect to biometric authenticators, there are a variety of problems, including dealing with false positives and false negatives, user acceptance, cost, and convenience.
- 7. Authentication Protocols • used to convince parties of each others identity and to exchange session keys • may be one-way or mutual • key issues are • confidentiality – to protect session keys • timeliness – to prevent replay attacks
- 8. Replay Attacks • where a valid signed message is copied and later resent • simple replay • repetition that can be logged • repetition that cannot be detected • backward replay without modification • countermeasures include • use of sequence numbers (generally impractical) • timestamps (needs synchronized clocks) • challenge/response (using unique nonce)
- 9. Replay Attacks • Replay Attacks are where a valid signed message is copied and later resent. Such replays, at worst, could allow an opponent to compromise a session key or successfully impersonate another party. • At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not • Possible countermeasures include the use of: • • sequence numbers (generally impractical since must remember last number used with every communicating party) • • timestamps (needs synchronized clocks amongst all parties involved, which can be problematic) • • challenge/response (using unique, random, unpredictable nonce, but not suitable for connectionless applications because of handshake overhead)
- 10. One-Way Authentication • required when sender & receiver are not in communications at same time (eg. email) • have header in clear so can be delivered by email system • may want contents of body protected & sender authenticated
- 11. One-Way Authentication • One application for which encryption is growing in popularity is electronic mail (e-mail). • The very nature of electronic mail, and its chief benefit, is that it is not necessary for the sender and receiver to be online at the same time. • Instead, the e-mail message is forwarded to the receiver’s electronic mailbox, where it is buffered until the receiver is available to read it. • The "envelope" or header of the e-mail message must be in the clear, so that the message can be handled by the store-and-forward e-mail protocol, such as the Simple Mail Transfer Protocol (SMTP) or X.400.
- 12. One-Way Authentication • However, it is often desirable that the mail-handling protocol not require access to the plaintext form of the message, because that would require trusting the mail- handling mechanism. • Accordingly, the e-mail message should be encrypted such that the mail- handling system is not in possession of the decryption key. • A second requirement is that of authentication. • Typically, the recipient wants some assurance that the message is from the alleged sender.
- 13. Using Symmetric Encryption • as discussed previously can use a two-level hierarchy of keys • usually with a trusted Key Distribution Center (KDC) • each party shares own master key with KDC • KDC generates session keys used for connections between parties • master keys used to distribute these to them
- 14. Using Symmetric Encryption • A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment. • Usually involves the use of a trusted key distribution center (KDC). Each party in the network shares a secret master key with the KDC. • The KDC is responsible for generating session keys, and for distributing those keys to the parties involved, using the master keys to protect these session keys.
- 15. Assignment • What is user authentication? What are the means of user authentication • Explain Replay Attacks and One-Way Authentication.