ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Transcription

1 ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa

2 Introduction Entity Authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant The party that tries to prove the identity of the claimant is called the verifier.

3 Message Authentication vs. Entity Authentication There are two differences between message authentication (data-origin authentication), and entity authentication Message authentication might not happen in real time; entity authentication does. Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.

4 Verification Factor Something you know Password, PIN, etc. Something you have Smart card, mobile phone, etc. Something you are Fingerprint, Iris, etc.

5 Passwords The simplest and oldest method of entity authentication is the password-based authentication, where the password is something that the claimant knows. Two types: Fixed password One-time password

6 Fixed Password Possible Attacks Eavesdropping Stealing a password Accessing a password file guessing

7 Fixed Password Dictionary attack Create a list of password, calculate the hash value, and search the second-column entries to find a match.

8 Fixed Password When the password is created, a random string, called the salt, is concatenated to the password. The salted password is then hashed. The Unix OS uses a variation of this method.

9 Fixed Password Two-factor authentication: Use of an ATM card (something you have) with a PIN (something you know). Use of an fingerprint (something you are) with a PIN (something you know). Use of an smartphone (something you have) with a fingerprint (something you are).

10 One-Time Password A one-time password is a password that is used only once. There are several approaches: The user and the system agree upon a list of passwords and use each password once The user and the system agree to sequentially update the password. The user and the system create a sequentially updated password using a hash function.

11 One-Time Password Alice and Bob agree upon an original password P0 and a counter n. The system stores the identity of Alice, the value of n and the hash.

12 Challenge-Response In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it. Several mechanisms: Using a Symmetric-Key Cipher Using Keyed-Hash Functions Using an Asymmetric-Key Cipher Using Digital Signature

13 Challenge-Response In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier. The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.

14 Using a Symmetric-Key Cipher Nonce Challenge 1. ID of claimant 2. The challenge: RB is the nonce randomly chosen by the Bob to challenge Alice 3. Alice encrypts the nonce using the shared secret key known only to Alice and Bob. Bob decrypts the message. If the nonce obtained from decryption is the same as the one sent by Bob.

15 Using a Symmetric-Key Cipher Timestamp Challenge The challenge message is the current time sent from the verifier to the claimant. The claimant encrypt Alice ID and time with Alice-Bob secret key.

16 Using a Symmetric-Key Cipher Bi-directional 1. Alice ID 2. The challenge from Bob to Alice RB 3. Alice respond and send her challenge RA 4. Bob s response. RA and RB are switched to prevent a replay attack.

17 Using Keyed Hash Functions 1. The challenge message is the current time sent from the verifier to the claimant. 2. The timestamp is sent both as plaintext and as text scrambled by the keyed-hash function. 3. Bob compares his calculation with what he received.

18 Using an Asymmetric-Key Cipher Unidirectional, asymmetric-key 1. Challenge is encrypted with Alice s public key 2. Alice decrypts with her private key and responds

19 Using an Asymmetric-Key Cipher Bidirectional, asymmetric-key

20 Using Digital Signature Unidirectional

21 Using Digital Signature Bidirectional

22 Zero Knowledge Protocol (ZKP) In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret. The verifier accepts or rejects the proof after multiple challenges and responses Probabilistic Proof Protocol Overcomes Problems with Password Based Authentication

23 Properties of ZKP Completeness Succeeds with high probability for a true assertion given an honest verifier and an honest prover. Soundness Fails for any other false assertion, given a dishonest prover and an honest verifier

24 Advantages of ZKP As name Suggests Zero Knowledge Transfer Computational Efficiency No Encryption No Degradation of the protocol Based on problems like discrete logarithms and integer factorization

25 Fiat-Shamir Identification Protocol 3 Message Protocol Alice A, the Prover and Bob B, the Verifier A B: x = r 2 mod n A B: e { 0,1} A B: y = r * s e mod n is y 2 = x * v e? A random modulus n, product of two large prime numbers p and q generated by a trusted party and made public Prover chooses secret s relatively prime to n Prover computes v = s 2 mod n, where v is the public key

26 Fiat-Shamir Identification Protocol Alice chooses a random number r (1 r n-1) Sends to Bob x = r 2 mod n (commitment) Bob randomly sends either a 0 or a 1 ( e { 0,1}) as his challenge Depending on the challenge from Bob, Alice computes the response as y = r if e = 0 or y = r*s mod n Bob accepts the response upon checking y 2 x * v e mod n

27 Fiat-Shamir Identification Protocol

28 Fiat-Shamir Identification Protocol After many iterations, with a very high probability Bob can verify Alice s identity Alice s response does not reveal the secret s (with y = r or y = r* s mod n) An intruder can prove Alice s identity without knowing the secret, if he knows Bob s challenge in advance: Generate random r If expected challenge is 1, send x = r 2 /v mod n as commitment, and y = r as response If expected challenge is 0, send x = r mod n as commitment Probability that any Intruder impersonating the prover can send the right response is only ½ Probability reduced as iterations are increased Important - Alice should not repeat r

29 Cave Example The door can only be opened with a magic word. Alice claims that she knows the word and that she can open the door. Bob and Alice are at pint 1. Alice enters eh case and reaches the point Alice chooses to go either right or left. After Alice disappears, Bob comes to point 2 and asks Alice to come up from either the right or left. 2. if Alice knows the magic word, she will come up from the right direction. If she does not know the word, she comes up from the right direction with ½ probability. 3. The game will be repeated many times.

30 Feige-Fiat-Shamir Protocol Alice A, the Prover and Bob B, the Verifier A random modulus n, product of two large prime numbers p and q generated by a trusted party and made public Prover chooses k secrets s 1, s 2,, s k relatively prime to n Prover computes k different numbers, v 1, v 2,, v k such that v i = s i 2 mod n, where v i is the public key and s i is the private key

31 Feige-Fiat-Shamir Protocol Alice chooses a random number r (1 r n-1) Sends to Bob x = r 2 mod n (commitment) Bob randomly sends a random binary string of k-bits, b 1, b 2, b k, as his challenge Depending on the challenge from Bob, Alice computes the response as y = r * (s 1 b1 * s 2 b2 *...* s k bk ) mod n. Bob accepts the response upon checking x = y 2 * (v 1 b1 * v 2 b2 *...* v k bk ) mod n

32 Feige-Fiat-Shamir Protocol

33 Feige-Fiat-Shamir Protocol Repeat this protocol t times, until Bob is convinced that Alice knows s 1, s 2,..., s k. The chance that Eve can fool Bob is 1 in 2 kt. The authors recommend a 1 in 2 20 chance of Eve fooling Bob and suggest that k = 5 and t = 4. The value of k and t can be increased for higher security

34 Guillou-Quisquater Protocol

35 BIOMETRICS Biometrics is the measurement of physiological or behavioral features that identify a person Biometrics measures features that cannot be guessed, stolen, or shared. Components Enrollment Authentication Techniques Accuracy Applications

36 Components Several components are needed for biometrics: Capturing devices, Processors, and storage devices.

37 Enrollment Before using any biometric techniques for authentication, the corresponding feature of each person in the community must be registered in the database. The registration process is referred to as enrollment.

38 Authentication Two type of scheme: Verification 1-to-1 matching of biometric feature Requires unique ID Identification 1-to-n matching of biometric feature Used to identify unknown entity Very expensive operation

39 Technique

40 Accuracy Varies from scheme to scheme Fingerprint is now very standardized Example: WSQ format Face recognition is available in smartphone! Cost varies based on scheme Accuracy still not 100%

41 Applications Attendance Banking Access Control Law Enforcement Mobile Phone Registration