Authentication
Overview of Authentication systems
Approaches for Message Authentication
Authentication is the process of reliably verifying the identity of someone.
Authentication Schemes
1. Password-based authentication.
2. Address-based authentication.
3. Cryptographic authentication.
Password-Based Authentication
A password is a secret quantity that you state to prove you know it.
Alice -> Bob: "I'm Alice, the password is abc"
The big problem with this authentication scheme is eavesdropping.
An example: some older cell phones transmit the (telephone number + password) when making a call. If the password corresponds to the telephone number, the phone company lets the call go through and bills the caller. The problem: anyone can eavesdrop on the cell phone's transmission and clone such a phone.
Password-Based Authentication: Off-line vs. on-line password guessing
1. On-line attack: one way of guessing passwords is simply to type them at the system that is going to verify the password. To prevent this, the system can make it impossible to guess too many passwords. Example: the ATM eats your card after 3 incorrect passwords.
2. Off-line attack (dictionary attack): an intruder captures a quantity X that is derived from a password in a known way, then applies brute force to X (without talking to the system at all) to guess the password.
Password-Based Authentication: Storing user passwords
The password is stored in one of the following forms:
1. The user's authentication information is individually configured into every server that the user will use.
2. In an authentication storage node, which stores user information; servers retrieve that information when they want to authenticate the user.
3. In an authentication facilitator node, which stores the user's information. A server that wants to authenticate the user sends the information received from that user to the authentication facilitator node; this node does the authentication and tells the server yes or no.
Password-Based Authentication: Storing user passwords (continued)
In (2) and (3) it is important that the server authenticate the storage and facilitator nodes.
It is undesirable to have a database of unencrypted passwords: someone could capture the database by breaking into the database node. Alternatives:
1. Store hashes of passwords. UNIX and VMS do that.
2. Encrypt the stored passwords so that the server decrypts a given password when needed. Encryption is done with the node's key.
3. Hybrid: it is possible to combine both techniques by encrypting a database of hashed passwords.
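The following is an added example, not code from the slides: an authentication storage node that keeps only salted, slow hashes of passwords (alternative 1 above) and also enforces the on-line guessing limit from the ATM example. The parameters MAX_ATTEMPTS, ITERATIONS and the use of PBKDF2-HMAC-SHA256 are assumptions chosen for this example; the slides do not name a hash function or a work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Hypothetical parameters for this example (not from the slides).
MAX_ATTEMPTS = 3        # mirrors the ATM rule: lock after 3 incorrect passwords
ITERATIONS = 200_000    # PBKDF2 work factor: each off-line guess costs this many hashes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored quantity X from the password in a known but slow way.
    The salt makes one precomputed dictionary useless across users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Authentication storage node that keeps salted hashes, never plaintext."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._failures: Dict[str, int] = {}                  # user -> consecutive failures

    def add_user(self, username: str, password: str, salt: Optional[bytes] = None) -> None:
        salt = salt if salt is not None else os.urandom(16)
        self._records[username] = (salt, hash_password(password, salt))
        self._failures[username] = 0

    def is_locked(self, username: str) -> bool:
        return self._failures.get(username, 0) >= MAX_ATTEMPTS

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None or self.is_locked(username):
            # Unknown user or too many on-line guesses: refuse without saying which.
            return False
        salt, stored = record
        candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):    # constant-time comparison
            self._failures[username] = 0
            return True
        self._failures[username] += 1
        return False

    def stored_record(self, username: str) -> Tuple[bytes, bytes]:
        """What someone who copies the database obtains: salt and hash only."""
        return self._records[username]


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.verify("alice", "abc"))                           # False
    print(store.verify("alice", "correct horse battery staple"))  # True
```

Even if the database node is broken into, the intruder holds only salts and PBKDF2 outputs, so the off-line attack of the previous slide has to pay ITERATIONS hashes per guess per user; the on-line attack is cut off by the lockout counter.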
Address-Based Authentication
The identity of the source is inferred from the network address from which the packet arrives. Each computer stores information specifying which accounts on other computers should have access to its resources.
Example: account name Smith, on the machine with network address N, is allowed to access computer C. If a request arrives from address N on behalf of Smith, then C will honor the request.
Address-Based Authentication: Account mapping scheme
1. Machine B might have a list of network addresses of equivalent machines. If machine A is listed, then any account name on A is equivalent to the same account name on B.
Machine A, account John_Smith  <-- equivalent -->  Machine B, account John_Smith
The problem is that users have to have identical account names on all systems.
Address-Based Authentication: Account mapping scheme (continued)
Unix implements two account mapping schemes: the hosts.equiv and .rhosts files list hosts and users that are trusted by the local host when a connection is made.
1. First scheme: a global file /etc/hosts.equiv contains trusted remote hosts.
2. Second scheme: in each user's home directory, a per-user .rhosts file contains host-user <computer, account> pairs.
3. Cryptographic Authentication
Much more secure than the previous methods. Authentication is done using:
1. Secret key encryption. Alice and Bob both know the secret key K_AB. Alice picks a random number (challenge) r_A; Bob picks a random number (challenge) r_B.
Alice -> Bob: r_A
Bob -> Alice: E(r_A, K_AB), r_B
Alice -> Bob: E(r_B, K_AB)
3. Cryptographic Authentication (continued)
2. Public key encryption. Alice picks r and encrypts it using Bob's public key e_B. Bob decrypts it using his private key d_B and sends r back to Alice.
Alice -> Bob: E(r, e_B)
Bob -> Alice: r = D(E(r, e_B), d_B)
3. Cryptographic Authentication (continued)
3. Hash authentication. Alice and Bob both know the secret key K_AB. Alice picks a random number (challenge) r_A; Bob picks a random number (challenge) r_B.
Alice -> Bob: r_A
Bob -> Alice: H(r_A, K_AB), r_B
Alice -> Bob: H(r_B, K_AB)
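The three-message hash exchange above, as an added example that is not part of the slides. H(r, K_AB) is realised as HMAC-SHA256 (an assumption; the slide fixes no hash function), and the challenges are fresh random bytes so that a recorded response is useless against the next run. The secret-key variant (1) has exactly the same message flow with E(r, K_AB) in place of H(r, K_AB).

```python
import hashlib
import hmac
import secrets


def keyed_hash(key: bytes, challenge: bytes) -> bytes:
    """H(r, K_AB) from the slide, implemented here as HMAC-SHA256 (assumption)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str, shared_key: bytes) -> None:
        self.name = name
        self.key = shared_key              # K_AB, agreed out of band

    def new_challenge(self) -> bytes:
        """Fresh random r: a response captured earlier cannot be replayed against it."""
        return secrets.token_bytes(16)

    def respond(self, challenge: bytes) -> bytes:
        return keyed_hash(self.key, challenge)

    def check(self, challenge: bytes, response: bytes) -> bool:
        expected = keyed_hash(self.key, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def mutual_authentication(alice: "Party", bob: "Party") -> bool:
    """The exchange from the slide; True only if both sides accept each other."""
    # Message 1, Alice -> Bob: r_A
    r_a = alice.new_challenge()
    # Message 2, Bob -> Alice: H(r_A, K_AB), r_B
    bob_response = bob.respond(r_a)
    r_b = bob.new_challenge()
    # Alice verifies Bob before computing anything that proves her own key
    if not alice.check(r_a, bob_response):
        return False
    # Message 3, Alice -> Bob: H(r_B, K_AB)
    alice_response = alice.respond(r_b)
    return bob.check(r_b, alice_response)


if __name__ == "__main__":
    k_ab = secrets.token_bytes(32)
    print(mutual_authentication(Party("Alice", k_ab), Party("Bob", k_ab)))      # True
    print(mutual_authentication(Party("Alice", k_ab), Party("Bob", b"other")))  # False
```

Note that the password only ever travels as a keyed hash of a one-time challenge, which is what removes the eavesdropping problem of the plain password scheme: an eavesdropper sees r and H(r, K_AB) but cannot recover K_AB or answer a different r.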
Trusted Intermediaries
If the network is fairly large (n nodes), then each computer needs to know (n-1) keys. Help is needed:
1. Key Distribution Center (KDC): a trusted node that knows the keys of all nodes. If a new node is added, the KDC needs to be configured with a key for that node.
2. Certification Authorities (CAs): trusted nodes that generate certificates, i.e. signed messages specifying a sender and their public key.
Trusted Intermediaries: Certification Authorities (CAs)
Create a token (message) containing:
Identity of the principal (here, Alice)
Corresponding public key
Timestamp (when issued)
Other information (perhaps identity of the signer)
signed by a trusted authority (here, Cathy):
C_A = { e_A || Alice || T } d_C
X.509 Certificates (digitally signed)
Version
Serial number
Signature algorithm ID
Issuer
Validity period
Subject
Subject public key
Issuer unique ID (optional)
Subject unique ID (optional)
Extensions (optional)
CA digital signature
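As an added example that is not part of the slides, the following ties together the public-key challenge (cryptographic variant 2), Cathy's token C_A = { e_A || Alice || T } d_C, and the X.509 field list above: Cathy issues a certificate for Alice, a relying party verifies it, and the verified public key in a certificate is then used for the challenge. RSA is implemented here as a toy on small, well-known primes purely so that the block runs offline without third-party libraries; the key sizes, the "toy-rsa-sha256" algorithm name, the JSON canonical encoding (standing in for DER) and the integer timestamps are all assumptions of this example and nothing like a secure deployment.

```python
import hashlib
import json
import secrets
from typing import Dict, Optional, Tuple

E = 65537   # common RSA public exponent

# Toy RSA on small, known primes: constructed for illustration only, not secure.
def rsa_keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((e, n), (d, n)): the public key e_X and private key d_X of the slides."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse (Python 3.8+)
    return (E, n), (d, n)


def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Tuple[int, int], data: bytes) -> int:
    d, n = priv
    return pow(_digest_mod_n(data, n), d, n)


def verify(pub: Tuple[int, int], data: bytes, signature: int) -> bool:
    e, n = pub
    return pow(signature, e, n) == _digest_mod_n(data, n)


def canonical(body: Dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes (stands in for DER)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_name: str, ca_priv: Tuple[int, int], subject: str,
                      subject_pub: Tuple[int, int], serial: int,
                      not_before: int, not_after: int) -> Dict:
    """Cathy's token {e_A, Alice, T} signed with d_C, laid out with the X.509 fields."""
    body = {
        "version": 3,
        "serial_number": serial,
        "signature_algorithm_id": "toy-rsa-sha256",      # hypothetical name
        "issuer": ca_name,
        "validity": {"not_before": not_before, "not_after": not_after},   # T and expiry
        "subject": subject,
        "subject_public_key": {"e": subject_pub[0], "n": subject_pub[1]},
    }
    return {"body": body, "ca_signature": sign(ca_priv, canonical(body))}


def verify_certificate(cert: Dict, ca_pub: Tuple[int, int],
                       expected_subject: str, now: int) -> Tuple[bool, str]:
    """Checks a relying party makes before trusting the public key inside the certificate."""
    body = cert["body"]
    if not verify(ca_pub, canonical(body), cert["ca_signature"]):
        return False, "bad CA signature"
    if not body["validity"]["not_before"] <= now <= body["validity"]["not_after"]:
        return False, "outside validity period"
    if body["subject"] != expected_subject:
        return False, "subject mismatch"
    return True, "ok"


def public_key_challenge(bob_pub: Tuple[int, int], bob_priv: Tuple[int, int],
                         r: Optional[int] = None) -> bool:
    """Variant 2: Alice sends E(r, e_B); Bob returns D(E(r, e_B), d_B); Alice compares."""
    e_b, n_b = bob_pub
    if r is None:
        r = secrets.randbelow(n_b)      # Alice's random challenge, must be < n_B
    sent = pow(r, e_b, n_b)             # E(r, e_B), what the eavesdropper sees
    d_b, _ = bob_priv
    returned = pow(sent, d_b, n_b)      # only the holder of d_B recovers r
    return returned == r


if __name__ == "__main__":
    cathy_pub, cathy_priv = rsa_keypair(104729, 1299709)   # Cathy, the CA
    bob_pub, bob_priv = rsa_keypair(999983, 7919)          # Bob
    cert = issue_certificate("Cathy", cathy_priv, "Bob", bob_pub, 1, 1000, 2000)
    ok, reason = verify_certificate(cert, cathy_pub, "Bob", now=1500)
    print(ok, reason)                                      # True ok
    e_b, n_b = cert["body"]["subject_public_key"]["e"], cert["body"]["subject_public_key"]["n"]
    print(public_key_challenge((e_b, n_b), bob_priv))      # True
```

The order of checks in verify_certificate matters: the signature is checked first, because nothing else in the body (subject, validity) can be trusted until the CA's signature over the whole body holds.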