Post on 23-Feb-2016
description
transcript
Le Trong Ngoc
Security FundamentalsEntity Authentication Mechanisms
4/2011
1.2
4-1 Continued
Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
1.3
4-1 Continued
There are two differences between message authentication (data-origin authentication) and entity authentication, discussed in this chapter.
1) Message authentication might not happen in real time; entity authentication does.
2) Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.
1.4
4-1 Continued
Something known
Something possessed
Something inherent
1.5
4-2 PASSWORDS
The simplest and oldest method of entity authentication is the password-based authentication, where the password is something that the claimant knows.
1.6
4-2 Continued
First Approach
User ID and password file
1.7
4-2 Continued
Hashing the password
Second Approach
1.8
4-2 Continued
Third Approach
Salting the password
1.9
4-2 Continued
Fourth ApproachIn the fourth approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).
1.10
4-2 Continued
One-Time PasswordFirst ApproachIn the first approach, the user and the system agree upon a list of passwords.
Second ApproachIn the second approach, the user and the system agree to sequentially update the password.
Third ApproachIn the third approach, the user and the system create a sequentially updated password using a hash function.
1.11
4-2 Continued
Lamport one-time password
1.12
4-3 CHALLENGE-RESPONSE
In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.
1.13
4-3 Continued
In challenge-response authentication, the claimant proves that she knows a secret without sending it to
the verifier.
The challenge is a time-varying value sent by the verifier; the response is the result
of a function applied on the challenge.
1.14
4-3 Continued
First Approach
Nonce challenge
1.15
4-3 Continued
Second Approach
Timestamp challenge
1.16
4-3 Continued
Third Approach.
Bidirectional authentication
1.17
4-3 Continued
Instead of using encryption/decryption for entity authentication, we can also use a keyed-hash function (MAC).
Keyed-hash function
Using Keyed-Hash Functions
1.18
4-3 Continued
First ApproachUnidirectional, asymmetric-key authentication
Using an Asymmetric-Key Cipher
1.19
4-3 Continued
Second Approach
Bidirectional, asymmetric-key
1.20
4-3 Continued
Using Digital SignatureFirst Approach
Digital signature, unidirectional
1.21
4-3 Continued
Second Approach
Digital signature, bidirectional authentication
1.22
4-4 ZERO-KNOWLEDGE
In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret.
Fiat-Shamir ProtocolFeige-Fiat-Shamir ProtocolGuillou-Quisquater Protocol
1.23
4-4 Continued
Fiat-Shamir protocol
1.24
4-4 Continued
Cave Example
1.25
4-4 Continued
Feige-Fiat-Shamir protocol
1.26
4-4 Continued
Guillou-Quisquater protocol
1.27
4-4 Continued
Guillou-Quisquater protocol
1.28
4-5 BIOMETRICS
Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared.
ComponentsEnrollmentAuthenticationTechniquesAccuracyApplications
1.29
4-5 Continued
Several components are needed for biometrics, including capturing devices, processors, and storage devices..
Components
1.30
4-5 Continued
Before using any biometric techniques for authentication, the corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.
Enrollment
1.31
4-5 Continued
Authentication
Verification
Identification
1.32
4-5 Continued
Techniques
1.33
4-5 Continued
Physiological Techniques
Fingerprint
Iris
Retina
Face
Hands
Voice
DNA
1.34
4-5 Continued
Behavioral Techniques
Signature
Keystroke
1.35
4-5 Continued
Accuracy
False Rejection Rate (FRR)
False Acceptance Rate (FAR)
1.36
4-5 Continued
Several applications of biometrics are already in use. In commercial environments, these include access to facilities, access to information systems, transaction at point-ofsales, and employee timekeeping. In the law enforcement system, they include investigations (using fingerprints or DNA) and forensic analysis. Border control and immigration control also use some biometric techniques.
Applications