7/31/2019 Kaliski Mutual Authentication
Stronger Authentication: The Feeling is Mutual
Burt Kaliski, RSA Laboratories
December 6, 2005
Introduction
User authentication is growing in importance in e-commerce
Many organizations are calling for stronger authentication mechanisms than the typical password-based schemes
e.g.: FFIEC guidance on authentication in Internet banking (Oct. 2005); FSTC Better Mutual Authentication project
As these efforts illustrate, authentication strength depends on more than just the factors
And the authentication story depends on more than just the user
User Authentication Model
[Diagram: User and User's Devices (holding Authentication Factors) -> Agent -> Resource; Evidence flows from the user to the agent, and the Authentication Protocol runs between agent and resource]
Forward Authentication Steps
1. User and User's Devices present Evidence to Agent demonstrating possession of Authentication Factors
2. Agent conveys Evidence to Resource in Authentication Protocol
Variations on the Model
Local authentication: User authenticates directly to resource, without agent
e.g.: Log into PC; Unlock smart card
Authentication server: User authenticates once to authentication server, which relays ticket or authentication assertion to resource
e.g.: Kerberos; Identity providers
Validation server: Resource relies on separate validation server for part or all of authentication decision
e.g.: Credential federation
Contextual factors: Where & when did the protocol originate?
Describing an Authentication Mechanism
An authentication mechanism is a ceremony* involving:
Selected authentication factors;
Particular evidence about those factors; and a
Specific protocol for conveying the evidence
Simple authentication mechanism: has one resource, one authentication decision
* Ceremony = Carl Ellison / Jesse Walker model for protocols involving users
Composing Authentication Mechanisms
Compound authentication mechanism: combines two or more mechanisms; more than one authentication decision
Recursive composition: One mechanism enables access to factors of another
e.g.: Unlock smart card with PIN, authenticate to resource with smart card; the smart card is the (local) resource for the first decision
Sequential composition: One mechanism adds to another
e.g.: Authenticate to resource with password, then later with answers to life questions; Risk-based approaches
Example Factors
Something you know: Password / PIN; Knowledge-based authentication; Cognometrics™ (PassFaces™)
Something you have: One-time password token; Smart card / USB token; Mobile phone
Something you are / can do: Biometrics
Example Factors & Evidence
Factor type                   Factor                           Evidence
Something you know            Password / PIN                   Password / PIN
                              Knowledge-based authentication   Answer
                              Cognometrics™ (PassFaces™)       Image selection
Something you have            One-time password token          One-time password
                              Smart card / USB token           Signature
                              Mobile phone                     Voice confirmation
Something you are / can do    Biometrics                       Fingerprint
Example Authentication Protocols
Agent can send evidence directly to resource over secure channel
e.g.: Password over SSL/TLS; Simple EAP mechanisms
Or, can prove knowledge of evidence without sending it
e.g.: MS-CHAP (challenge-response); Zero-knowledge password protocols: EKE, SPEKE, etc.
Agent can transform evidence to associate it with resource context, so that evidence captured by one resource is useless at another
e.g.: Password hashing; EAP-POTP
Can also combine evidence, perhaps with factors held locally
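The three protocol styles above differ mainly in what a rogue resource learns. The following Python is an added example, not code from Kaliski's slides: it models an honest resource, an agent holding a password, and what happens when evidence captured by a rogue resource at a different identifier is presented to the real one. The class names, the PBKDF2 key derivation with a fixed salt, and the resource-identifier binding format are illustrative assumptions; the binding step is the slide's "transform evidence to associate with resource context" idea.

```python
"""Added example (not from the slides): direct evidence vs. proof of knowledge
vs. proof bound to resource context, and what a rogue resource can do with
each. Names and the key-derivation choice are illustrative assumptions."""
import hashlib
import hmac
import os


def derive_key(password: str) -> bytes:
    # Password-derived key shared by agent and resource. Fixed salt keeps the
    # example deterministic; a real verifier stores a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 10_000)


class Resource:
    def __init__(self, resource_id: str, users: dict):
        self.resource_id = resource_id
        self.keys = {u: derive_key(p) for u, p in users.items()}

    # Style 1: evidence sent directly (password over a secure channel).
    def login_direct(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.keys.get(user, b""), derive_key(password))

    def challenge(self) -> bytes:
        return os.urandom(16)

    # Style 2: proof of knowledge (MS-CHAP-style challenge-response).
    def login_challenge(self, user: str, chal: bytes, response: bytes) -> bool:
        expected = hmac.new(self.keys.get(user, b"\0"), chal, "sha256").digest()
        return hmac.compare_digest(expected, response)

    # Style 3: proof bound to the resource context; the resource folds in its
    # own identifier, so a response computed for another name cannot match.
    def login_bound(self, user: str, chal: bytes, response: bytes) -> bool:
        msg = self.resource_id.encode() + b"|" + chal
        expected = hmac.new(self.keys.get(user, b"\0"), msg, "sha256").digest()
        return hmac.compare_digest(expected, response)


class Agent:
    def __init__(self, user: str, password: str):
        self.user, self.key = user, derive_key(password)

    def respond_challenge(self, chal: bytes) -> bytes:
        return hmac.new(self.key, chal, "sha256").digest()

    def respond_bound(self, resource_id: str, chal: bytes) -> bytes:
        # resource_id is the name the agent believes it connected to.
        return hmac.new(self.key, resource_id.encode() + b"|" + chal, "sha256").digest()


def rogue_resource_replay() -> dict:
    """Per style: does evidence obtained by a rogue resource at 'evil.example'
    let it log in to the real resource 'bank.example' as alice?"""
    real = Resource("bank.example", {"alice": "correct horse"})
    agent = Agent("alice", "correct horse")
    results = {}
    # Style 1: the rogue saw the password itself and simply replays it.
    captured_password = "correct horse"
    results["direct"] = real.login_direct("alice", captured_password)
    # Style 2: a response to the rogue's own challenge is useless against a
    # fresh challenge from the real resource...
    captured = agent.respond_challenge(os.urandom(16))
    results["challenge_replay"] = real.login_challenge("alice", real.challenge(), captured)
    # ...but a live rogue that forwards the real challenge still gets in.
    live = real.challenge()
    results["challenge_relay"] = real.login_challenge("alice", live, agent.respond_challenge(live))
    # Style 3: the agent binds its response to the name it connected to
    # ("evil.example"), so even a live relay of the real challenge fails.
    live = real.challenge()
    results["bound_relay"] = real.login_bound("alice", live, agent.respond_bound("evil.example", live))
    # Honest bound login for comparison.
    live = real.challenge()
    results["bound_honest"] = real.login_bound("alice", live, agent.respond_bound("bank.example", live))
    return results


if __name__ == "__main__":
    print(rogue_resource_replay())
```

The binding in style 3 only helps as far as the agent's view of the resource identity is accurate (the hostname it connected to, or the identity in the server's certificate); it defeats a phishing site at another name, but not a corrupted agent that lies about the name, which is exactly the gap the "Security Challenges" slide raises next.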
Security Challenges
Corrupted agent can misuse evidence
Rogue resource can also misuse evidence, unless agent runs a strong protocol
Man-in-the-middle is also a threat, depending on protocol
Even if mechanism protects user authentication, attacker may be able to mislead the user into disclosing other sensitive information
Key question: How does user authenticate the resource and the agent?
Resource Authentication Model
[Diagram: same parties as the User Authentication Model, with the arrows reversed: Authentication Protocol from Resource to Agent, Evidence from Agent to User and User's Devices]
Reverse Authentication Steps
1. Resource demonstrates authenticity to Agent in Authentication Protocol
2. Agent presents Evidence of authenticity to User and User's Devices
Resource Authentication Examples
1. Resource PKI
Resource authenticates to agent with certificate
Agent presents evidence via lock icon, certificate status
But how does user know lock is actually from agent? Also, certificate trust lists can easily be confused
2. Zero-knowledge protocols
Resource authenticates via ZK proof of knowledge of evidence; reverse hashing is a weaker variant
Agent presents evidence via visual indicator
But how does user know indicator is actually from agent, or that the protocol is even running?
Resource Authentication Examples (contd)
3. Next one-time password
Resource authenticates to user by providing the next one-time password (assumes user has OTP device as one factor)
Agent presents next OTP directly to user
But only authenticates that resource is present; doesn't detect man-in-the-middle
4. Dynamic security skins (Rachna Dhamija)
Resource authenticates to agent with certificate
Agent presents resource identifier via pattern based on hash of resource identifier
But again, how does user know that pattern is from agent?
Resource Authentication Examples (contd)
5. Watermark or user-selected image
Resource authenticates to user by providing a previously registered watermark or image
Agent presents picture directly to user
Again, doesn't detect man-in-the-middle
Summary: Mutual User Authentication
Each approach to resource authentication has pros and cons in terms of usability, security against various threats
Agent needs a trustworthy user interface*, otherwise user can't rely on evidence presented
Resource should enable some evidence that the agent can present to user
Rapport-building is important if user can't be sure that agent is running strong protocols
Contextual factors provide a foundation
* See Trustworthy Interfaces for Passwords and Personal Information workshop (crypto.stanford.edu/TIPPI)
Related Example: RFID Tag Authentication
Radio-frequency ID tags (tiny chips with antennas) are used to track inventory, and increasingly to authenticate items
e.g.: Passports, containers, etc.
Authentication model is similar to user authentication:
User / Devices = RFID tag
Agent = Reader
Resource = Back-end system
Security challenges are also similar; plus, a rogue reader can potentially read without permission
How does RFID tag authenticate the reader?
Reader Authentication Examples
1. Reader / back-end PKI
Reader or back-end authenticates to tag with certificate
But hard for typical tags to do public-key crypto operations
2. Symmetric crypto
Reader authenticates with shared symmetric key
But how to identify which key without enabling tracking?
3. One-time identities (e.g., Ari Juels' minimalist crypto)
Reader, tag authenticate with one-time identifiers and PIN
4. Reader identification
Reader broadcasts its authorization for auditors; tag checks that authorization is present, but doesn't verify it
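The symmetric-crypto option (item 2) can be made to answer its own objection, at a cost. The following Python is an added example, not code from the slides: the tag never emits a fixed identifier; it sends a fresh nonce and an HMAC under its key, the back-end identifies the tag by trying every key it holds, and the reader then proves to the tag that it (via the back-end) has the same key. Unlinkability is bought with a linear key search per read, which is why the slide lists one-time identities as the next alternative. The Tag/BackEnd classes, message layout, 8-byte nonces and 16-byte keys are assumptions for the example.

```python
"""Added example (not from the slides): symmetric-key mutual authentication
between an RFID tag and a reader/back-end without a fixed tag identifier on
the air. Class names, message layout and key/nonce sizes are assumptions."""
import hmac
import os


class Tag:
    def __init__(self, key: bytes):
        self.key = key

    def hello(self):
        """Step 1: emit (nonce_t, HMAC(key, "tag" || nonce_t)); no static ID."""
        n_t = os.urandom(8)
        return n_t, hmac.new(self.key, b"tag" + n_t, "sha256").digest()

    def check_reader(self, n_t: bytes, n_r: bytes, reader_proof: bytes) -> bool:
        """Step 3: accept the reader only if it proves knowledge of our key
        over both nonces (fresh on each side, so old proofs cannot be replayed)."""
        expected = hmac.new(self.key, b"reader" + n_t + n_r, "sha256").digest()
        return hmac.compare_digest(expected, reader_proof)


class BackEnd:
    def __init__(self, tags: dict):      # tag_id -> key
        self.tags = tags
        self.lookups = 0                 # cost counter for the key search

    def identify(self, n_t: bytes, tag_proof: bytes):
        """Step 2: no identifier was sent, so try every key (O(#tags) per read)."""
        for tag_id, key in self.tags.items():
            self.lookups += 1
            cand = hmac.new(key, b"tag" + n_t, "sha256").digest()
            if hmac.compare_digest(cand, tag_proof):
                return tag_id, key
        return None, None

    def reader_proof(self, key: bytes, n_t: bytes, n_r: bytes) -> bytes:
        return hmac.new(key, b"reader" + n_t + n_r, "sha256").digest()


def read_tag(backend: BackEnd, tag: Tag):
    """Full exchange through an honest reader.
    Returns (identified tag_id or None, whether the tag accepted the reader)."""
    n_t, tag_proof = tag.hello()
    tag_id, key = backend.identify(n_t, tag_proof)
    if key is None:
        return None, False
    n_r = os.urandom(8)
    return tag_id, tag.check_reader(n_t, n_r, backend.reader_proof(key, n_t, n_r))


def demo():
    """Constructed fleet of three tags: read one honestly, show a keyless rogue
    reader is rejected, and that two reads of the same tag look unrelated."""
    fleet = {f"passport-{i}": os.urandom(16) for i in range(3)}
    backend = BackEnd(fleet)
    tag = Tag(fleet["passport-2"])
    honest = read_tag(backend, tag)                                  # ("passport-2", True)
    n_t, _ = tag.hello()
    rogue_accepted = tag.check_reader(n_t, os.urandom(8), os.urandom(32))   # False
    a, b = tag.hello(), tag.hello()                                  # nothing to correlate
    return honest, rogue_accepted, a != b


if __name__ == "__main__":
    print(demo())
```

Two practical caveats: the per-read key search is the scalability price of hiding the identifier (a fleet of a million tags means up to a million HMACs per read at the back-end), and a reader that reaches the back-end is still a relay point, so this authenticates the reader to the tag but does not by itself address the rogue-reader-reads-without-permission problem when the rogue can talk to an honest back-end.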
Conclusions
All parties need assurance that the others are authentic: both the user or tag, and the system
Obtaining this assurance is an important challenge in protocol design, whether for e-commerce or physical objects
Authentication is more than just about factors: the evidence, the protocols and the user interface all affect security
Contact Information
Burt Kaliski, RSA Laboratories, [email protected]
www.rsasecurity.com/rsalabs