Authentication Approaches over Internet


Feb 22, 2014



Jia Li

jl3272@columbia.edu


What is authentication?

Authentication is a process by which the identity of a user accessing a network or other source of information is verified.



Why do we need authentication?

To prevent sniffers from counterfeiting the identity of legitimate users.


Authentication approaches

Username/password authentication
Device-based authentication
  USB-key authentication
  Dynamic password authentication
Biometric authentication

Username/password Authentication

Basic mechanism: PAP (Password Authentication Protocol)

[Diagram: the client sends the password in plaintext to the server; the server replies ACK/NAK. Timeline: the password is repeatedly sent until a response (ACK) is received.]

Obvious disadvantages

Passwords are exposed over the Internet when transmitted from client to server.

A sniffer can easily steal and read the password, and then impersonate the user by sending that password to the server.

A way to prevent plaintext passwords?



Improved mechanism

Protect passwords with a hash function and a random variable.

Hash function
takes an arbitrary block of data and returns a fixed-size bit string as the hash value
one-way function: it is extremely difficult to invert the function and recover the original input data from the hash value
impossible to modify the original data without changing its hash value
it is infeasible to find two messages having the same hash value



Authentication Process

client: send the password, hashed with the hash function, to the server
server: compute the expected hash value and compare it with the hash value received from the client

Advantages
passwords are not exposed directly over the Internet
a sniffer cannot learn the original password even if it captures the hash value

Disadvantage
Sniffers can still counterfeit the user's identity by sending the hash value they captured to the server, without knowing the real password (because the hashed password remains the same every time).






Random variable

To make the transmitted password different and unique every time it is sent to the server.

[Diagram: a fixed bit string, "suppose this is the real password (fixed)", shown alongside a second bit string, "suppose this is the random variable (changeable)".]


Advantage

Sniffers cannot use the information captured in a previous communication to log in as the user, because the transmitted password changes every time.

Disadvantage

If the final password is still transmitted in plaintext, the random variable does not help, because the real password is fixed and appears inside every combined password.




Problem solved by combination

Combination of hash function and random variable
the transmitted password is changeable
sniffers cannot get the original password from the hash value

[Diagram: Password Hash (if MD5, 128 bits; if SHA1, 160 bits) combined with Random Variable Hash (if MD5, 128 bits; if SHA1, 160 bits).]
Device-based Authentication

USB-key authentication

Device
a hardware device with a USB interface
stores the user's key in the device memory (PIN-protected)
the memory space cannot be read or written directly






Authentication Process (impulse/response)

[Diagram: the Client (USB-key) sends an authentication request to the Server; the Server sends a random series of numbers (impulse); the Client returns a hash value (response); the Server answers with the authentication response (ACK/NAK).]

1. User enters PIN on the web page
2. USB-key applies MD5 to the random series of numbers and the user's key
3. Generate a hash value
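The hash-plus-random-variable scheme from the earlier slides and the USB-key impulse/response above are the same exchange: the server sends a random series, the holder of the secret answers with a one-way function of the secret and that series, and the server checks it. The Python below is an added example, not code from the slides; it plays a sniffer against the three username/password variants (random variable alone, hash alone, hash plus random variable) and shows which captures let the sniffer log in. The way the secret and the random series are combined (SHA1 over their concatenation), the 16-byte series length and the password value are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed demo credential; not a value from the slides.
USER_PASSWORD = "correct horse battery staple"


def response(secret: bytes, random_series: bytes) -> bytes:
    """Client (or USB-key) side: a one-way function over the user's secret and the
    server's random series. The slides mention MD5/SHA1; SHA1 over secret||series
    is an assumption for how the two are combined."""
    return hashlib.sha1(secret + random_series).digest()


def random_variable_without_hash(secret: bytes, random_series: bytes) -> bytes:
    """The 'random variable only' variant: the fixed password travels next to the
    random value, still in plaintext."""
    return secret + random_series


class Server:
    """Verifier. Knows the user's secret and remembers which random series it has
    issued, so that each one can be answered at most once."""

    def __init__(self, secret: str):
        self._secret = secret.encode()
        self._outstanding: set[bytes] = set()

    # Scheme 1: hash only. The client sends H(password), which never changes.
    def verify_hash_only(self, received: bytes) -> bool:
        expected = hashlib.sha1(self._secret).digest()
        return hmac.compare_digest(expected, received)

    # Scheme 2: hash + random variable (impulse/response).
    def issue_random_series(self) -> bytes:
        impulse = os.urandom(16)
        self._outstanding.add(impulse)
        return impulse

    def verify_response(self, impulse: bytes, received: bytes) -> bool:
        if impulse not in self._outstanding:
            return False                      # never issued or already answered: a replay
        self._outstanding.discard(impulse)    # single use
        return hmac.compare_digest(response(self._secret, impulse), received)


def demo() -> dict:
    """Run the three schemes from a sniffer's point of view and report what works."""
    server = Server(USER_PASSWORD)
    client_secret = USER_PASSWORD.encode()

    # Random variable without hash: the sniffer reads the password straight off the wire.
    wire = random_variable_without_hash(client_secret, os.urandom(16))
    password_readable = wire[: len(client_secret)] == client_secret

    # Hash only: the sniffer records H(password) once and replays it later.
    captured_hash = hashlib.sha1(client_secret).digest()
    hash_only_replay_accepted = server.verify_hash_only(captured_hash)

    # Hash + random variable: the sniffer records one full exchange ...
    impulse_1 = server.issue_random_series()
    response_1 = response(client_secret, impulse_1)
    first_login_accepted = server.verify_response(impulse_1, response_1)
    # ... and replays it unchanged: that random series has already been consumed.
    replay_accepted = server.verify_response(impulse_1, response_1)
    # Against a fresh random series the recorded response is useless as well.
    impulse_2 = server.issue_random_series()
    stale_response_accepted = server.verify_response(impulse_2, response_1)
    # Only a party holding the secret can answer a fresh random series.
    impulse_3 = server.issue_random_series()
    fresh_login_accepted = server.verify_response(impulse_3, response(client_secret, impulse_3))

    return {
        "password_readable_without_hash": password_readable,    # True
        "hash_only_replay_accepted": hash_only_replay_accepted,  # True
        "first_login_accepted": first_login_accepted,            # True
        "replay_accepted": replay_accepted,                      # False
        "stale_response_accepted": stale_response_accepted,      # False
        "fresh_login_accepted": fresh_login_accepted,            # True
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The server keeps the random series it issued and discards each one on first use; that bookkeeping, not the hash by itself, is what turns a captured exchange into something the sniffer cannot reuse. Dropping the `_outstanding` check brings back exactly the replay the hash-only slide warns about.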




Advantages
the user's key is neither exposed over the Internet nor stored in the computer
the value in every response is different

Disadvantage
Since the PIN is still entered via the website, sniffers can capture it easily. If the user fails to unplug the USB-key in time, sniffers can use the PIN they captured to gain the authority of the USB-key.




Dynamic password authentication

Device
a small hardware device with an LCD and its own battery
the password-generation chip in it applies a special algorithm to the device ID, the user's key and the present time, and then displays the password on the LCD



Authentication process

[Diagram: the Client sends the generated password to the Server as the authentication request; the Server replies ACK/NAK.]


Advantages
the device ID and the user's key are neither exposed over the Internet nor stored in the computer
the generated password changes every minute

Disadvantage
The synchronization mechanism must perform very well so that the value computed by the server corresponds to the received value.
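The synchronization problem becomes concrete once the server has to recompute the device's password from its own clock. The Python below is an added example, not code from the slides or from any particular token vendor: the device derives a password from device ID, key and the current minute, and the server accepts a password from the current minute or one minute either side, while refusing to accept any minute twice. The slides only say "a special algorithm"; the HMAC-SHA1 truncation used here (the TOTP construction), the six-digit length, the one-step tolerance and the device ID, key and clock values are all assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60     # the slides: the generated password changes every minute
DIGITS = 6            # assumption: a six-digit display
DRIFT_STEPS = 1       # assumption: the server tolerates one step of clock drift either way


def generate_password(device_id: bytes, user_key: bytes, now: int) -> str:
    """Device side: combine device ID, user's key and the present time.
    The slides only say 'a special algorithm'; the HMAC-SHA1 truncation below
    (the TOTP construction) is an assumption made for this example."""
    step = now // STEP_SECONDS
    digest = hmac.new(user_key, device_id + struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Server:
    """Server side: holds the same device ID and key, recomputes the password for the
    current step and its neighbours, and never accepts the same step twice."""

    def __init__(self, device_id: bytes, user_key: bytes):
        self._device_id = device_id
        self._user_key = user_key
        self._last_accepted_step = -1

    def verify(self, candidate: str, now: int) -> bool:
        server_step = now // STEP_SECONDS
        for drift in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            step = server_step + drift
            if step <= self._last_accepted_step:
                continue                      # a password from this step was already used
            expected = generate_password(self._device_id, self._user_key, step * STEP_SECONDS)
            if hmac.compare_digest(expected, candidate):
                self._last_accepted_step = step
                return True
        return False


def demo() -> dict:
    """Present one device-generated password to servers whose clocks differ from the device."""
    device_id = b"DEVICE-0001"            # constructed
    user_key = b"constructed-demo-key"    # constructed
    base = 1_700_000_000                  # constructed device clock reading (seconds)
    code = generate_password(device_id, user_key, base)

    s = Server(device_id, user_key)
    same_step = s.verify(code, base + 30)        # server 30 s ahead, still the same minute
    replay = s.verify(code, base + 30)           # the same code presented a second time

    drift_one = Server(device_id, user_key).verify(code, base + 50)     # next minute: tolerated
    drift_two = Server(device_id, user_key).verify(code, base + 150)    # two minutes out: refused
    wrong_key = Server(device_id, b"another-key").verify(code, base)    # key mismatch: refused

    return {
        "same_step": same_step,     # True
        "replay": replay,           # False
        "drift_one": drift_one,     # True
        "drift_two": drift_two,     # False
        "wrong_key": wrong_key,     # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The tolerance window is the trade the slide's disadvantage describes: a wider `DRIFT_STEPS` survives worse clock drift but lengthens the time for which a captured password stays valid, and `_last_accepted_step` is what keeps a password from being accepted twice inside that window.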

Biometric Authentication

What is biometric authentication

Biometric authentication is a technique that authenticates a user's identity by using everyone's unique biological characteristics, such as face, fingerprint, retina, voice and even action postures.

Most reliable because it is unique and cannot be counterfeited.

Fingerprint: an ideal way for biometric authentication
unique, guaranteeing a one-to-one mapping between the user and the authentication information
stable and will not change easily, guaranteeing the long-term validity of the authentication information
can be scanned quickly and conveniently
ten different fingerprints increase the level of security
the authentication information need not be the full fingerprint image but can be some essential features, which saves storage space on the server


Authentication process

[Diagram: scanner -> client -> server; the client sends a digital representation of the features; the server replies ACK/NAK.]

1. Scanner captures the image of the fingerprint
2. The image is put into the feature extraction template
3. The full image is translated into a reduced representation of its major features


Advantage
Reliable!

Disadvantages
the device costs much
the installation and portability of the device on the client is a problem
getting a sample of the biometric characteristics is sometimes not convenient

Conclusion

Username/password
  Basic mechanism (plaintext password): security level Extremely Low.
  Hash function, MD5 (one-way algorithm): High; sniffers can log in without knowing the password; MD5 has been broken.
  Hash function, SHA1 (one-way algorithm): Higher; sniffers can log in without knowing the password.
  Random variable (authentication information changes randomly): Low; password exposure.
  Combination of hash function and random variable (one-way algorithm; randomly changeable password): Highest.
  Advantages: least expensive; no hardware; no software; users can change passwords as they want.
  Disadvantages: easily stolen; easily guessed; easily forgotten; cost of support.

Device-based
  USB-key (two-factor authentication): High; the PIN is entered on the website.
  Dynamic password (authentication information changes dynamically): Higher; the synchronization mechanism has to be perfect.
  Advantages: no need to remember a password; the password is neither exposed over the Internet nor stored in the computer; raw password changeable; not easily attacked.
  Disadvantages: troublesome to carry the device; easily lost; cost of the device; software has to be installed.

Biometric
  Security level: Highest.
  Advantages: unique; cannot be lost, stolen, forgotten or faked.
  Disadvantages: complexity and cost of the device; installation and portability problems; not convenient.


Thank you!