Network Security - Authentication - Computer Science


Published on IST 554 (https://online.ist.psu.edu/ist554)

Lesson 1: Understanding Authentication

In general, authentication is a process to confirm the identity of a user requesting service or a message sender, and also the integrity of specific information.

Authentication is common in the real world (e.g., you need a photo ID to board an airplane). A more complicated example is online banking. Suppose you need to transfer a certain amount of money from one account to another on the Internet. You need to first prove your identity before you are allowed to transfer your money, thus you confirm the authenticity of the transaction.

In computer security, authentication is handled electronically. The most basic technology involves a username (or user ID) and a password for identity authentication. Now this procedure has evolved to include other methods to confirm identity, such as biometrics and smart cards. Even stronger authentication technologies such as Kerberos have also become popular.

This lesson describes basic concepts of identity authentication and message authentication. It then briefly discusses three different techniques to prove a user's identity. It ends with the discussion of different models used by computer systems or participants of communications to perform authentication.

Lesson objectives:

- Explain identity authentication and provide an example.
- Explain message authentication and provide an example.
- Discuss different authentication methods for proving identity.
- Describe different authentication models.

Identity Authentication

Identity authentication is a process to verify whether someone is authorized to complete the transaction they intend. This is commonly confirmed via user ID and passwords in most of today's computer systems.

To initially access a system, a user registers, using a unique ID and password. Subsequently, when the user attempts to access the system, the system checks to make sure the user ID and password are registered and acceptable. In the real world, this is equivalent to providing a confirmation number for registration when checking into a hotel. Hotel management is ensuring that the reservation is being released to the correct guest.

Figure 5.1: User Identity Authentication

Let's look at an example, as shown in Figure 5.1, in which a user, Alice, wishes to use her computer (client) to update a file of her own on a remote file server. The server will first make sure the user is, in fact, Alice, before it allows the update.

The process generally works in the following manner:

1. Alice starts a client program on her computer such as telnet or ftp.
2. The client program prompts for her user ID and password.
3. Alice fills in her unique credentials (user ID and password).
4. The client program encodes or prearranges the credentials and sends them to the remote server.
5. The remote server compares the received credentials to its own copy of user accounts and grants Alice access to the resources if Alice has provided the correct ID and password.

Contact Webmaster

© Copyright 2013 College of IST

This process is referred to as one-way authentication: it assumes that the remote computer is trustworthy and requires only Alice to prove her identity to the server. However, Alice may want to verify the identity of the server before she works with private data. Thus, the authentication system needs a way for the client program to authenticate the server before communication starts. This requires two-way authentication, or mutual authentication. The Kerberos authentication system supports mutual authentication. This will be discussed in more detail later.

Message Authentication

Figure 5.2: Message Authentication Example

Message authentication provides two services: message origin authentication and message content authentication. Message authentication verifies that the received message comes from the alleged sender as well as provides integrity assurance that the message has not been altered or replaced in transit.

Figure 5.2 illustrates an example where message authentication is desirable. In the example, Alice wants to send John a message. Because the message has to travel across an open public network (e.g., the Internet), John would want to make sure that the received message is truly from Alice and that the message has not been altered on its way from Alice to John.

With the development of networking, message authentication has become more critical. When a sender sends a message across the Internet, outside parties may intercept the message and alter it, substitute an entirely different message for the original message, or even insert messages of their own. In these circumstances, it is critical that the intended recipient has tools to determine the source of the message and the integrity of the message. Digital signature technology, based on public-key cryptography, provides this type of message authentication. We will discuss this in more detail later.
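The two services just described (origin authentication and content integrity) can be seen concretely with a message authentication code. The following is an added example, not part of the lesson: it uses HMAC-SHA256 under a key shared by Alice and John, which is the shared-key counterpart of the public-key digital signature the lesson names; the key and messages are constructed for illustration.

```python
import hashlib
import hmac


def tag_message(key: bytes, message: bytes) -> bytes:
    """Sender side: compute an HMAC-SHA256 tag that travels with the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    A match means the message came from a holder of the key (origin) and
    was not changed on the way (content integrity).
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict[str, bool]:
    """Genuine, altered and substituted messages as John would see them."""
    # Constructed shared key; Alice and John would agree on it out of band.
    key = b"constructed-shared-key-for-alice-and-john"
    message = b"Transfer 100 USD to account 12345"
    tag = tag_message(key, message)

    # Message altered in transit: the original tag no longer matches.
    altered = b"Transfer 900 USD to account 12345"
    # Entirely different message with a tag made under some other key.
    forged_msg = b"Transfer 500 USD to account 99999"
    forged_tag = tag_message(b"constructed-wrong-key", forged_msg)

    return {
        "genuine": verify_message(key, message, tag),
        "altered_content": verify_message(key, altered, tag),
        "substituted_message": verify_message(key, forged_msg, forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine message verifies; the altered and substituted ones are rejected even though they look well formed. Because the same key both creates and checks the tag, this scheme cannot prove to a third party who sent the message; that is the property a public-key signature adds.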

Identity Authentication Methods


Authentication is generally based on one of the following three factors:

- Who you are (e.g., fingerprint, face, voice, retinal pattern).
- What you know (e.g., a password, your mother's maiden name, your birthday).
- What you own (e.g., ID card, security token).

The key factor in identity authentication is the proof offered by an individual to confirm his or her identity. Sometimes a combination of different factors is used, e.g., an ATM card and a Personal Identification Number (PIN) or a security token and a password. This is referred to as a two-factor authentication method.

The following three methods for identity authentication depend on different authentication factors:

ID/Password

The simplest method of authenticating identity is to use an ID and password combination, which is based on confidential personal knowledge. Other people may know a user's ID, but only the user knows the password. The user provides their ID and secret password upon request when interacting with a server or a recipient.

The server is programmed to save a copy of the user's password so it can compare the received password with its own copy. Passwords are often stored in an encrypted form so that a compromised password file does not reveal passwords directly. The problem with a password-based system is that passwords can be easily stolen or intercepted in a network environment, or a user might not keep their password secret. This threatens the security of the network, allowing hackers access to a system or unauthorized internal transactions.
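The following added example (not code from the lesson) implements the registration and comparison steps of the Alice-and-file-server flow described earlier, together with the protected password store this section mentions. Instead of the password itself, the server keeps a per-user salt and a PBKDF2-derived key, so a copied account file does not reveal passwords directly. The account store, user names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user account file"; a real server would persist this.
# Maps user ID -> (salt, derived key). The password itself is never stored.
_ACCOUNTS: dict[str, tuple[bytes, bytes]] = {}

# Assumption for this example only; pick the cost from current guidance.
PBKDF2_ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """Turn a password into a fixed-length key using a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(user_id: str, password: str) -> bool:
    """Initial registration: record a unique ID with a salted password hash.

    Returns False if the ID already exists, keeping IDs unique.
    """
    if user_id in _ACCOUNTS:
        return False
    salt = os.urandom(16)
    _ACCOUNTS[user_id] = (salt, _derive(password, salt))
    return True


def authenticate(user_id: str, password: str) -> bool:
    """Step 5 of the flow: compare received credentials with the stored copy."""
    record = _ACCOUNTS.get(user_id)
    if record is None:
        # Unknown ID: still spend one derivation so response time does not
        # reveal which IDs exist (dummy salt, result discarded).
        _derive(password, b"\x00" * 16)
        return False
    salt, stored_key = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored_key)


def demo() -> list[bool]:
    """Run the registration/login sequence; return the outcome of each step."""
    _ACCOUNTS.clear()
    return [
        register("alice", "correct horse battery staple"),        # True
        register("alice", "anything"),                            # False: ID taken
        authenticate("alice", "correct horse battery staple"),    # True
        authenticate("alice", "wrong password"),                  # False
        authenticate("mallory", "correct horse battery staple"),  # False: unknown
    ]


if __name__ == "__main__":
    print(demo())
```

Note that this protects the stored copy only; as the lesson says, the password can still be intercepted on the network unless the transport itself is protected.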

Biometrics Method

Biometrics authentication technology determines the identity of an individual by comparing a person's physiological features, such as voice pattern, fingerprint, facial pattern, iris, etc., with what has been previously recorded for that person.

Using biometrics, a person initially registers with the system using one or more physiological measurements that are turned into numerical data via statistical and mathematical methods. The user's login is successful if the features match what the system originally has recorded.


Biometrics relieves the user from having to choose and memorize different passwords. However, biometrics is not secure unless combined with cryptography because the measurement converted from physical features is still recorded numerically, thus having the same vulnerabilities as other numerical data. From this aspect, the Smart Card Method is more secure and an efficient complement of biometrics.

Smart Cards

Smart card technology is used to provide strong security protection and authentication. It is based on all three authentication factors.

A smart card is a credit-card-sized plastic card embedded with a microprocessor that can be programmed with specific information about the card owner, such as personal biometric data, medical history, and cryptographic keys for authentication, etc. The microprocessor has both computational power and memory capacity. It processes data and grants other devices access to the data on the card.

In a smart card authentication system, the smart card is treated as an active computing device. The card communicates with the host, which then determines whether the card presents the appropriate credentials or requirements to conduct a transaction in the system. The process confirms identity and authenticates the cardholder.

Smart cards can potentially be applied to many areas, such as credit card transactions, banking, government identification, and so on. For example, in Germany, smart cards are used for health insurance. Smart cards improve the convenience of security transactions. They provide tamper-proof storage of user identity and support secure exchange of data throughout virtually any type of network.

WARNING: Some information in the smart card can be vulnerable to attack by hackers, and attacks can happen when data is being transmitted between the card and the host.

Related Links

Card Technology [1]: A bimonthly magazine that deals with smart card, payment, and identification technologies.

International Biometric Group [2]: A biometric solutions provider, as well as conference organizer and a leader in the field.

Biometric Consortium [3]: The biometric consortium dealing with research, development, testing, evaluation, and application of biometric technology.

Biometrics.gov [4]: A government-sponsored database on biometric information and reports.

Authentication Models

In general, all authentication systems are based on using secret information (e.g., passwords or cryptographic keys) known only to, or possessed by, participants of communications to determine identities and message integrity. Authentication methods focus on how to represent a participant's identity, whereas authentication models are concerned with how two parties in a communication interact and prove each other's identity.

The following authentication models use password-based authentication: basic authentication, Kerberos protocol, and public key cryptography.

Basic Authentication

A basic authentication scheme is based on the model that the user supplies an ID and password to the server in order to be authenticated. The server validates the user ID and password before authorizing the request. There are no other authentication parameters involved.

Basic authentication assumes that the connection between the client and the server is safe, thus no encryption is used and all transactions are conducted in clear text. This is vulnerable to eavesdroppers monitoring network traffic with sniffing tools. Captured passwords can be used later by a hacker to illegally log on to the server. This is known as a replay attack. A better approach is to encrypt the password before sending it to the server for verification.

The one-time password (OTP) system is designed to eliminate the possibility of replay attack. In an OTP system, a series of one-time passwords are generated, but only one of them is used each time, and it should never be used again. The OTP system will be explored later.
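To make the two points above concrete, here is an added example that is not part of the lesson. The first half shows why basic authentication over an unprotected connection exposes the password: the HTTP Basic header carries the credentials in a reversible base64 encoding, so a monitoring party reads them back directly. The second half is a counter-based one-time password (the HOTP construction of RFC 4226, a design choice assumed here; the lesson does not specify which OTP scheme it will cover) with a server that accepts each code once, so a captured code cannot be replayed. Names, secret and credentials are constructed.

```python
import base64
import hashlib
import hmac
import struct


def basic_auth_header(user_id: str, password: str) -> str:
    """Client side of HTTP Basic authentication: base64 is encoding, not encryption."""
    token = base64.b64encode(f"{user_id}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def credentials_visible_on_wire(header: str) -> tuple[str, str]:
    """What a party monitoring an unencrypted link sees: the credentials themselves."""
    token = header.split("Basic ", 1)[1]
    user_id, password = base64.b64decode(token).decode().split(":", 1)
    return user_id, password


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password: HMAC-SHA1 truncated as in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Accepts each one-time password once, then advances to the next counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0
        self.used: set[str] = set()

    def login(self, code: str) -> bool:
        expected = hotp(self.secret, self.counter)
        # A code seen before is rejected even if it would otherwise match.
        if code in self.used or not hmac.compare_digest(code, expected):
            return False
        self.used.add(code)
        self.counter += 1
        return True


def demo() -> dict[str, bool]:
    """Basic-auth exposure, then OTP first use, replay and next use."""
    header = basic_auth_header("alice", "s3cret")
    sniffed = credentials_visible_on_wire(header)

    secret = b"constructed-otp-seed-for-alice"  # shared at enrollment
    server = OtpServer(secret)
    client_counter = 0
    first = hotp(secret, client_counter)
    client_counter += 1

    return {
        "basic_password_recovered": sniffed == ("alice", "s3cret"),
        "otp_first_use": server.login(first),          # accepted
        "otp_replay": server.login(first),             # rejected: already used
        "otp_next": server.login(hotp(secret, client_counter)),  # accepted
    }


if __name__ == "__main__":
    print(demo())
```

The OTP still depends on a shared secret and a counter that both sides keep in step; the replay protection comes from the server refusing any code it has already accepted, not from hiding the code on the wire.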

Kerberos Protocol

Kerberos is a network authentication protocol that supports more robust and trustworthy authentication in highly networked and distributed environments. It relies on the use of the symmetric cryptography technique (i.e., DES) to protect authenticating information as it travels across the network. In the Kerberos system, the secret information used for authentication is never transmitted unencrypted and is never seen by a recipient. Therefore, it can prevent password attacks such as eavesdropping and replay, and it can ensure data integrity. More will be discussed about Kerberos later.

Public-Key Cryptography

Public-key cryptography is a form of cryptography that allows users to communicate securely through the use of a public key and private key pair. The private key is kept secret while the public key is made publicly available.

The following are some applications using public key cryptography:

- Public-key encryption: Keeps a message unreadable by anyone who does not possess the correct private key.
- Public-key one-time password system: Generates one-time passwords based on a method known as challenge response.
- Public-key digital signature: Allows anyone to validate that a message was created with a specific private key.

Lesson Wrap-Up

Access to most computer systems today is controlled by using an authentication procedure before access is allowed. Authentication technology is an important component in an application's security model. It provides reliable verification of the identity of a person and the origin and integrity of a communication.

Different companies have different security requirements for authentication. It is sensible to use a stronger and more secure authentication solution to protect mission-critical services and trade secrets. In this lesson, we have learned that authentication can be achieved using different methods and models. We will discuss these methods and models in more detail in the next few lessons.

After reading this lesson, you should be able to:


- Explain identity authentication and provide an example.
- Explain message authentication and provide an example.
- Discuss different authentication methods for proving identity.
- Describe different authentication models.

Source URL: https://online.ist.psu.edu/ist554/lesson1understanding

Links:
[1] http://www.cardtechnology.com/
[2] http://www.biometricgroup.com/
[3] http://www.biometrics.org/
[4] http://www.biometrics.gov/
