Le Trong Ngoc

Security Fundamentals

Entity Authentication Mechanisms

4/2011

1.2

4-1 Continued

Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.

1.3

4-1 Continued

There are two differences between message authentication (data-origin authentication) and entity authentication, discussed in this chapter.

1) Message authentication might not happen in real time; entity authentication does.

2) Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.

1.4

4-1 Continued

Something known

Something possessed

Something inherent

1.5

4-2 PASSWORDS

The simplest and oldest method of entity authentication is the password-based authentication, where the password is something that the claimant knows.

1.6

4-2 Continued

First Approach

User ID and password file

1.7

4-2 Continued

Hashing the password

Second Approach

1.8

4-2 Continued

Third Approach

Salting the password

1.9

4-2 Continued

Fourth ApproachIn the fourth approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).

1.10

4-2 Continued

One-Time PasswordFirst ApproachIn the first approach, the user and the system agree upon a list of passwords.

Second ApproachIn the second approach, the user and the system agree to sequentially update the password.

Third ApproachIn the third approach, the user and the system create a sequentially updated password using a hash function.

1.11

4-2 Continued

Lamport one-time password

1.12

4-3 CHALLENGE-RESPONSE

In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.

1.13

4-3 Continued

In challenge-response authentication, the claimant proves that she knows a secret without sending it to

the verifier.

The challenge is a time-varying value sent by the verifier; the response is the result

of a function applied on the challenge.

1.14

4-3 Continued

First Approach

Nonce challenge

1.15

4-3 Continued

Second Approach

Timestamp challenge

1.16

4-3 Continued

Third Approach.

Bidirectional authentication

1.17

4-3 Continued

Instead of using encryption/decryption for entity authentication, we can also use a keyed-hash function (MAC).

Keyed-hash function

Using Keyed-Hash Functions

1.18

4-3 Continued

First Approach

Unidirectional, asymmetric-key authentication

Using an Asymmetric-Key Cipher

1.19

4-3 Continued

Second Approach

Bidirectional, asymmetric-key

1.20

4-3 Continued

Using Digital Signature

First Approach

Digital signature, unidirectional

1.21

4-3 Continued

Second Approach

Digital signature, bidirectional authentication

1.22

4-4 ZERO-KNOWLEDGE

In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret.

Fiat-Shamir ProtocolFeige-Fiat-Shamir ProtocolGuillou-Quisquater Protocol

1.23

4-4 Continued

Fiat-Shamir protocol

1.24

4-4 Continued

Cave Example

1.25

4-4 Continued

Feige-Fiat-Shamir protocol

1.26

4-4 Continued

Guillou-Quisquater protocol

1.27

4-4 Continued

Guillou-Quisquater protocol

1.28

4-5 BIOMETRICS

Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared.

ComponentsEnrollmentAuthenticationTechniquesAccuracyApplications

1.29

4-5 Continued

Several components are needed for biometrics, including capturing devices, processors, and storage devices..

Components

1.30

4-5 Continued

Before using any biometric techniques for authentication, the corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.

Enrollment

1.31

4-5 Continued

Authentication

Verification

Identification

1.32

4-5 Continued

Techniques

1.33

4-5 Continued

Physiological Techniques

Fingerprint

Iris

Retina

Face

Hands

Voice

DNA

1.34

4-5 Continued

Behavioral Techniques

Signature

Keystroke

1.35

4-5 Continued

Accuracy

False Rejection Rate (FRR)

False Acceptance Rate (FAR)

1.36

4-5 Continued

Several applications of biometrics are already in use. In commercial environments, these include access to facilities, access to information systems, transaction at point-ofsales, and employee timekeeping. In the law enforcement system, they include investigations (using fingerprints or DNA) and forensic analysis. Border control and immigration control also use some biometric techniques.

Applications