Unit 3 Authentication

The document discusses various methods of authentication used in cryptography. It describes authentication as verifying a user's identity by comparing credentials to an authorized database. Common authentication factors include something you know (e.g. passwords), have (e.g. smart cards), or are (e.g. fingerprints). Password authentication works by prompting for and validating a user ID and password. Dictionary attacks try common words to crack passwords. The document also covers challenge-response protocols, biometric authentication using fingerprints or iris scans, and best practices to defend against attacks like refreshing passwords regularly.

Uploaded by

architaritucse
Cryptography

Unit-5: Authentication
• Authentication is the process of recognizing a user’s identity. It is the mechanism of
associating an incoming request with a set of identifying credentials. The credentials
provided are compared to those stored in a database of authorized users’ information,
either on a local operating system or within an authentication server.
• Authentication is the process of determining whether a user (or other entity) should be
allowed access to a system.
• Only authenticated users are allowed access to system resources.
• Note that authentication is a binary decision (access is granted or it is not), while
authorization is all about a more fine-grained set of restrictions on access to various
system resources.
❖ Authentication: Are you who you say you are?
❖ Authorization: Are you allowed to do that?

Authentication System

⎯ Technique that provides access control for systems by checking to see if a user's
credentials match the credentials in a database of authorized users or in a data
authentication server.
⎯ Authentication is any process by which a system verifies the identity of a user who
wishes to access it

Three Factors in Authentication System:

a. Something you know
⎯ Passwords/Secret key
b. Something you have
⎯ Secure tokens/smart card/ATM card
c. Something you are
⎯ Biometrics (e.g. fingerprint)

Compiled By: Krishna Bhandari http://genuinenotes.com



Password-Based Authentication
⎯ A password is a string of letters, numbers and special characters, which is supposed
to be known only to the entity (usually a person) that is being authenticated.

⎯ Prompt for user ID and Password
⎯ User enters user ID and Password
⎯ User ID and Password Validation
⎯ Authentication Result
⎯ Inform user accordingly
▪ Passwords are often stored as a hash value of the original password.

Dictionary Attack

⎯ A type of brute force attack where an intruder attempts to crack a password-protected
security system with a “dictionary list” of common words and phrases
used by businesses and individuals.
⎯ A dictionary attack is a password attack that attempts to determine a password by
trying words from a predefined list, or dictionary, of likely passwords.
⎯ Dictionary attacks often succeed because many people have a tendency to choose
short passwords that are ordinary words or common passwords, or simple variants
obtained, for example, by appending a digit or punctuation character. Dictionary
attacks are relatively easy to defeat, e.g. by using a passphrase or otherwise
choosing a password that is not a simple variant of a word found in any dictionary
or listing of commonly used passwords.


Best practices to defend against dictionary and brute-force attacks


Using a strong, uncommon password will make an attacker's job more difficult, but not
impossible.

Some tricks to prevent such attacks are as follows:

Slow down repeated logins: This is the simplest countermeasure available. An end user
is unlikely to notice a 0.1 second delay while logging in, but that delay would accumulate
quickly for an attacker, especially if they cannot parallelize their attempts.

Force captchas after multiple failed logins: While a user could have simply forgotten
which password they used for the account, this will help slow down an attacker
significantly. This is a strong deterrent, as modern captchas are difficult to defeat
with computers. Many captchas need manual input in order to be solved.

Lock accounts: Even better, a system can be configured to lock an account after a
specified number of attempted logins. Many websites will trigger additional protections for
accounts with repeated bad password attempts. In the extreme case, for example, an iPhone
will self-destruct (wipe all data) after 10 tries.

Refresh passwords: Modern systems typically require users to cycle passwords regularly.
Some corporate environments require users to change passwords every 90 days, or maybe
even every 30 days. The rationale behind this is that an attacker who is attempting a
brute-force attack against a complex password would need weeks to succeed. If the password
changes during that time frame, the attacker will need to start over. However, as many
users would confess, these strict password requirements can backfire, with users choosing
weaker, sequential passwords ('longhorns2018', 'longhorns2019', and so on). An attacker
would quickly try incrementing the password.
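
As an added illustration (not part of the original notes), the following Python sketch combines three of the countermeasures above: a delay that grows after each failed login, account lockout, and salted password hashes. The threshold of 5 failures, the PBKDF2 parameters and the `LoginGuard` class are assumptions made for the example.

```python
import hashlib, hmac, os

MAX_FAILURES = 5     # assumed lockout threshold (not from the notes)
BASE_DELAY = 0.1     # seconds; the 0.1 s delay from the text, doubled per failure

def hash_password(password, salt=None):
    """Return (salt, digest): a salted, deliberately slow hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class LoginGuard:
    def __init__(self, clock):
        self.clock = clock        # injected clock, so tests need no real waiting
        self.users = {}           # user -> (salt, digest)
        self.failures = {}        # user -> consecutive failed attempts
        self.next_allowed = {}    # user -> earliest time of the next attempt

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def login(self, user, password):
        now = self.clock()
        fails = self.failures.get(user, 0)
        if fails >= MAX_FAILURES:
            return "locked"                      # stays locked until an admin reset
        if now < self.next_allowed.get(user, 0.0):
            return "throttled"                   # too soon after the last failure
        # Unknown users get a dummy record so both paths cost one hash.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            self.failures[user] = 0
            return "ok"
        self.failures[user] = fails + 1
        self.next_allowed[user] = now + BASE_DELAY * 2 ** fails
        return "locked" if fails + 1 >= MAX_FAILURES else "denied"

if __name__ == "__main__":
    t = [0.0]
    guard = LoginGuard(lambda: t[0])
    guard.register("alice", "correct horse battery staple")
    print(guard.login("alice", "longhorns2018"))   # denied
    print(guard.login("alice", "longhorns2019"))   # throttled
```

A legitimate user sees at most a fraction of a second of delay, while every further guess against the same account costs twice as long as the previous one until the account locks.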

Challenge Response System


⎯ Challenge Response Authentication Mechanism (CRAM) is the most often
used way to authenticate actions. Challenge-response mechanisms are a group of
protocols in which one side presents a challenge (to be answered) and the other
side must present a correct answer (to be checked/validated) to the challenge in
order to get authenticated.

The following protocol is a challenge-and-response protocol. In it, we assume that Alice is
identifying herself to Bob, and their common secret key is denoted by K. (Bob can also
identify himself to Alice, by interchanging the roles of Alice and Bob in the scheme.) In
this scheme, Bob sends a challenge to Alice, and then Alice sends Bob her response.

However, this protocol is insecure because of the parallel session attack.


In a parallel session attack, Oscar impersonates Alice. The attack is depicted in the following
figure.

Within the first session (in which it is supposed that Oscar is impersonating Alice to Bob),
Oscar initiates a second session in which he asks Bob to identify himself. This second
session is boxed in the above figure.

In this second session, Oscar gives Bob the same challenge that he received from Bob in
the first session.

Once he receives Bob’s response, Oscar resumes the first session, in which he relays Bob’s
response back to him. Thus Oscar is able to successfully complete the first session.

The following is the secure challenge-response protocol:


Note: A scheme in which Alice and Bob are both proving their identities to each other is called
mutual authentication or mutual identification. Both participants are required to “accept” if a
session of the scheme is to be considered a successfully completed session.
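
The protocol figures are not reproduced on this page, so the added example below (not from the original notes) assumes that the response is a MAC of the challenge under K, and that the secure variant also covers the responder's identity in the MAC. It shows why a response obtained from Bob in a second session is accepted by Bob in the first case and rejected in the second. The `Party` class and the function names are hypothetical.

```python
import hashlib, hmac, os

K = os.urandom(32)   # common secret key K of Alice and Bob (constructed)

def mac(key, *parts):
    # Length-prefix each field so different field splits cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Party:
    """Holds K and can act as verifier (challenge/verify) or prover (respond)."""
    def __init__(self, name, key, bind_identity):
        self.name, self.key, self.bind_identity = name, key, bind_identity

    def challenge(self):
        self.r = os.urandom(16)          # fresh random challenge r
        return self.r

    def respond(self, r):
        if self.bind_identity:
            return mac(self.key, self.name, r)   # assumed secure form: MAC over ID || r
        return mac(self.key, r)                  # assumed weak form: MAC over r only

    def verify(self, claimed, y):
        if self.bind_identity:
            expected = mac(self.key, claimed, self.r)
        else:
            expected = mac(self.key, self.r)
        return hmac.compare_digest(expected, y)

def honest_run_accepted(bind_identity):
    alice = Party(b"Alice", K, bind_identity)
    bob = Party(b"Bob", K, bind_identity)
    return bob.verify(b"Alice", alice.respond(bob.challenge()))

def reflected_response_accepted(bind_identity):
    """Model of the parallel session: the peer claiming to be Alice holds no key
    and can only hand Bob's own answer to r back to him."""
    bob = Party(b"Bob", K, bind_identity)
    r = bob.challenge()              # first session: Bob challenges "Alice"
    y = bob.respond(r)               # second session: Bob answers the same r
    return bob.verify(b"Alice", y)   # first session resumes with the relayed y

if __name__ == "__main__":
    for bind in (False, True):
        print(bind, honest_run_accepted(bind), reflected_response_accepted(bind))
```

With the identity bound into the MAC, Bob's own response says "Bob" where the verifier expects "Alice", so the relayed value no longer verifies while the honest run still does.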

Biometric System
(Fingerprint, face recognition, eye retina and iris recognition etc)

• Biometrics represent the "something you are" method of authentication
o “you are your key”
• There are many different types of biometrics, including such long-established methods as
fingerprints.
o Recently, biometrics based on speech recognition, gait (walking) recognition, and
even a digital doggie (odor recognition) have been developed.
• Biometrics are currently a very active topic for research

In the information security arena, biometrics are seen as a more secure alternative to
passwords. For biometrics to be a practical replacement for passwords, cheap and reliable
systems are needed. Today, usable biometric systems exist, including laptops/smartphones
using thumbprint authentication, palm print systems for secure entry into restricted
facilities, the use of fingerprints to unlock car doors, and so on. But given the potential of
biometrics—and the well-known weaknesses of password-based authentication—it's
perhaps surprising that biometrics are not more widely used.

An ideal biometric would satisfy all of the following:

Universal — A biometric should apply to virtually everyone. In reality, no biometric
applies to everyone. For example, a small percentage of people do not have readable
fingerprints.

Distinguishing — A biometric should distinguish with virtual certainty. In reality, we can't
hope for 100% certainty, although, in theory, some methods can distinguish with very low
error rates.

Permanent — Ideally, the physical characteristic being measured should never change.
In practice, it's sufficient if the characteristic remains stable over a reasonably long period
of time.

Collectable — The physical characteristic should be easy to collect without any potential
to cause harm to the subject. In practice, collectability often depends heavily on whether
the subject is cooperative or not.

Reliable, robust, and user-friendly — These are just some of the additional real-world
considerations for a practical biometric system. Some biometrics that have shown promise
in laboratory conditions have subsequently failed to deliver similar performance in
practice.

Two phases to a biometric system

There are two phases to a biometric system which are:

1. Enrollment phase
2. Recognition phase
o First, there is an enrollment phase, where subjects have their biometric information gathered
and entered into a database.
▪ Typically, during this phase very careful measurement of the pertinent physical
information is required. Since this is one-time work (per subject), it's acceptable if the
process is slow and multiple measurements are required. In some fielded systems,
enrollment has proven to be a weak point since it may be difficult to obtain results that
are comparable to those obtained under laboratory conditions.
o The second phase in a biometric system is the recognition phase. This occurs when the
biometric detection system is used in practice to determine whether (for the authentication
problem) to authenticate the user or not.
▪ This phase must be quick, simple, and accurate.


The Needham-Schroeder Scheme


▪ One of the first session key distribution schemes is the Needham-Schroeder SKDS (session
key distribution scheme), which was proposed in 1978.

Figure: Needham-Schroeder Scheme

The Steps in this scheme are as follows:


In flow 1, Alice asks the TA for a session key to communicate with Bob. At this point, Bob might
not even be aware of Alice’s request.

The TA transmits the encrypted session key to Alice in flow 2, and Alice sends an encrypted
session key to Bob in flow 3.

Thus flows 1–3 of Needham-Schroeder comprise the session key distribution: the session key K
is encrypted using the secret keys of Alice and Bob and it is distributed to both of them.

The purpose of flows 4 and 5 is to convince Bob that Alice actually possesses the session key K.
This is accomplished by having Alice use the new session key to encrypt the challenge rB - 1; the
process is called key confirmation (from Alice to Bob).


• There are some validity checks required in the Needham-Schroeder SKDS, where the term
validity check refers to verifying that decrypted data has the correct format and contains
expected information. (Note that there are no message authentication codes being used in
the Needham-Schroeder SKDS.) These validity checks are as follows:

The Denning-Sacco Attack on the NS Scheme


• In 1981, Denning and Sacco discovered a replay attack on the Needham-Schroeder SKDS.
⎯ Suppose Oscar records a session, say S, of the Needham-Schroeder SKDS scheme
between Alice and Bob, and somehow he obtains the session key, K, for the session
S. (This attack model is called a “known session key attack.”) Then Oscar can
initiate a new session, say S′, of the Needham-Schroeder SKDS with Bob, starting
with the third flow of the session S′, by sending the previously used ticket, tBob, to
Bob:


Let’s consider the consequences of this attack. At the end of the session S′ between Oscar and Bob,
Bob thinks he has a “new” session key, K, shared with Alice (this is because ID(Alice) occurs in
the ticket tBob). This key K is known to Oscar, but it may not be known to Alice, because Alice
might have thrown away the key K after the previous session with Bob, namely S, terminated.
Hence, there are two ways in which Bob is deceived by this attack:

1. The key K that is distributed in the session S′ is not known to Bob’s intended peer,
Alice.
2. The key K for the session S′ is known to someone other than Bob’s intended peer
(namely, it is known to Oscar).

Kerberos
❖ Kerberos is a computer-network authentication protocol that works on the basis
of tickets to allow nodes communicating over a non-secure network to prove their identity
to one another in a secure manner. The protocol was named after the
character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard
dog of Hades. Its designers aimed it primarily at a client–server model and it
provides mutual authentication—both the user and the server verify each other's identity.
Kerberos protocol messages are protected against eavesdropping and replay attacks.
❖ Kerberos requires a trusted third party, and may use public-key cryptography during
certain phases of authentication

Kerberos comprises a popular series of schemes for session key distribution that were developed
at MIT in the late 1980s and early 1990s.

A simplified treatment of version five of the scheme is discussed here.


This is presented as follows:


The following diagram depicts the four flows in a session of the scheme:

❖ As was the case with Needham-Schroeder, there are certain validity checks required in
Kerberos. These are as follows:


❖ When a request for a session key is sent by Alice to the TA, the TA will generate a new
random session key K.

As well, the TA will specify the lifetime, L, during which K will be valid. That is, the
session key K is to be regarded as a valid key until time L. All this information is encrypted
before it is transmitted to Alice.

❖ Alice can use her secret key to decrypt y1, and thus obtain K and L. She will verify that the
current time is within the lifetime of the key and that y1 contains Alice’s random challenge,
rA. She can also verify that y1 contains ID(Bob), where Bob is Alice’s intended peer. These
checks prevent Oscar from replaying an “old” y1, which might have been transmitted by
the TA in a previous session.
❖ Next, Alice will relay tBob to Bob. As well, Alice will use the new session key K to encrypt
the current time (denoted by time) and ID(Alice). Then she sends the resulting ciphertext
y2 to Bob.


❖ When Bob receives tBob and y2 from Alice, he decrypts tBob to obtain K, L, and ID(Alice).
Then he uses the new session key K to decrypt y2 and he verifies that ID(Alice), as
decrypted from tBob and y2, are the same. This assures Bob that the session key encrypted
within tBob is the same key that was used to encrypt y2. He should also check that time <=
L to verify that the key K has not expired.
❖ Finally, Bob encrypts the value time+1 using the new session key K and sends the result
back to Alice. When Alice receives this message, y3, she decrypts it using K and verifies
that the result is time + 1. This assures Alice that the session key K has been successfully
transmitted to Bob, since K is needed in order to produce the message y3

Note: The purpose of the lifetime L is to prevent an active adversary from storing “old”
messages for retransmission at a later time, as was done in the Denning-Sacco attack on
the Needham-Schroeder SKDS. One of the drawbacks of Kerberos is that all the users in
the network should have synchronized clocks, since the current time is used to determine
if a given session key K is valid. In practice, it is very difficult to provide perfect
synchronization, so some amount of variation in times must be allowed.
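
The validity checks described above, written out as an added Python example (not from the original notes). The `seal`/`unseal` pair is a toy authenticated cipher built from the standard library as a stand-in for real encryption; the message field names, the 300-second lifetime, and Bob's extra comparison against his own clock with a 5-second allowance are assumptions.

```python
import hashlib, hmac, json, os

SKEW = 5  # seconds of clock variation Bob tolerates (assumed value)

def seal(key, obj):
    # Toy authenticated encryption (SHAKE-256 keystream + HMAC tag), not a real cipher.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    body = nonce + bytes(a ^ b for a, b in zip(pt, ks))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    ks = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], ks)))

def ta_issue(keys, alice, bob, r_a, now, lifetime=300):
    K, L = os.urandom(32).hex(), now + lifetime      # fresh session key, expiry L
    y1 = seal(keys[alice], {"rA": r_a, "peer": bob, "K": K, "L": L})
    t_bob = seal(keys[bob], {"K": K, "id": alice, "L": L})
    return y1, t_bob

def alice_accept_y1(k_alice, y1, r_a, bob, now):
    m = unseal(k_alice, y1)
    if m["rA"] != r_a or m["peer"] != bob or now > m["L"]:
        raise ValueError("y1 rejected: replayed, wrong peer, or expired")
    return bytes.fromhex(m["K"])

def bob_accept(k_bob, t_bob, y2, now):
    t = unseal(k_bob, t_bob)
    K = bytes.fromhex(t["K"])
    a = unseal(K, y2)
    if a["id"] != t["id"]:
        raise ValueError("ID(Alice) in y2 differs from the ticket")
    if a["time"] > t["L"]:
        raise ValueError("session key expired (time > L)")
    if abs(now - a["time"]) > SKEW:   # assumption: Bob also checks his own clock
        raise ValueError("timestamp outside allowed clock skew")
    return K, seal(K, {"time": a["time"] + 1})        # y3

def demo():
    keys = {"Alice": os.urandom(32), "Bob": os.urandom(32)}  # constructed keys
    r_a, now = os.urandom(8).hex(), 1000
    y1, t_bob = ta_issue(keys, "Alice", "Bob", r_a, now)
    K = alice_accept_y1(keys["Alice"], y1, r_a, "Bob", now)
    _, y3 = bob_accept(keys["Bob"], t_bob, seal(K, {"id": "Alice", "time": now}), now)
    confirmed = unseal(K, y3)["time"] == now + 1     # Alice's check on y3
    late = now + 3600                                # old ticket resent after L
    try:
        bob_accept(keys["Bob"], t_bob, seal(K, {"id": "Alice", "time": late}), late)
        return confirmed, True
    except ValueError:
        return confirmed, False
```

`demo()` returns `(True, False)`: the honest session completes key confirmation, while the old ticket presented after its lifetime is refused even when the session key K is known, which is the situation of the Denning-Sacco attack.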
