Lecture 08

Cryptography and Network Security

Chapter 15: User Authentication

User Authentication

• fundamental security building block
• basis of access control & user accountability
• is the process of verifying an identity claimed by or for a system entity
• has two steps:
  • identification - specify identifier
  • verification - bind entity (person) and identifier
• distinct from message authentication
Means of User Authentication

• Generally authentication requires the presentation of credentials or items of value to really prove the claim of who you are.
• four means of authenticating a user's identity
• based on something the individual
  • knows - e.g. password, PIN
  • has - e.g. key, token, smartcard
  • is (static biometrics) - e.g. fingerprint, retina
  • does (dynamic biometrics) - e.g. voice, sign
• can use alone or combined
• all can provide user authentication
• all have issues
Means of User Authentication

• Something you know: This may be something you mentally possess. This could be a password, a secret word known by the user and the authenticator.
• Something you have: This may be any form of issued or acquired self-identification such as:
  • SecurID
  • CryptoCard
  • Activcard
  • SafeWord
  • and many other forms of cards and tags.
• Something you are: This being a naturally acquired physical characteristic such as voice, fingerprint, iris pattern and other biometrics.
• Somewhere you are: This usually is based on either the physical or the logical location of the user. The user, for example, may be on a terminal that can be used to access certain resources.
Forms of Authentication

• In general authentication takes one of the following three forms:
  • Basic authentication involving a server. The server maintains a user file of either passwords and user names or some other useful piece of authenticating information. This information is always examined before authorization is granted.
  • Challenge-response, in which the server or any other authenticating system generates a challenge to the host requesting authentication and expects a response.
  • Centralized authentication, in which a central server authenticates users on the network and in addition also authorizes and audits them.
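A minimal verifier for the challenge-response form described above, added here as an illustration (not code from the slides or from Kizza). It assumes a shared secret per user, binds the response to both the user name and a one-time random nonce with HMAC-SHA256, and refuses a consumed or expired challenge so that a captured response cannot be replayed.

```python
import hashlib
import hmac
import os


def compute_response(secret: bytes, user: str, nonce: bytes) -> bytes:
    # Client side: the response depends on the identity AND the fresh challenge,
    # so a response recorded for one nonce is useless for any other.
    return hmac.new(secret, user.encode() + b"|" + nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Verifier side: holds each user's shared secret and the challenges it issued."""

    def __init__(self, secrets: dict, ttl: int = 30):
        self.secrets = secrets   # user -> shared secret (constructed sample data in tests)
        self.pending = {}        # nonce -> (user, time issued)
        self.ttl = ttl           # seconds a challenge stays valid (assumed value)

    def challenge(self, user: str, now: int) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = (user, now)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes, now: int) -> bool:
        # pop() makes every nonce single-use: a replayed response finds no entry.
        issued = self.pending.pop(nonce, None)
        if issued is None or issued[0] != user or now - issued[1] > self.ttl:
            return False
        if user not in self.secrets:
            return False
        expected = compute_response(self.secrets[user], user, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)
```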
Multiple Factors and Effectiveness of Authentication

• To increase authentication effectiveness, a scheme with multiple methods is used. Systems using a scheme with two or more methods can result in greater system security.
• The popular technique, referred to as multi-factor authentication, overcomes the limitations of any single authentication method.
Authentication Elements

• An authentication process is based on the following five elements:
  • Person or Group Seeking Authentication - usually users who seek access to a system either individually or as a group. If individually, they must be prepared to present to the authenticator evidence to support the claim that they are actually authorized to use the requested system resource.
  • Distinguishing Characteristics for Authentication - User characteristics are grouped into four factors that include: something you know, something you have, something you are, and a weaker one, somewhere you are. In each of these factors, there are items that a user can present to the authenticator for authorization to use the system.
Authentication Elements

  • The Authenticator - to positively and sometimes automatically identify the user and indicate whether that user is authorized to access the requested system resource.
  • The Authentication Mechanism - consists of three parts that work together to verify the presence of the authenticating characteristics provided by the user:
    • the input,
    • the transportation system,
    • and the verifier.
  • Access Control Mechanism - User identifying and authenticating information is passed to access control from the transport component. That information is validated against the information in its database residing on a dedicated authentication server, if the system operates in a network, or stored in a file on a local medium.
Types of Authentication

• There are two basic types of authentication: non-repudiable and repudiable. Other types of authentication include user, client, and session authentication.
  • Non-repudiable Authentication - involves characteristics whose proof of origin cannot be denied. Such characteristics include biometrics like iris patterns, retinal images, and hand geometry, and they positively verify the identity of the individual.
  • Repudiable Authentication - involves the factors "what you know" and "what you have", which can present problems to the authenticator because the information presented can be unreliable: such factors suffer from several well-known problems, including the fact that possessions can be lost, forged, or easily duplicated.

Kizza - Guide to Computer Network Security


Authentication Methods

• There are several authentication methods including: password, public-key, anonymous, remote and certificate-based authentication.
  • Password authentication - the oldest and the easiest to implement. It includes reusable passwords, one-time passwords, challenge-response passwords, and combined-approach passwords.
  • Public Key Authentication - This requires each user of the scheme to first generate a pair of keys and store each in a file. Each key is usually between 1024 and 2048 bits in length. Public-private key pairs are typically created using a key generation utility. The server knows the user's public key because it is published widely. However, only the user has the private key.
Authentication Methods

  • Anonymous Authentication - Clients who do not intend to modify entries or access protected attributes or entries on a system typically use anonymous authentication. Mostly these users are not indigenous users, in the sense that they do not have membership in the system they want to access. They access the system via a special "anonymous" account.
  • Digital Signature-Based Authentication - is an authentication technique that does not require passwords and user names. It consists of an electronic signature that uses public key infrastructure (PKI) to verify the identity of the sender of a message or of the signer of a document. The scheme may include a number of algorithms and functions including the Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), account authority digital signature, authentication function, and signing function.
Authentication Protocols

• used to convince parties of each other's identity and to exchange session keys
• may be one-way or mutual
• key issues are
  • confidentiality - to protect session keys
  • timeliness - to prevent replay attacks
One-Way Authentication

• required when sender & receiver are not in communication at the same time (e.g. email)
• have header in clear so it can be delivered by the email system
• may want contents of body protected & sender authenticated
Using Symmetric Encryption

• as discussed previously, can use a two-level hierarchy of keys
• usually with a trusted Key Distribution Center (KDC)
  • each party shares own master key with KDC
  • KDC generates session keys used for connections between parties
  • master keys used to distribute these to them
Kerberos

• trusted key server system from MIT
• provides centralised private-key third-party authentication in a distributed network
  • allows users access to services distributed through network
  • without needing to trust all workstations
  • rather all trust a central authentication server
• two versions in use: 4 & 5
Kerberos Requirements

• its first report identified requirements as:
  • secure
  • reliable
  • transparent
  • scalable
• implemented using an authentication protocol based on Needham-Schroeder
Kerberos v4 Overview

• a basic third-party authentication scheme
• have an Authentication Server (AS)
  • users initially negotiate with AS to identify self
  • AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
• have a Ticket Granting Server (TGS)
  • users subsequently request access to other services from TGS on the basis of the user's TGT
• using a complex protocol based on DES

Kerberos v4 Dialogue (figure)

Kerberos 4 Overview (figure)
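A simplified model of the AS/TGS/service dialogue summarised above, added as an illustration (not the MIT code and not from the slides). It assumes a toy authenticated cipher built from SHA-256 and HMAC in place of DES, folds AS and TGS into one KDC object, uses an assumed 300-second ticket lifetime, and omits the final authenticator sent to the application server; the point it shows is that the client can carry the TGT and service ticket but cannot read or forge them, and that stale tickets are rejected.

```python
import hashlib, hmac, json, os

LIFETIME = 300  # ticket lifetime in seconds (constructed value, not from the slides)

def _ks(key, nonce, n):
    # Keystream for the toy cipher: SHA-256(key || nonce || counter) blocks.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption standing in for Kerberos v4's DES (assumption)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

class KDC:
    """AS and TGS in one process; holds every principal's master key."""
    def __init__(self, master):
        self.master = master
    def as_exchange(self, client, now):
        # The TGT is sealed under the TGS key, so the client can carry but not alter it;
        # only the session key and the opaque TGT are sealed under the client's key.
        k = os.urandom(32).hex()
        tgt = seal(self.master["tgs"], {"client": client, "key": k, "ts": now})
        return seal(self.master[client], {"key": k, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.master["tgs"], tgt)
        if now - t["ts"] > LIFETIME:
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves client holds K_c,tgs
        if a["client"] != t["client"] or abs(now - a["ts"]) > 60:
            raise ValueError("authenticator does not match TGT or is stale")
        k = os.urandom(32).hex()
        ticket = seal(self.master[service], {"client": t["client"], "key": k, "ts": now})
        return seal(bytes.fromhex(t["key"]), {"key": k, "ticket": ticket.hex()})

def access_service(kdc, client, client_key, service, now):
    """Full client run AS -> TGS -> service; returns the name the service accepted."""
    creds = unseal(client_key, kdc.as_exchange(client, now))
    auth = seal(bytes.fromhex(creds["key"]), {"client": client, "ts": now})
    svc = unseal(bytes.fromhex(creds["key"]),
                 kdc.tgs_exchange(bytes.fromhex(creds["tgt"]), auth, service, now))
    # The application server trusts only what decrypts under its own master key.
    ticket = unseal(kdc.master[service], bytes.fromhex(svc["ticket"]))
    if now - ticket["ts"] > LIFETIME:
        raise ValueError("service ticket expired")
    return ticket["client"]
```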
Kerberos Realms

• a Kerberos environment consists of:
  • a Kerberos server
  • a number of clients, all registered with server
  • application servers, sharing keys with server
• this is termed a realm
  • typically a single administrative domain
• if have multiple realms, their Kerberos servers must share keys and trust

Kerberos Realms (figure)
Kerberos Version 5

• developed in the mid-1990s
• specified as Internet standard RFC 1510
• provides improvements over v4
  • addresses environmental shortcomings
    • encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
  • and technical deficiencies
    • double encryption, non-std mode of use, session keys, password attacks

Kerberos v5 Dialogue (figure)
Remote User Authentication

• in Ch 14 saw use of public-key encryption for session key distribution
  • assumes both parties have other's public keys
  • may not be practical
• have Denning protocol using timestamps
  • uses central authentication server (AS) to provide public-key certificates
  • requires synchronized clocks
• have Woo and Lam protocol using nonces
  • care needed to ensure no protocol flaws
One-Way Authentication

• have public-key approaches for email
  • encryption of message for confidentiality, authentication, or both
  • must know public keys
  • using costly public-key alg on long message
• for confidentiality encrypt message with one-time secret key, public-key encrypted
• for authentication use a digital signature
  • may need to protect by encrypting signature
• use digital certificate to supply public key
Federated Identity Management

• use of common identity management scheme
  • across multiple enterprises & numerous applications
  • supporting many thousands, even millions of users
• principal elements are:
  • authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation
• Kerberos contains many of these elements

Identity Management (figure)

Identity Federation (figure)
Standards Used

• Security Assertion Markup Language (SAML)
  • XML-based language for exchange of security information between online business partners
• part of OASIS (Organization for the Advancement of Structured Information Standards) standards for federated identity management
  • e.g. WS-Federation for browser-based federation
• need a few mature industry standards

Federated Identity Examples (figure)
Summary

• have considered:
  • remote user authentication issues
  • authentication using symmetric encryption
  • the Kerberos trusted key server system
  • authentication using asymmetric encryption
  • federated identity management