Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outline The basic authentication problem

Published byCordelia Potter Modified over 6 years ago

Similar presentations

Presentation on theme: "Outline The basic authentication problem"— Presentation transcript:

1 Authentication in Networks Advanced Network Security Peter Reiher August, 2014

2 Outline The basic authentication problem
Authentication options for networks Practical authentication in the Internet

3 Authentication in a Network
I’m Bill! Subject The network Authenticator How can the authenticator be sure that the subject really is Bill?

4 Issues to Consider The parties can only use the network to communicate
Implying that authentication works using bit patterns Bits are easy to copy Networks can be eavesdropped upon No inherent guarantee that next packet is related to last packet Must we authenticate each packet?

5 Authentication Options
Authentication usually performed in one of three ways: Authenticate by what you know Authenticate by what you have Authenticate by what you are How well do these work in network settings?

6 Authentication By What You Know
Passwords Cryptographic keys Security question responses Usually, the authenticating entity asks for some knowledge The subject must provide the right knowledge

7 How It Works in a Network
OK, here’s Bill’s secret I’m Bill! Prove it! BILL! Subject The network Authenticator If it’s the right secret,

8 Attackers might guess the secret
Potential Problem #1 Attackers might guess the secret I’m Bill! I wonder what Bill’s Secret might be . . . Maybe it’s . . . And here’s my secret BILL!

9 What Does This Mean? The secret must be unguessable
Not either simple or obvious Bad examples: Short passwords Something related openly to subject’s identity (like his name)

10 Eavesdroppers can overhear and replay the secret
Potential Problem #2 OK, here’s Bill’s secret I’m Bill! Prove it! Eavesdroppers can overhear and replay the secret I’m Bill! BILL! And here’s my secret Subject The network Authenticator BILL! Bill’s secret

11 What Does This Mean? Either the attacker must be unable to eavesdrop
Which may be true, but can be impossible to guaranteed Or he must be unable to use what he hears How to achieve the latter? Proper crypto

12 What Do We Mean By “Proper Crypto”?
Not just a strong cipher (e.g., AES) But also something that cannot be replayed If the attacker can copy and replay the encrypted secret, crypto didn’t help

13 OK, here’s Bill’s secret
Improper Crypto OK, here’s Bill’s secret I’m Bill! Prove it! The stolen encrypted authentication information decrypts to the secret! I’m Bill! BILL! And here’s my secret Subject The network Authenticator BILL! Bill’s secret

14 How Do We Solve the Problem?
Use a different crypto key each time Making sure only the real Bill could have it Or use the same key, but include a different nonce Either way, require “Bill” to encrypt his secret differently each time

15 The General Problem for Network Authentication
If you authenticate by what you know You’d better make sure no one else knows it Which means asking for something different each time Different piece of knowledge Different encryption of same piece

16 Authentication by What You Have
Certificates Security tokens of various sorts Challenge is you must prove possession across a network Unlike in person, when you can just show the item (e.g., passport)

17 How It Works in a Network
OK, here’s proof that I have the special item I’m Bill! Prove it! BILL! Note the similarity to the previous approach! Subject The network Authenticator If the proof is sufficiently convincing . . .

18 What’s The Same? What’s Different
The authenticator gets a bunch of bits over the network If they’re right, he authenticates What’s different? How the bits get created That’s where we can improve things

19 How Should This Work? The weakness of authentication by what you know was the secret If the secret got out, the authentication failed What if it’s a different secret every time? No problem with eavesdropping No replay issues Authenticating by what you have helps if the item generates new bits every time

20 Generating New Bits Typically requires an active computing device
Something with memory and processing capability On each request, it generates a fresh response The authenticator must be able to check the response for correctness

21 How To Generate the New Bits?
Challenge/response The authenticator sends a random number The device encrypts it with its secret key The authenticator checks the encryption Hash chains The device generates new bits using a cryptographic hash of the last set of bits The authenticator determines if the bits are the next in the chain

22 Some Difficulties The authenticator must share a secret with the device Unless you use PK But still requires pre-arrangement Problems if hash chain gets out of sync with authenticator Solvable using clocks, instead of sequence Requires rough clock synchronization

23 Weakness of the Approach
Loss of special device makes it impossible to authenticate Theft of device may allow thief to improperly authenticate Must pre-arrange to have authentication device in users’ hands

24 An “Engineering” Approach
Use a smart phone instead of security token Most people have smart phones They have compute, storage, and communications capabilities They also have a unique number (telephone number) that contacts them (maybe . . .) Authenticate by asking app on the smart phone to handle challenge/response Solves some problems, adds others

25 Authentication By What You Are
Prove your identity with biometrics Fingerprints, face recognition, retinal scans, etc. Provide that information to the authenticator He checks against a stored version

26 How It Works in a Network
OK, here’s my fingerprint information I’m Bill! Prove it! BILL! Note the similarity to the previous approaches! Subject The network Authenticator If it’s a good match for Bill’s known fingerprint information . . .

27 Biometrics and Networks
Not a particularly good match The biometric information is converted to bits and sent across the network The receiver has no idea how the bits were created Fresh biometric reading? Saved version of previous reading? Stolen copy of a reading?

28 Biometrics and Non-Human Authentication
Biometrics can’t be used to authenticate computers or programs Only people (or perhaps animals) Maybe there are some characteristics of computers that are similar Maybe not A question for research

29 A Common Issue for Network Authentication
Ultimately, you’re getting a bundle of bits packaged in one or more packets It’s hard to guarantee how the bits were created It’s easy to copy bundles of bits Whatever authentication mechanism is used, it must handle that problem

Download ppt "Outline The basic authentication problem"

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.

Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.

Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.

Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.

Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
CSCE 522 Identification and Authentication. CSCE 522 - Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.

CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.
Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.

Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.

Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

Similar presentations

Ads by Google