Authentication

• Who is who?

• Identifies a user or a resource

• Establishes trust before communication can

take place
 Authentication Mechanisms
• Passwords

• Message digests of passwords

• Authentication Tokens

• Certificate-based Authentication

• Biometrics
Password Authentication - 1

Login Screen

User id : _________
Password : _________
Ok Cancel
Password Authentication - 2

Server

Login request

Id = atul
Password = april
Password Authentication - 3

Id Password
Server Jyoti tiger
User authenticator program Amar newroad
Atul april
……
Id = atul
Password = april
Password Authentication - 4

Id Password
Server Jyoti tiger
Amar newroad
User authenticator program
Atul april
……
Success
Password Authentication - 5

Server

Login successful

Application Menu

1. View Balance
2. Transfer money
….
 Message Digests of Passwords
• Original clear text password is never
stored/transmitted

• Message digest of password is stored in the

database, and the same is used for
authentication

• Can lead to replay attacks

 Message Digests of Passwords
Step 1: Calculate the message digests of the passwords on the server-side.

tiger G%6$1
newroad Vt^80+1
april +{:>9mn
…

Passwords Message digests of

Message digest passwords
algorithm

Step 2: Store the user ids and message digests of the passwords in the user database.

Server
Id Password
User creation program
Jyoti G%6$1
Amar Vt^80+1
Atul +{:>9mn

User database
 Authentication Tokens
• Token and server are synchronized initially

• Token generates fresh passwords

periodically

• Same passwords are generated at the server

Authentication Token Concept

Id = atul
Seed = 615019191
Server
Id Seed
Jyoti 159010191
User record creation Amar 415901617
Atul 615019191

Seed = 615019191

User database

Seed

Authentication token
Authentication Token Types

Authentication Tokens

Challenge/Response Time-based Tokens

Tokens
Authentication Token Login
Login Screen

User Id Atul

Random Challenge 8102811291012

Your response
 Certificate-based Authentication
• User’s certificate details need to be stored
on the server-side

• CA distributes the certificates to the users

also

• Validation between the two takes place at

the time of authentication
 Digital Certificate Storage
Certificate

Certificate Server

Certification
Authority (CA) User database

Certificate Certificate Id Public Key Validity…

Jyoti1 59010191 June 2003
Amar 415901617 May 2002
Atul 615019191 July 2003

To respective users
Certificate-based Authentication
Step 1: User’s computer encrypts the random challenge with the user’s private
key to produce the digital signature.

Server

8102811291012 Original random

challenge

Encrypt Private key

file

90184112124832 User’s digital signature

Step 2: User’s computer sends the digital signature to the server as a

part of the login request.

Login request Server

Id = atul
Sign = 90184112124832
Smart Card Issues and Solutions
Problem/Issue Emerging solution

Smart card readers are not yet a part of a The new versions of computers and mobile
desktop computer, unlike a hard disk devices are expected to come with smart card
drive or a floppy disk drive readers out of the box.

Non-availability of smart card reader Microsoft has made the PC/SC smart card framework
driver software an integral part of the Windows 2000 operating
system. Most smart card reader manufacturers ship
the PC/SC compliant reader drivers, making the
process of adding a reader hardware to the computer
a plug-and-play operation.

Non availability of smart card aware Smart-card aware software such as Microsoft
cryptographic services software Crypto API (MS-CAPI) comes free with Internet
Explorer.

Cost of smart cards and card readers is This is reducing now. Smart cards are available for
high about $5, and the card readers for about $20.
 Biometric Authentication

• Fingerprint
• Voice
• Pattern of lines in the iris
 KERBEROS

• Real life systems use an authentication protocol

called as KERBEROS
• There are four parties involved in Kerberos
protocols:
• Alice: The client workstation
• Authentication Server (AS)
• Ticket Granting Server (TGS)
• Bob: The server offering services
 Kerberos
• Protocol used for Single Sign On (SSO)

• Every user needs only one user id for multiple

applications/resources

• Kerberos takes care of access to multiple

resources, once the user logs on
 Kerberos – Part 1

Alice AS

Login

Id = Alice
AS sends back encrypted session key
and TGT to Alice

Alice Output*
AS

Session key
Alice (KS)

Symmetric key shared with the Ticket

Encrypt
Granting Server (TGS)

Session key TGT

AS computes the output as shown below and (KS)
sends it to Alice in response to her login
request.
KS+TGT

Symmetric key derived from Alice’s

Encrypt
password (KA)

Output*
Alice sends a request for a SGT
to the TGs

Alice
Request for a SGT TGS

Output*

Timestamp

Encrypt Session key (KS)

AS computes the output as shown
below and sends it to the TGS.
Encrypted
Timestamp TGT Bob
(ET)

Output*
TGS sends response back to
Alice
Alice Output*
TGS

Alice KAB

B’s secret key Encrypt

Bob KAB

Session Key (KS) Encrypt

Output*
Alice sends KAB securely to Bob

Alice
Sending KAB Bob

Output*

Timestamp

Alice had received this from

Secret key to be shared
Encrypt the TGS in the previous step
by Alice and Bob
(KAB)

Encrypted
Timestamp (Alice + KAB) encrypted with Bob’s
(ET) secret key

Output*
Bob acknowledges the receipt of
KAB

Alice
Bob

Encrypted Timestamp (ET)*

Timestamp sent by Alice. First

add 1 to it.

Secret key shared by

Encrypt Alice and Bob (KAB)

Encrypted
Timestamp
(ET)*
 Single Sign On (SSO)
Approaches
Single Sign On (SSO)
Approaches

Script-based Approach Agent-based Approach

Key Distribution Center(KDC)
Encrypted with KA

A Sender: A
KA A
Receiver: B
KDC Random number (R)
1

B KB
KDC

2
Encrypted with KS Encrypted with KA
A Actual data that A
wants to send to B. KS
B will respond A’s request
KS encrypted with KB
similarly.
A encrypted with KB
3
B
Security Handshake Pitfalls

Security handshake mechanisms

One-way authentication Mutual authentication

One-way Authentication Approaches

One-way authentication

Login only Shared secret One-way public key

 Login-Only
1
User name: A
Password: testing123

A B

Ok!
Verified successfully.

2
 Shared Secret

1
User name: A

A Random challenge (R) B

Random challenge (R)

encrypted with KAB

3
Shared Secret – Modified Approach

User name: A

A Random challenge B

(R) encrypted with

KAB 2

Random challenge
(R)
3
One Way Public Key – Approach 1

User name: A

A Random challenge (R) B

Random challenge
(R) encrypted with
A’s private key
3
One Way Public Key – Approach 2

User name: A

Random challenge
B
A
(R) encrypted with
A’s private key 2

Random challenge
(R)
3
Mutual Authentication Approaches

Mutual authentication

Shared secret Public keys Timestamp-based

 Mutual Authentication Based on
Shared Secret
1
User name: A

Random challenge (R1)

A 2 B

R1 encrypted with KAB

3
Random challenge (R2)
4
R2 encrypted with KAB
5
Optimized Mutual Authentication

1
User name: A, R2

(R2 encrypted with

A KAB), R1 B

2
R1 encrypted with
KAB

3
 Reflection Attack – 1

1
User name: A
Random challenge: R2

C B

(R2 encrypted with

KAB), R1
2
 Reflection Attack – 2
1
User name: A
Random challenge:
R1
C B

(R1 encrypted with

KAB), R3
2
 Reflection Attack – 3

R1 encrypted B
C
with KAB
Mutual Authentication Using Public
Keys

1
User name: A, (R2
encrypted with B’s
public key)

A B
R2, (R1 encrypted
with A’s public key)
2

R1

3
 Mutual Authentication Using
Timestamps
1
User name: A,
(Current timestamp
encrypted with KAB)

A B

User name: B, (Above

timestamp + 1) encrypted
with KBA
2