Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Unit-VI

Published byGladys Bruce Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Security Unit-VI"— Presentation transcript:

1 Network Security Unit-VI
User Authentication Mechanisms

2 Authentication is the first step in any cryptographic solution
Authentication can be defined as determining an identity to the required level of assurance

3 Passwords A password is a string of alphabets, numbers and special characters, which is supposed to be known only to the entity (usually a person) that is being authenticated.

4 Clear text passwords: Database Client Server
User gets a prompt to enter user id and password User Authentication program Login Request User id & password User id & password Login Successful User Authentication program Application Menu Success

5 Something derived from passwords:
Step:1 Create a message digest of passwords Step: 2 Store the user id and message digest of the passwords in the user database. Database Server Client User computer calculates the MD User Authentication program Login Request User id & calculated password User id & MD Login Successful User Authentication program Application Menu Success

6 Adding randomness: Server Database Client User Authentication program
Login Request User id User id The server will create a random challenge using a program User id is valid Server sends the random challenge to user The client computer will calculate MD on password RC is then encrypted with MD MD retrieval program Login Request User id & password (RC) In response, gives the MD

7 If it matches, then appropriate message is send.
Database Server Client The server encrypts the original random challenge with that MD using a program The server then compares both the RC, calculated by him and sent by client If it matches, then appropriate message is send. Login successful Application Menu

8 Authentication Tokens
An authentication token is a small device that generates a new random value every time it is used. The small devices are typically of the size of small key chains, calculators or credit cards. Usually, an authentication token has the following features:- Processor Liquid Crystal Display(LCD) Battery (Optional) a small keyboard for entering information (optional) a real time clock. Each authentication token is pre-programmed with a unique number called as random seed (or seed)

9

10 Seed User record location
User database Server User record location Seed Authentication Token Step: 1 Whenever an authentication is created , the corresponding random seed is generated for the token by the Authentication Server. This seed is stored or pre-programmed inside the token and also stored in database.

11 User id and one-time password obtained by token are sent to server
Database Client User id and one-time password obtained by token are sent to server The server’s seed retrieval program now retrieves the seed from the database Database sends the seed related to user id The server password validation program calculates the one-time password and checks the seed against the password If the password is correct, then appropriate message is send to user

12 Types of Authentication Token
Challenge/ response Token Time based Token

13 Challenge/ Response Token
Server Database Client User sends a login request User ID User authentication program Checks if user id is valid The server creates a random challenge using a program If user is valid The client receives the random challenge The RC is encrypted by the seed value MD of the password & encrypted RC is send to the server The server retrieves the seed value for the user from database Challenge/ Response Token

14 The server encrypts the original random challenge with that seed value
Database Server Client The server encrypts the original random challenge with that seed value The server then compares both the RC, calculated by him and sent by client If it matches, then appropriate message is send. Login successful Application Menu

15 Time Based Token Server Database Client
The seed value and the system time of token, together perform cryptographic algorithm to generate a password automatically. User sends a login request User ID & password The server retrieves the seed value for the user from database The server calculates the same cryptographic function as was done by the token using seed value & system time The server compares both the passwords If it matches, then appropriate message is send. Time Based Token

16 Certificate Based Authentication
This is based on digital certificate of a user. Here the user is expected to have something and know something.

17 Step: 1 pre-requisite in Certificate based authentication
Server Certificate Authority (CA) Database User

18 User sends a login request User ID User authentication program
Server Database Client User sends a login request User ID User authentication program Checks if user id is valid If user is valid The client receives the random challenge The server creates a random challenge using a program The RC is encrypted with the user’s private key to produce digital signature The user sends the user ID and digitally signed RC The server retrieves the public key for the user from database

19 The server decrypts the RC by user’s public key
Database Server Client The server decrypts the RC by user’s public key The server then compares both the RC, calculated by him and sent by client If it matches, then appropriate message is send. Login successful Application Menu

20 Biometric Authentication
A biometric device works on the basis of human characteristics. Every time, the sample produced in biometric varies slightly. That is why many biometric samples are combined and their average is stored in the database. Thus an approximate match is acceptable. In biometric authentication system, 2 configurable parameters are defined: FAR (False Accept Ratio) = is a measurement of the chance that a user who should be rejected is actually accepted by the system as good enough. FRR (False Reject Ratio) = is a measurement of the chance that a user who should be accepted as valid is actually rejected by the system as not good enough. If the two samples match to the expected degree on the basis of values of FAR and FRR, the user is authenticated otherwise not.

21 Physiological techniques Behavioral techniques
Biometric Techniques Physiological techniques Behavioral techniques 1. Face – check and measure the distance between the various facial features such as eyes, nose & mouth. 2. Voice – characteristics of sound waves, pitch and tone of voice. 3. Fingerprint – authentication uses 2 approaches: Minutiae based: graph of individual ridge positions is drawn Image based: image of fingerprint is stored. 4. Iris – unique pattern of inside the iris 5. Retina – the vessels carrying blood supply at the back of human eye are examined Keystroke – speed of typing, strength of keystrokes, time between 2 keystrokes, error percentage and frequency. Signature – physically signed by the authorizer is compared by the computerized scanned copy

22 Kerberos Kerberos is based on an algorithm called Needham-Shroeder.
Designed at MIT. Kerberos signifies a multi headed dog in Greek mythology. There are 4 parties involved in Kerberos: Alice: the client workstation Authentication Server (AS) :verifies(authenticates) the user during login. Ticket Granting Server (TGS): issues tickets to certify proof of identity. Bob: the server offering services such as network printing, file sharing or an application program.

23 Step : 1 Alice TGT Encrypt Encrypt AS Alice
User sends the login request user ID Output * Alice Session key KS Symmetric Key shared with TGS Encrypt Session key KS TGT Step : 1 Symmetric key derived from Alice’s password (KA) Encrypt Output *

24 Bob Id TGT Output * Encrypt Encrypted Time
TGS Alice User sends the login request user ID Output * Encrypt Session key (KS) TGT Bob Id Encrypted Time Step : 2 Alice wants to communicate with Bob( server) Output *

25 In response the TGS will send response back to Alice
Output * Alice KAB Bob KAB Bob’s secret key Session key (KS) Encrypt Encrypt Output * In response the TGS will send response back to Alice

26 Output * Sends KAB Encrypt Encrypted Time
Bob Alice Output * Encrypt KAB Encrypted Time (Alice +KAB) encrypted with Bob’s secret key Output * Step : 3 Alice contacts Bob for accessing the server

27 Bob acknowledges the receipt of KAB
Acknowledging KAB Bob Alice Encrypted Time Bob adds 1 to the timestamp sent by Alice Encrypt KAB Encrypted Time Bob acknowledges the receipt of KAB

28 If Alice now wants to communicate with another server say Carol:
If Alice wants to continue communicating with Bob alone, she need not obtain a new ticket every time. Since Alice needs to authentic only once, this mechanism is called Single Sign On(SSO). If Alice now wants to communicate with another server say Carol: Alice needs to obtain another shared key from TGS.

29 Single Sign On (SSO) Approaches
Script based Approach Agent based Approach

30 Key Distribution Center (KDC)
KDC is a central authority dealing with keys for individual nodes in a computer network. It is similar to the concept of AS and TGS in Kerberos. The basic idea is that every node shares a unique secret key with KDC. Whenever A wants to communicate securely with B, the following happens:-

31 A and B can now communicate with KS for encryption
KDC KA KB A KDC Encrypted with KA: Identities of A & B. Random number (nonce) Response encrypted with KA: KS A’s request KS encrypted with KB A’s ID encrypted with KB A B A and B can now communicate with KS for encryption

32 Security Handshake Pitfalls
Schemes for carrying out the handshake One way authentication Mutual Authentication Here, the authentication is only one way i.e. B authenticates A but A does not authenticate B. Both A and B authenticates each other.

33 One way authentication
Login only Shared secret One way public key A sends username to B. B creates a random challenge and sends to A. A encrypts random challenge with A’s private key A sends username to B. B creates a random challenge and sends to A. A encrypts random challenge with KAB A sends login id & password in plain text. If it is valid, then communication starts. No further encryption or integrity checks are performed. Modified approach: A sends username to B. B encrypts random challenge with KAB A then decrypts it and sends the original RC to B Modified approach: A sends username to B. B encrypts random challenge with A’s public key A then decrypts it with A’s private key & sends the original RC to B

34 Mutual Authentication
Shared secret Public Keys Timestamps-based A sends username to B B sends a random challenge R1 to A R1 is encrypted with KAB A sends a random challenge R2 to B B encrypts R2 with KAB and sends it to A A sends username and R2 encrypted with B’s public key. B decrypts R2 with his private key. B creates a R1 and encrypts with A’s public key A decrypts R1 and sends to B A sends username and current timestamp encrypted with KAB. B sends username and above timestamp +1 encrypted with KAB Optimized Approach: A sends username and R2 B sends encrypted R2 with KAB and R1 A again sends encrypted R1 with KAB. Modified Approach: A sends username and R2 B encrypts R2 with KAB & also sends R1. A then signs R1 and returns it back to B

35 Thank You

Download ppt "Network Security Unit-VI"

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Le Trong Ngoc Security Fundamentals Entity Authentication Mechanisms 4/2011.

Le Trong Ngoc Security Fundamentals Entity Authentication Mechanisms 4/2011.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or hellhound” with a serpent's.

Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Chapter 21 Distributed System Security Copyright © 2008.

Chapter 21 Distributed System Security Copyright © 2008.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Authentication Chapter 2. Learning Objectives Create strong passwords and store them securely Understand the Kerberos authentication process Understand.

Authentication Chapter 2. Learning Objectives Create strong passwords and store them securely Understand the Kerberos authentication process Understand.

Similar presentations

Ads by Google