SlideShare une entreprise Scribd logo
1  sur  6
Télécharger pour lire hors ligne
©Copyright 1994 AT&T and Lumeta Corporation. All Rights Reserved.
Notice: For personal use only. These materials may not be reproduced or distributed in any form
or by any means except that they may be downloaded from this source and printed for personal use.




                 5
                 Authentication

                       “Who are you, Master?” he asked.

                       “Eh, what?” said Tom sitting up, and his eyes glinting in the gloom. “Don’t you
                       know my name yet? That’s the only answer. Tell me, who are you, alone, yourself
                       and nameless.”



                                                          Lord of the Rings
                                                          —J.R.R. TOLKIEN



                 Authentication is the process of proving one’s identity. This is distinct from the assertion of
                 identity (known, reasonably enough, as identification) and from deciding what privileges accrue
                 to that identity (authorization). While all three are important, authentication is the trickiest from
                 the perspective of network security. We are concerned here with two forms of authentication, that
                 of a user to a machine during an initial login sequence, and machine-to-machine authentication
                 during operation. Solutions to the first problem are typically categorized as “something you
                 know,” “something you have,” and “something you are.” Machine-to-machine authentication is
                 generally divided into two types: “cryptographic” and “other.” (Some would say “cryptographic”
                 and “weak.”)
                      The level of authentication depends on the importance of the asset, and the cost of the method.
                 Should you use hand-held authenticators for logins from the outside? What about from the inside?
                 What sort of authentication do you want for outgoing calls? How about privileged (root) access
                 to machines? For that matter, who will maintain the firewall’s authentication databases? In many
                 environments, a single firewall serves the entire organization, which makes tracking personnel
                 that much harder. Would a scheme that does not require databases be better? Many options are
                 listed in this chapter.

                                                                                                                  119
120                                                                                       Authentication


5.1   User Authentication
      5.1.1 Passwords
      There is little more to say here about passwords; we already discussed it at some length in
      Section 1.3.3 and will discuss it further in 9.1. As a means of personal authentication, passwords
      are categorized as “something you know.” This is an advantage because no special equipment is
      required to use them, and also a disadvantage because what you know can be told to someone else,
      or guessed, or captured.
          No security expert we know of regards passwords as a strong authentication mechanism.
      Nevertheless, they are unlikely to disappear any time soon, because they are simple, cheap, and
      convenient.


      5.1.2 One-Time Passwords
      One can achieve a significant increase in security by using one-time passwords. A one-time
      password behaves exactly as its name indicates: It is used exactly once, after which it is no longer
      valid. This provides a very strong defense against eavesdroppers, compromised telnet commands,
      and even publication of login sessions. (See Figure 5.1 on page 121 for an example of the latter.)
          There are a number of possible ways to implement one-time password schemes. The best
      known involve the use of some sort of hand-held authenticator , also known as a dongle or a
      token.
          One common form of authenticator contains an internal clock, a secret key of some sort, and
      a display. The display shows some function of the current time and the secret key. This output
      value, which is used as the authentication message, changes about once per minute. (The use of
      cryptography to implement such functions is described in Chapter 13.) These “passwords” are
      never repeated.
          The host validates the user by using its copy of the secret key and its clock to calculate the
      expected output value. If they match, the login is accepted. In practice, clock skew between
      the device and the host can be a problem. To guard against this, several candidate passwords
      are computed, and the user’s value is matched against the entire set. A database accessible to
      the host keeps track of the device’s clock skew to help minimize the time window. But this
      introduces another problem: A password could be replayed during the clock skew interval. A
      proper implementation should cache all received passwords during their valid lifetime; attempted
      reuses should be rejected and logged.
          A different one-time password system uses a nonrepeating challenge from the host instead of
      a clock. Again, the user has a device that is programmed with a secret key. The challenge is keyed
      into the device, which calculates some function of it and the key, and this value serves as the
      password. Since there is no clock involved, there is no clock skew, and hence no need for a cache.
      On the other hand, the device must have a keypad, and the user must transcribe the challenge.
      Some have complained about this extra step. A sample telnet session through our gateway is
      shown in Figure 5.1.
User Authentication                                                                                           121


              $ telnet guard.research.att.com
              Trying...
              Connected to guard.research.att.com.
              Escape character is ˆ] .

              This is the new inet. Authorized use only.


              Authentication Server.

              Id? ches
              challenge: 48201
              response: d2c3f97d


              TCP host name? cetus
              rlogin cetus -e -8 -l ches

              IRIX Release 4.0.5C System V cetus.research.att.com
              Copyright 1987-1992 Silicon Graphics, Inc.
              All Rights Reserved.
              cetus=; exit
              Connection closed.Connection closed by foreign host.
              $

        Figure 5.1: The full text of an actual terminal session using our challenge/response-based guard. The
        challenge is random, and will rarely, if ever, be repeated. An enemy cannot replay an old response, because
        it is derived from the challenge, which should be different for each session. The parameters on the rlogin
        command prevent a shell escape to the gateway machine. A modified rlogin would probably be better.



            Challenge/response identification is derived from the Identification Friend or Foe (IFF) devices
        used by military aircraft [Diffie, 1988]. It, in turn, is derived from the traditional way a military
        sentry challenges a possible intruder.
            Both of these schemes involve “something you have,” a device that is subject to theft. The
        usual defense is to add “something you know” in the form of some sort of personal identification
        number (PIN). An attacker would need possession of both the PIN and the device to impersonate
        the user. (Note that the PIN is really a password used to log in to the hand-held authenticator.
        Although PINs can be very weak, as anyone in the automatic teller machine card business can
        testify [Anderson, 1993], the combination of the two factors is quite strong.) Also, either approach
        must have the key accessible to the host, unless an authentication server is used. The key database
        can be a weakness and must be protected.
            Many people carry a computer around these days. These algorithms, and especially the
        following, are easily implemented in a portable machine.
            Lamport proposed a one-time password scheme [Lamport, 1981] that can be implemented
        without special hardware. Assume there is some function that is reasonably easy to compute
                                                                          




        in the forward direction but effectively impossible to invert. (The cryptographic hash functions
122                                                                                                      Authentication


      described in Section 13.1.7 are good candidates.) Further assume that the user has some secret—
                                   
      perhaps a password— . To enable the user to log in some number of times, the host calculates
       




       ¤  ¢
      £ ¡   that number of times. Thus, to allow 1000 logins before a password change, the host would
                      £ ¤  ¡
      calculate 1000 , and store only that value.
                 




          The first time the user logs in, he or she would supply 999 . The system would validate
                                                                                            




                                                                                                £ ¥  ¡
      that by calculating
                                                 ¡
                                                   ¦    




                                                           999    ©§¤  ¡
                                                                 ¨ ££       




                                                                                 1000   ¥  ¡
                                                                                        £
                                                                               £ ¤  ¡
      If the login is correct, the supplied password— 999 —becomes the new stored value. This is
                                                                       




                               £ ¤  ¡
      used to validate 998 , the next password to be supplied by the user.
                         




           The user’s calculation of    £¤  ¤
                                            ¡ can be done by a hand-held authenticator or a trusted work-
      station or portable computer. Bellcore’s implementation of this scheme [Haller, 1994], known as
      S/Key, goes a step further. While logged on to a secure machine, the user can run a program that
      calculates the next several login sequences, and encodes these as a series of short words. A printed
      copy of this list can be used while traveling. The user must take care to cross off each password
      as it is used. To be sure, this list is vulnerable to theft, and there is no provision for a PIN. S/Key
      can also run on a PC.
           An implementation of S/Key as part of a full firewall configuration is described in [Avolio and
      Ranum, 1994].

      5.1.3 Smart Cards
      A smart card is a portable device that has a CPU, some input/output ports, and a few thousand bytes
      of nonvolatile memory that is accessible only through the card’s CPU. If the reader is properly
      integrated with the user’s login terminal or workstation, the smart card can perform any of the
      validation techniques just described, but without their weaknesses. Smart cards are “something
      you have,” though they are often augmented by “something you know”, a PIN.
          Some smart cards have hand-held portable readers. Some readers are now available in the
      PCMCIA format.
          Consider the challenge/response scheme. As normally implemented, the host would need to
      possess a copy of the user’s secret key. This is a danger; the key database is extremely sensitive,
      and should not be stored on ordinary computers. One could avoid that danger by using public-key
      cryptographic techniques (Section 13.1.4), but there’s a problem: The output from all known
      public key algorithms is far too long to be typed conveniently, or even to be displayed on a small
      screen. A smart card, though, can not only do the calculations, it can transmit them directly to the
      host via its I/O ports. For that matter, it could read the challenge that way, too, and simply require
      a PIN to enable access to its memory.

      5.1.4 Biometrics
      The third method of authenticating a user attempts to measure something intrinsic to the user.
      This could be something like a fingerprint, a voiceprint, or a signature. Obviously, special
      hardware is required, which limits the applicability of biometric techniques to comparatively few
      environments. The attraction is that a biometric identifier can neither be given away nor stolen.
Host-to-Host Authentication                                                                               123


            In practice, there are some limitations. Conventional security wisdom says that authentication
        data should be changed regularly. This is difficult to do with a fingerprint. Some methods have
        encountered user resistance; Davies and Price [1989] cite a lip-print reader as one example. Also,
        by their very nature, biometrics do not give exact answers. No two signatures are absolutely
        identical, even from the same individual, and discounting effects such as exhaustion, mood, or
        illness. Some tolerance must be built into the matching algorithm. Would you let someone log in
        if you were 93% sure of the caller’s identity?
            Some systems use smart cards to store the biometric data about each user. This avoids the
        need for host databases, instead relying on the security of the card to prevent tampering. It is also
        possible to incorporate a random challenge from the host in the protocol between the smart card
        and the user, thus avoiding replay attacks.
            As of now, we are unaware of any routine use of biometric data on the Internet. But as
        microphone-equipped machines become more common, usage may start to spread.


5.2     Host-to-Host Authentication
        5.2.1 Network-Based Authentication
        For better or worse, the dominant form of host-to-host authentication on the Internet today relies
        on the network. That is, the network itself conveys not just the remote user’s identity, but is also
        presumed to be sufficiently accurate that one can use it as an authenticated identity. As we have
        seen, this is dangerous. Network authentication itself comes in two flavors, address-based and
        name-based. For the former, the source’s numeric IP address is accepted. Attacks on this form
        consist of sending something from a fraudulent address. The accuracy of the authentication thus
        relies on the difficulty of detecting such impersonations—and detecting them can be very hard.
            Name-based authentication is weaker still. It requires that not just the address be correct, but
        also the name associated with that address. This opens up a separate avenue of attack for the
        intruder: corrupting whatever mechanism is used to map IP addresses to host names. The attacks
        on the DNS (Section 2.3) attempt to exploit this path.

        5.2.2 Cryptographic Techniques
        Cryptographic techniques provide a much stronger basis for authentication. While the techniques
        vary widely (see Chapter 13 for some examples), they all rely on the possession of some “secret”
        or cryptographic key. Possession of this secret is equivalent to proof that you are the party known
        to hold it. The hand-held authenticators discussed earlier are a good example.
            If you share a given key with exactly one other party, and receive a message that was encrypted
        with that key, you know who must have sent it. No one else could have generated it. (To be sure,
        an enemy can record an old message, and retransmit it later. This is known as a replay attack.)
            You usually do not share a key with every other party with whom you wish to speak. The
        common solution to this is a Key Distribution Center (KDC) [Needham and Schroeder, 1978,
        1987; Denning and Sacco, 1981]. Each party shares a key—and hence some trust—with the KDC.
        The center acts as an intermediary when setting up calls. While the details vary, the party initiating
124                                                                                     Authentication


      the call will contact the KDC and send an authenticated message that names the other party to the
      call. The KDC can then prepare a message for the other party, and authenticate it with the key
      the two of them share. At no time will the caller ever learn the recipient’s secret key. Kerberos
      (Section 13.2) is a well-known implementation of a KDC.
          While cryptographic authentication has many advantages, a number of problems have blocked
      its widespread use. The two most critical ones are the need for a secure KDC, and the difficulty
      of keeping a host’s key secret. For the former, one must use a dedicated machine, in a physically
      secure facility, or use a key exchange protocol based on public key cryptography. Anyone who
      compromises the KDC can impersonate any of its clients. Similarly, anyone who learns a host’s
      key can impersonate that host and, in general, any of the users on it. This is a serious problem,
      since computers are not very good at keeping long-term secrets. The best solution is specialized
      cryptographic hardware—keep the key on a smart card, perhaps—but even that is not a guaranteed
      solution, because someone who has penetrated the machine can tell the cryptographic hardware
      what to do.

Contenu connexe

En vedette

Declare his glory
Declare his gloryDeclare his glory
Declare his gloryFer Nanda
 
Precisam se de loucos
Precisam se de loucosPrecisam se de loucos
Precisam se de loucosFer Nanda
 
จงขอบคุณพระเจ้าตลอดเวลา 11.7.10 ready
จงขอบคุณพระเจ้าตลอดเวลา 11.7.10 readyจงขอบคุณพระเจ้าตลอดเวลา 11.7.10 ready
จงขอบคุณพระเจ้าตลอดเวลา 11.7.10 readypannily
 
Convention Federsalus Parma 20 06 09 Fiorani En
Convention Federsalus Parma 20 06 09 Fiorani EnConvention Federsalus Parma 20 06 09 Fiorani En
Convention Federsalus Parma 20 06 09 Fiorani EnMarco Fiorani
 
H/ACA(like) sRNA in Archaea
H/ACA(like) sRNA in ArchaeaH/ACA(like) sRNA in Archaea
H/ACA(like) sRNA in ArchaeaFabrice Leclerc
 
Actionable Transparency for Healthcare Data
Actionable Transparency for Healthcare DataActionable Transparency for Healthcare Data
Actionable Transparency for Healthcare DatajHealth Unlimited
 
The path towards a recognisable and recognised quality in the nutraceutical i...
The path towards a recognisable and recognised quality in the nutraceutical i...The path towards a recognisable and recognised quality in the nutraceutical i...
The path towards a recognisable and recognised quality in the nutraceutical i...Marco Fiorani
 
"Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec...
"Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec..."Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec...
"Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec...Chris Van Roey
 
As provacoes
As provacoesAs provacoes
As provacoesFer Nanda
 
Cotillones fin de curso
Cotillones fin de cursoCotillones fin de curso
Cotillones fin de cursomyelitz
 

En vedette (20)

Name search
Name searchName search
Name search
 
Forest dog series
Forest dog seriesForest dog series
Forest dog series
 
G2 scse 07-apr-13_display
G2 scse 07-apr-13_displayG2 scse 07-apr-13_display
G2 scse 07-apr-13_display
 
Declare his glory
Declare his gloryDeclare his glory
Declare his glory
 
Precisam se de loucos
Precisam se de loucosPrecisam se de loucos
Precisam se de loucos
 
จงขอบคุณพระเจ้าตลอดเวลา 11.7.10 ready
จงขอบคุณพระเจ้าตลอดเวลา 11.7.10 readyจงขอบคุณพระเจ้าตลอดเวลา 11.7.10 ready
จงขอบคุณพระเจ้าตลอดเวลา 11.7.10 ready
 
Convention Federsalus Parma 20 06 09 Fiorani En
Convention Federsalus Parma 20 06 09 Fiorani EnConvention Federsalus Parma 20 06 09 Fiorani En
Convention Federsalus Parma 20 06 09 Fiorani En
 
F2 scse 06-apr-13_display
F2 scse 06-apr-13_displayF2 scse 06-apr-13_display
F2 scse 06-apr-13_display
 
B2_Slot_SCSE_Display_18-02-2013
B2_Slot_SCSE_Display_18-02-2013B2_Slot_SCSE_Display_18-02-2013
B2_Slot_SCSE_Display_18-02-2013
 
H/ACA(like) sRNA in Archaea
H/ACA(like) sRNA in ArchaeaH/ACA(like) sRNA in Archaea
H/ACA(like) sRNA in Archaea
 
Actionable Transparency for Healthcare Data
Actionable Transparency for Healthcare DataActionable Transparency for Healthcare Data
Actionable Transparency for Healthcare Data
 
The path towards a recognisable and recognised quality in the nutraceutical i...
The path towards a recognisable and recognised quality in the nutraceutical i...The path towards a recognisable and recognised quality in the nutraceutical i...
The path towards a recognisable and recognised quality in the nutraceutical i...
 
D2 scse 04-apr-13_display
D2 scse 04-apr-13_displayD2 scse 04-apr-13_display
D2 scse 04-apr-13_display
 
E1 slot display
E1 slot displayE1 slot display
E1 slot display
 
Aprendi
AprendiAprendi
Aprendi
 
SCSE_Display_c1_slot_22-08-2012
SCSE_Display_c1_slot_22-08-2012SCSE_Display_c1_slot_22-08-2012
SCSE_Display_c1_slot_22-08-2012
 
"Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec...
"Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec..."Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec...
"Reclamejongens (m/v)" De paria's van de samenleving? Uitdagingen voor de sec...
 
As provacoes
As provacoesAs provacoes
As provacoes
 
Cotillones fin de curso
Cotillones fin de cursoCotillones fin de curso
Cotillones fin de curso
 
A2 scse 01-apr-13
A2 scse 01-apr-13A2 scse 01-apr-13
A2 scse 01-apr-13
 

Similaire à Cryptographic authentication

Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and securityBen Bromhead
 
Securing Cassandra
Securing CassandraSecuring Cassandra
Securing CassandraInstaclustr
 
Instaclustr: Securing Cassandra
Instaclustr: Securing CassandraInstaclustr: Securing Cassandra
Instaclustr: Securing CassandraDataStax Academy
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningSumutiu Marius
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net FrameworkRamakanta Behera
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorunNimrod Levy
 
Nimrod duck hunter copy
Nimrod duck hunter   copyNimrod duck hunter   copy
Nimrod duck hunter copyNimrod Levy
 
Liferay hardening principles
Liferay hardening principlesLiferay hardening principles
Liferay hardening principlesAmbientia
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Mary Racter
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of TrustYousof Alsatom
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Tomek Cejner
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesYuji Kosuga
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 

Similaire à Cryptographic authentication (20)

Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and security
 
Securing Cassandra
Securing CassandraSecuring Cassandra
Securing Cassandra
 
Instaclustr: Securing Cassandra
Instaclustr: Securing CassandraInstaclustr: Securing Cassandra
Instaclustr: Securing Cassandra
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie Poisoning
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net Framework
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
 
Nimrod duck hunter copy
Nimrod duck hunter   copyNimrod duck hunter   copy
Nimrod duck hunter copy
 
Liferay hardening principles
Liferay hardening principlesLiferay hardening principles
Liferay hardening principles
 
otp crid cards
otp crid cardsotp crid cards
otp crid cards
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation Vulnerabilities
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 

Dernier

Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxKatherine Villaluna
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 

Dernier (20)

Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptx
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 

Cryptographic authentication

  • 1. ©Copyright 1994 AT&T and Lumeta Corporation. All Rights Reserved. Notice: For personal use only. These materials may not be reproduced or distributed in any form or by any means except that they may be downloaded from this source and printed for personal use. 5 Authentication “Who are you, Master?” he asked. “Eh, what?” said Tom sitting up, and his eyes glinting in the gloom. “Don’t you know my name yet? That’s the only answer. Tell me, who are you, alone, yourself and nameless.” Lord of the Rings —J.R.R. TOLKIEN Authentication is the process of proving one’s identity. This is distinct from the assertion of identity (known, reasonably enough, as identification) and from deciding what privileges accrue to that identity (authorization). While all three are important, authentication is the trickiest from the perspective of network security. We are concerned here with two forms of authentication, that of a user to a machine during an initial login sequence, and machine-to-machine authentication during operation. Solutions to the first problem are typically categorized as “something you know,” “something you have,” and “something you are.” Machine-to-machine authentication is generally divided into two types: “cryptographic” and “other.” (Some would say “cryptographic” and “weak.”) The level of authentication depends on the importance of the asset, and the cost of the method. Should you use hand-held authenticators for logins from the outside? What about from the inside? What sort of authentication do you want for outgoing calls? How about privileged (root) access to machines? For that matter, who will maintain the firewall’s authentication databases? In many environments, a single firewall serves the entire organization, which makes tracking personnel that much harder. Would a scheme that does not require databases be better? Many options are listed in this chapter. 119
  • 2. 120 Authentication 5.1 User Authentication 5.1.1 Passwords There is little more to say here about passwords; we already discussed it at some length in Section 1.3.3 and will discuss it further in 9.1. As a means of personal authentication, passwords are categorized as “something you know.” This is an advantage because no special equipment is required to use them, and also a disadvantage because what you know can be told to someone else, or guessed, or captured. No security expert we know of regards passwords as a strong authentication mechanism. Nevertheless, they are unlikely to disappear any time soon, because they are simple, cheap, and convenient. 5.1.2 One-Time Passwords One can achieve a significant increase in security by using one-time passwords. A one-time password behaves exactly as its name indicates: It is used exactly once, after which it is no longer valid. This provides a very strong defense against eavesdroppers, compromised telnet commands, and even publication of login sessions. (See Figure 5.1 on page 121 for an example of the latter.) There are a number of possible ways to implement one-time password schemes. The best known involve the use of some sort of hand-held authenticator , also known as a dongle or a token. One common form of authenticator contains an internal clock, a secret key of some sort, and a display. The display shows some function of the current time and the secret key. This output value, which is used as the authentication message, changes about once per minute. (The use of cryptography to implement such functions is described in Chapter 13.) These “passwords” are never repeated. The host validates the user by using its copy of the secret key and its clock to calculate the expected output value. If they match, the login is accepted. In practice, clock skew between the device and the host can be a problem. To guard against this, several candidate passwords are computed, and the user’s value is matched against the entire set. A database accessible to the host keeps track of the device’s clock skew to help minimize the time window. But this introduces another problem: A password could be replayed during the clock skew interval. A proper implementation should cache all received passwords during their valid lifetime; attempted reuses should be rejected and logged. A different one-time password system uses a nonrepeating challenge from the host instead of a clock. Again, the user has a device that is programmed with a secret key. The challenge is keyed into the device, which calculates some function of it and the key, and this value serves as the password. Since there is no clock involved, there is no clock skew, and hence no need for a cache. On the other hand, the device must have a keypad, and the user must transcribe the challenge. Some have complained about this extra step. A sample telnet session through our gateway is shown in Figure 5.1.
  • 3. User Authentication 121 $ telnet guard.research.att.com Trying... Connected to guard.research.att.com. Escape character is ˆ] . This is the new inet. Authorized use only. Authentication Server. Id? ches challenge: 48201 response: d2c3f97d TCP host name? cetus rlogin cetus -e -8 -l ches IRIX Release 4.0.5C System V cetus.research.att.com Copyright 1987-1992 Silicon Graphics, Inc. All Rights Reserved. cetus=; exit Connection closed.Connection closed by foreign host. $ Figure 5.1: The full text of an actual terminal session using our challenge/response-based guard. The challenge is random, and will rarely, if ever, be repeated. An enemy cannot replay an old response, because it is derived from the challenge, which should be different for each session. The parameters on the rlogin command prevent a shell escape to the gateway machine. A modified rlogin would probably be better. Challenge/response identification is derived from the Identification Friend or Foe (IFF) devices used by military aircraft [Diffie, 1988]. It, in turn, is derived from the traditional way a military sentry challenges a possible intruder. Both of these schemes involve “something you have,” a device that is subject to theft. The usual defense is to add “something you know” in the form of some sort of personal identification number (PIN). An attacker would need possession of both the PIN and the device to impersonate the user. (Note that the PIN is really a password used to log in to the hand-held authenticator. Although PINs can be very weak, as anyone in the automatic teller machine card business can testify [Anderson, 1993], the combination of the two factors is quite strong.) Also, either approach must have the key accessible to the host, unless an authentication server is used. The key database can be a weakness and must be protected. Many people carry a computer around these days. These algorithms, and especially the following, are easily implemented in a portable machine. Lamport proposed a one-time password scheme [Lamport, 1981] that can be implemented without special hardware. Assume there is some function that is reasonably easy to compute   in the forward direction but effectively impossible to invert. (The cryptographic hash functions
  • 4. 122 Authentication described in Section 13.1.7 are good candidates.) Further assume that the user has some secret—   perhaps a password— . To enable the user to log in some number of times, the host calculates   ¤  ¢ £ ¡ that number of times. Thus, to allow 1000 logins before a password change, the host would £ ¤  ¡ calculate 1000 , and store only that value.   The first time the user logs in, he or she would supply 999 . The system would validate   £ ¥  ¡ that by calculating ¡   ¦   999 ©§¤  ¡ ¨ ££   1000 ¥  ¡ £ £ ¤  ¡ If the login is correct, the supplied password— 999 —becomes the new stored value. This is   £ ¤  ¡ used to validate 998 , the next password to be supplied by the user.   The user’s calculation of £¤  ¤   ¡ can be done by a hand-held authenticator or a trusted work- station or portable computer. Bellcore’s implementation of this scheme [Haller, 1994], known as S/Key, goes a step further. While logged on to a secure machine, the user can run a program that calculates the next several login sequences, and encodes these as a series of short words. A printed copy of this list can be used while traveling. The user must take care to cross off each password as it is used. To be sure, this list is vulnerable to theft, and there is no provision for a PIN. S/Key can also run on a PC. An implementation of S/Key as part of a full firewall configuration is described in [Avolio and Ranum, 1994]. 5.1.3 Smart Cards A smart card is a portable device that has a CPU, some input/output ports, and a few thousand bytes of nonvolatile memory that is accessible only through the card’s CPU. If the reader is properly integrated with the user’s login terminal or workstation, the smart card can perform any of the validation techniques just described, but without their weaknesses. Smart cards are “something you have,” though they are often augmented by “something you know”, a PIN. Some smart cards have hand-held portable readers. Some readers are now available in the PCMCIA format. Consider the challenge/response scheme. As normally implemented, the host would need to possess a copy of the user’s secret key. This is a danger; the key database is extremely sensitive, and should not be stored on ordinary computers. One could avoid that danger by using public-key cryptographic techniques (Section 13.1.4), but there’s a problem: The output from all known public key algorithms is far too long to be typed conveniently, or even to be displayed on a small screen. A smart card, though, can not only do the calculations, it can transmit them directly to the host via its I/O ports. For that matter, it could read the challenge that way, too, and simply require a PIN to enable access to its memory. 5.1.4 Biometrics The third method of authenticating a user attempts to measure something intrinsic to the user. This could be something like a fingerprint, a voiceprint, or a signature. Obviously, special hardware is required, which limits the applicability of biometric techniques to comparatively few environments. The attraction is that a biometric identifier can neither be given away nor stolen.
  • 5. Host-to-Host Authentication 123 In practice, there are some limitations. Conventional security wisdom says that authentication data should be changed regularly. This is difficult to do with a fingerprint. Some methods have encountered user resistance; Davies and Price [1989] cite a lip-print reader as one example. Also, by their very nature, biometrics do not give exact answers. No two signatures are absolutely identical, even from the same individual, and discounting effects such as exhaustion, mood, or illness. Some tolerance must be built into the matching algorithm. Would you let someone log in if you were 93% sure of the caller’s identity? Some systems use smart cards to store the biometric data about each user. This avoids the need for host databases, instead relying on the security of the card to prevent tampering. It is also possible to incorporate a random challenge from the host in the protocol between the smart card and the user, thus avoiding replay attacks. As of now, we are unaware of any routine use of biometric data on the Internet. But as microphone-equipped machines become more common, usage may start to spread. 5.2 Host-to-Host Authentication 5.2.1 Network-Based Authentication For better or worse, the dominant form of host-to-host authentication on the Internet today relies on the network. That is, the network itself conveys not just the remote user’s identity, but is also presumed to be sufficiently accurate that one can use it as an authenticated identity. As we have seen, this is dangerous. Network authentication itself comes in two flavors, address-based and name-based. For the former, the source’s numeric IP address is accepted. Attacks on this form consist of sending something from a fraudulent address. The accuracy of the authentication thus relies on the difficulty of detecting such impersonations—and detecting them can be very hard. Name-based authentication is weaker still. It requires that not just the address be correct, but also the name associated with that address. This opens up a separate avenue of attack for the intruder: corrupting whatever mechanism is used to map IP addresses to host names. The attacks on the DNS (Section 2.3) attempt to exploit this path. 5.2.2 Cryptographic Techniques Cryptographic techniques provide a much stronger basis for authentication. While the techniques vary widely (see Chapter 13 for some examples), they all rely on the possession of some “secret” or cryptographic key. Possession of this secret is equivalent to proof that you are the party known to hold it. The hand-held authenticators discussed earlier are a good example. If you share a given key with exactly one other party, and receive a message that was encrypted with that key, you know who must have sent it. No one else could have generated it. (To be sure, an enemy can record an old message, and retransmit it later. This is known as a replay attack.) You usually do not share a key with every other party with whom you wish to speak. The common solution to this is a Key Distribution Center (KDC) [Needham and Schroeder, 1978, 1987; Denning and Sacco, 1981]. Each party shares a key—and hence some trust—with the KDC. The center acts as an intermediary when setting up calls. While the details vary, the party initiating
  • 6. 124 Authentication the call will contact the KDC and send an authenticated message that names the other party to the call. The KDC can then prepare a message for the other party, and authenticate it with the key the two of them share. At no time will the caller ever learn the recipient’s secret key. Kerberos (Section 13.2) is a well-known implementation of a KDC. While cryptographic authentication has many advantages, a number of problems have blocked its widespread use. The two most critical ones are the need for a secure KDC, and the difficulty of keeping a host’s key secret. For the former, one must use a dedicated machine, in a physically secure facility, or use a key exchange protocol based on public key cryptography. Anyone who compromises the KDC can impersonate any of its clients. Similarly, anyone who learns a host’s key can impersonate that host and, in general, any of the users on it. This is a serious problem, since computers are not very good at keeping long-term secrets. The best solution is specialized cryptographic hardware—keep the key on a smart card, perhaps—but even that is not a guaranteed solution, because someone who has penetrated the machine can tell the cryptographic hardware what to do.