ECS401: Cryptography and

Network Security

Module 5: Authentication Protocols

Lecture 42
Outline of the lecture
• Remote User Authentication Principles
• Mutual Authentication
• One-way Authentication

2
Remote User Authentication Principles
One of the key aspects of cryptography and network/Internet security is authentication. Authentication helps establish trust
by identifying the particular user/system. Authentication ensures that the claimant is really who he/she claims to be.

There are many ways to authenticate a user. Traditionally, user ids and passwords have been used. But there are many
security concerns in this mechanism.

Passwords can travel in clear text or can be stored in clear text on the server, both of which are dangerous propositions.

Modern password-based authentication techniques use alternatives as encrypting passwords, or using something derived
from the passwords in order to protect them.

Authentication tokens add randomness to the password-based mechanism, and make it far more secure.

This mechanism requires the user to possess the tokens. Authentication tokens are quite popular in applications that
demand high security.

3
Remote User Authentication Principles

In most User
computer authentication is
security the basis for
contexts, user most types of
authentication access control
is the and for user
fundamental accountability.
building block
and the primary
line of defense.

4
Remote User Authentication Principles
The process of verifying an identity claimed by or for a system entity. An authentication process consists of two steps:

Identification step: Presenting an identifier to the

security system. (Identifiers should be assigned Verification step: Presenting or generating
carefully, because authenticated identities are the authentication information that corroborates the
basis for other security services, such as access binding between the entity and the identifier.
control service.)

5
Remote User Authentication Principles
For example, user Alice Toklas could have the user identifier ABTOKLAS.

This information needs to be stored on any server or computer system that Alice wishes to use and could be known to system
administrators and other users.

A typical item of authentication information associated with this user ID is a password, which is kept secret (known only to Alice and
to the system).

If no one is able to obtain or guess Alice’s password, then the combination of Alice’s user ID and password enables administrators to
set up Alice’s access permissions and audit her activity.

Because Alice’s ID is not secret, system users can send her e-mail, but because her password is secret, no one can pretend to be
Alice.

In essence, identification is the means by which a user provides a claimed identity to the system; user authentication is the means of
establishing the validity of the claim.

Note that user authentication is distinct from message authentication. Message authentication is a procedure that allows
communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.
6
Remote User Authentication Principles
There are four general means of authenticating a user’s identity, which can be used alone or in combination:
• Examples include a password, • Examples include
a personal identification cryptographic keys,
number (PIN), or answers to a electronic keycards,
prearranged set of questions. smart cards, and
physical keys. This
type of
authenticator is
Something Something referred to as a
the individual the individual token.
knows possesses

Something
Something
the individual
the individual
does
is (static
(dynamic
biometrics)
biometrics)
• Examples include recognition •Examples include
by voice pattern, handwriting recognition by
characteristics, and typing fingerprint,
rhythm. retina, and face.
7
Remote User Authentication Principles
All of these methods, properly implemented and used, can provide secure user authentication. However, each method has
problems.

Furthermore, there is With respect to

An adversary may be a significant
Furthermore, there is biometric
With respect to For network-based
able to guess or
An adversary steal
may bea administrative
a significant authenticators,
biometric there user authentication,
For network-based
password.
able to guessSimilarly,
or stealana overhead for
administrative are a variety there
authenticators, of the most
user important
authentication,
adversary may
password. be able
Similarly, an managing password
overhead for problems, including
are a variety of methods
the involve
most important
to forgemay
adversary or steal a
be able and token information
managing password dealing with
problems, false
including cryptographic keys and
methods involve
token.
to forgeA or
user may
steal a andon systems
token and
information positives and false
dealing with false somethingkeys
cryptographic the and
forget
token. A user mayor
a password securing
on systemssuch
and negatives,
positives anduser
false individual knows,
something thesuch
losea apassword
forget token. or information
securing suchon acceptance,
negatives, userand
cost, as a password.
individual knows, such
lose a token. systems. on
information convenience.
acceptance, cost, and as a password.
systems. convenience.

8
Mutual Authentication
Central to the problem
of authenticated key • confidentiality
exchange are two • timeliness
issues:

To prevent masquerade and to prevent compromise of session keys, essential identification and session-key
information must be communicated in encrypted form. This requires the prior existence of secret or public keys
that can be used for this purpose.

The second issue, timeliness, is important because of the threat of message replays. Such replays, at worst, could
allow an opponent to compromise a session key or successfully impersonate another party. At minimum, a
successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.

9
 Mutual Authentication
Simple replay: The opponent simply copies a message and replays it later.

Repetition that can be logged: An opponent can replay a timestamped

message within the valid time window.

The following are examples of replay attacks:

Repetition that cannot be detected: This situation could arise because the
original message could have been suppressed and thus did not arrive at its
destination; only the replay message arrives.

Backward replay without modification: This is a replay back to the message

sender. This attack is possible if symmetric encryption is used and the sender
cannot easily recognize the difference between messages sent and messages
received on the basis of content.

10
Mutual Authentication
One approach to coping with replay attacks
is to attach a sequence number to each
message used in an authentication
exchange.

A new message is accepted only if its

sequence number is in the proper order. The
difficulty with this approach is that it
requires each party to keep track of the last
sequence number for each claimant it has
dealt with.

Because of this overhead, sequence

numbers are generally not used for
authentication and key exchange.

11
Mutual Authentication
Instead, one of the following two general approaches is used:

Timestamps: Party A accepts a message as fresh

only if the message contains a timestamp that, in
A’s judgment, is close enough to A’s knowledge of
current time. This approach requires that clocks
among the various participants be synchronized.

Challenge/response: Party A, expecting a fresh

message from B, first sends B a nonce (challenge)
and requires that the subsequent message
(response) received from B contain the correct
nonce value.

12
Timestamps
It can be argued that the timestamp approach should not be used for connection-oriented applications because of the
inherent difficulties with this technique.

Finally, because of the

variable and unpredictable
nature of network delays,
distributed clocks cannot be
Second, the opportunity for a expected to maintain precise
successful attack will arise if synchronization. Therefore,
there is a temporary loss of any timestamp-based
synchronization resulting procedure must allow for a
First, some sort of protocol is from a fault in the clock
needed to maintain window of time sufficiently
mechanism of one of the large to accommodate
synchronization among the parties.
various processor clocks. This network delays yet
protocol must be both fault sufficiently small to minimize
tolerant, to cope with the opportunity for attack.
network errors, and secure,
to cope with hostile attacks.

13
Challenge/response

On the other hand, the

challenge-response
approach is unsuitable for
a connectionless type of For such applications,
application, because it reliance on some sort of
requires the overhead of a secure time server and a
handshake before any consistent attempt by each
connectionless party to keep its clocks in
transmission, effectively synchronization may be
negating the chief the best approach.
characteristic of a
connectionless
transaction.

14
One-Way Authentication
One application for which encryption is growing in popularity is electronic mail (e-mail).

The very nature of electronic mail, and its chief benefit, is that it is not necessary for the sender and receiver to
be online at the same time.

Instead, the e-mail message is forwarded to the receiver’s electronic mailbox, where it is buffered until the
receiver is available to read it.

The “envelope” or header of the e-mail message must be in the clear, so that the message can be handled
by the store-and-forward e-mail protocol, such as the Simple Mail Transfer Protocol (SMTP) or X.400.

However, it is often desirable that the mail-handling protocol not require access to the plaintext form of the
message, because that would require trusting the mail-handling mechanism.

Accordingly, the e-mail message should be encrypted such that the mail-handling system is not in possession of
the decryption key.

A second requirement is that of authentication. Typically, the recipient wants some assurance that the message is
from the alleged sender.
15