Slide transcript (23 pages), uploaded by lenard-whitehead on 25-Dec-2015

Page 1: Authentication Approaches over Internet Jia Li jl3272@columbia.edu

Authentication Approaches Authentication Approaches over Internet over Internet

Jia LiJia [email protected]@columbia.edu

Page 2

What is authentication?

Authentication is the process by which the identity of a user accessing a network or other source of information is verified.

Why do we need authentication? To prevent sniffers from counterfeiting the identity of legitimate users.

Page 3

Authentication approaches

● Username/password Authentication

● Device-based Authentication

○ USB-Key Authentication

○ Dynamic Password Authentication

● Biometric Authentication

Page 4

Username/password Authentication

Basic mechanism: PAP (Password Authentication Protocol)

[Diagram, client and server over time: the client sends the password in plaintext to the server; the server replies ACK/NAK. The password is repeatedly sent until a response is received.]

Page 5

Obvious disadvantages

● Passwords are exposed over the Internet when transmitted from client to server

● A sniffer can easily steal and read the password, and then impersonate the user by sending the password to the server

A way to prevent plaintext passwords?

Page 6

Improved mechanism: encrypt passwords with a hash function and a random variable

● Hash Function

○ takes in an arbitrary block of data and returns a fixed-size bit string as the hash value

○ one-way function: it is extremely difficult to invert the function and recover the original input data from the hash value

○ impossible to modify the original data without changing its hash value

○ it is infeasible to find two messages having the same hash value

Page 7

● Authentication Process

client: sends the password, encrypted by the hash function, to the server

server: computes the expected hash value and compares it with the hash value received from the client

Page 8

● Advantages

○ passwords are not exposed directly over the Internet

○ a sniffer cannot know the original password even if he catches the hash value

● Disadvantage

Sniffers can still counterfeit the user's identity by sending the hash value they caught to the server, without knowing the real password (because the hashed password remains the same every time).

Page 9

● Random variable

To make the transmitted password different and unique every time it is sent to the server

0 1 1 0 0 1 0 ... 1 0 1 1 1 0

Suppose this is the real password (fixed)

0 0 1 1... 1 0 0

Suppose this is the random variable (changeable)

Page 10

● Advantage: sniffers cannot use the information they captured in a previous communication to log in as the user, because the transmitted password is changeable.

● Disadvantage: if the final password is still transmitted in plaintext, the random variable will not make any sense, because the real password is fixed inside every different transmitted password.

Problem solved by combination

Page 11

● Combination of hash function and random variable

● password is changeable

● sniffers cannot get the original password from the hash value

[Diagram: Password and Random Variable are fed together into the Hash function (if MD5, 128 bits; if SHA1, 160 bits)]

Page 12

Device-based Authentication

USB-key authentication

● Device

○ a hardware device with a USB interface

○ stores the user's key in its memory disk (PIN)

○ the memory space cannot be read or written directly

Page 13

● Authentication Process (impulse/response)

[Diagram, client (USB-key) and server over time:
1. Client → Server: authentication requirement
2. Server → Client: a random series of numbers (impulse)
3. Client → Server: hash value (response)
4. Server → Client: authentication response (ACK/NAK)]

1. User enters PIN on web page

2. USB-key applies MD5 to the random series of numbers and the user's key

3. Generate a hash value
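The hash-plus-random-variable exchange of Page 11 and the USB-key impulse/response of Page 13 are the same challenge-response pattern. This is an added example (not code from the slides), in Python, using SHA-256 in place of the slides' MD5 and a constructed shared secret; it shows that a response captured by a sniffer is useless against the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential: the user's password (Page 11) or the key
# stored inside the USB-key (Page 13). Not a value from the slides.
USER = "alice"
SHARED_SECRET = b"constructed-example-secret"


def response_for(secret: bytes, challenge: bytes) -> bytes:
    """Client/USB-key side: hash(secret || random variable).
    SHA-256 is used here instead of the slides' MD5."""
    return hashlib.sha256(secret + challenge).digest()


class Server:
    """Issues one fresh random variable (challenge) per login attempt and
    consumes it on verification, so a captured response is single-use."""

    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db
        self.pending = {}  # user -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # "a random series of numbers"
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # one use only
        if challenge is None or user not in self.secrets_db:
            return False
        expected = response_for(self.secrets_db[user], challenge)
        # constant-time comparison: does not leak how many bytes matched
        return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Returns (legitimate login ok, sniffer replay ok, wrong secret ok)."""
    server = Server({USER: SHARED_SECRET})
    c1 = server.issue_challenge(USER)
    r1 = response_for(SHARED_SECRET, c1)
    login_ok = server.verify(USER, r1)
    # A sniffer who captured r1 replays it against the next challenge.
    server.issue_challenge(USER)
    replay_ok = server.verify(USER, r1)
    # A client that does not know the secret cannot compute the response.
    c3 = server.issue_challenge(USER)
    wrong_ok = server.verify(USER, response_for(b"guess", c3))
    return login_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```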

Page 14

● Advantages

○ the user's key is neither exposed over the Internet nor stored in the computer

○ the value in every response is different

● Disadvantage

Since the PIN is still entered via the website, sniffers can get it easily. Once the user fails to pull out the USB-key in time, sniffers can use the PIN they caught to gain the authority of the USB-key.

Page 15

Dynamic password authentication

● Device

○ a small hardware device with an LCD and its own battery

○ a password generation chip inside applies a special algorithm to the device ID, the user's key and the present time, and then displays the password on the LCD

Page 16

● Authentication process

[Diagram, client and server over time: the client sends the authentication requirement (generated password); the server replies ACK/NAK.]

Page 17

● Advantages

○ the device ID and the user's key are neither exposed over the Internet nor stored in the computer

○ the generated password changes every minute

● Disadvantage

The synchronization mechanism must perform very well so that the value computed by the server corresponds to the received value.
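An added example (not from the slides), in Python, of the dynamic-password scheme on Pages 15 to 17. The device's "special algorithm" is assumed here to be an HMAC-SHA256 over the device ID and the current one-minute time step, keyed with the user's key; the server side shows the synchronization mechanism the slide calls for, accepting one step of clock drift on either side while refusing to accept the same step twice. The device ID and key are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the slides: the generated password changes every minute


def dynamic_password(device_id: bytes, user_key: bytes, now: int, digits: int = 6) -> str:
    """What the device computes and shows on its LCD. The algorithm is an
    assumption: HMAC-SHA256 of device ID || time step, keyed with the user's key,
    truncated to a decimal code a person can type."""
    step = now // STEP_SECONDS
    mac = hmac.new(user_key, device_id + struct.pack(">Q", step), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class Server:
    """Holds the same device ID and key, recomputes the password for the current
    step plus/minus `window` steps (the synchronization mechanism), and never
    accepts a step that has already been consumed."""

    def __init__(self, device_id: bytes, user_key: bytes, window: int = 1):
        self.device_id, self.user_key, self.window = device_id, user_key, window
        self.last_step_used = -1

    def verify(self, password: str, now: int) -> bool:
        server_step = now // STEP_SECONDS
        for step in range(server_step - self.window, server_step + self.window + 1):
            if step < 0 or step <= self.last_step_used:
                continue  # negative step, or a replay inside an already-used step
            expected = dynamic_password(self.device_id, self.user_key, step * STEP_SECONDS)
            if hmac.compare_digest(expected, password):
                self.last_step_used = step
                return True
        return False


def demo() -> tuple:
    """(fresh token ok, same token replayed, device 1 step ahead, device 3 steps ahead)."""
    dev, key = b"device-0001", b"constructed-user-key"  # constructed values
    server = Server(dev, key)
    t = 1_700_000_000  # all of t .. t+20 fall inside one 60-second step
    fresh = server.verify(dynamic_password(dev, key, t), t)
    replay = server.verify(dynamic_password(dev, key, t), t + 5)
    drift1 = server.verify(dynamic_password(dev, key, t + STEP_SECONDS), t + 10)
    drift3 = server.verify(dynamic_password(dev, key, t + 3 * STEP_SECONDS), t + 20)
    return fresh, replay, drift1, drift3


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

A wider window tolerates more drift but also widens the interval in which a password shown on the LCD stays usable, so the window and the single-use check have to be chosen together.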

Page 18

Biometric Authentication

What is biometric authentication?

Biometric authentication is a technique that authenticates a user's identity using each person's unique biological characteristics, such as face, fingerprint, retina, voice and even action postures.

■ Most reliable because it is unique and cannot be counterfeited

Page 19

Fingerprint: an ideal way for biometric authentication

● unique, which guarantees a one-to-one mapping between the user and the authentication information

● stable and will not change easily, which guarantees the long-term validity of the authentication information

● can be scanned quickly and conveniently

● ten different fingerprints increase the level of security

● the authentication information need not be the complete fingerprint image but can be some essential features, which saves storage space on the server

Page 20

Authentication process

[Diagram: scanner → client → server; the client sends a digital presentation of the fingerprint features; the server replies ACK/NAK.]

1. Scanner captures the image of the fingerprint

2. The image is put into a feature extraction template

3. The full image is translated into a reduced presentation of its major features

Page 21

Advantage: Reliable!

■ Disadvantage

● the device costs much

● the installation and portability of the device on the client side is a problem

● getting a sample of the biometric characteristics is sometimes not convenient

Page 22

Conclusion: Security Level by Authentication Approach

● Username / password

Advantages: least expensive; no hardware; no software; users can change passwords as they want

Disadvantages: easily stolen; easily guessed; easily forgotten; cost of support

○ basic mechanism (plaintext password): Security level Extremely Low

○ hash function, MD5 one-way algorithm: sniffers can log in without knowing the password; MD5 has been broken. Security level High

○ hash function, SHA1 one-way algorithm: sniffers can log in without knowing the password. Security level Higher

○ random variable: authentication information changes randomly, but the password is exposed. Security level Low

○ combination of HF & RV: one-way algorithm; randomly changeable password. Security level Highest

● Device-based (two-factor authentication)

Advantages: no need to remember a password; password is neither exposed over the Internet nor stored in the computer; raw password changeable; not easily attacked

Disadvantages: troublesome to carry the device; easily lost; cost of the device; software has to be installed

○ USB-key: authentication information changes randomly; PIN is entered on the website. Security level High

○ Dynamic password: authentication information changes dynamically; the synchronization mechanism has to be perfect. Security level Higher

● Biometric

Advantages: unique; cannot be lost, stolen, forgotten or faked

Disadvantages: complexity and cost of the device; installation and portability problem; not convenient

Security level Highest

Page 23

Thank you!