Authentication in Networks
Advanced Network Security
Peter Reiher
August, 2014
Lecture 12

Outline
• The basic authentication problem
• Authentication options for networks
• Practical authentication in the Internet

Authentication in a Network
[Figure: the subject, on one side of the network, announces "I'm Bill!"; the authenticator, on the other side, has to decide.]
How can the authenticator be sure that the subject really is Bill?

Issues to Consider
• The parties can only use the network to communicate
– Implying that authentication works using bit patterns
• Bits are easy to copy
• Networks can be eavesdropped upon
• No inherent guarantee that the next packet is related to the last packet
– Must we authenticate each packet?

Authentication Options
• Authentication is usually performed in one of three ways:
• Authenticate by what you know
• Authenticate by what you have
• Authenticate by what you are
• How well do these work in network settings?

Authentication By What You Know
• Passwords
• Cryptographic keys
• Security question responses
• Usually, the authenticating entity asks for some knowledge
• The subject must provide the right knowledge

How It Works in a Network
[Figure: subject: "I'm Bill!"; authenticator: "Prove it!"; subject: "OK, here's Bill's secret"; if it's the right secret, authenticator: "BILL!"]

Potential Problem #1
[Figure: an attacker announces "I'm Bill!", wonders what Bill's secret might be ("Maybe it's . . ."), and sends "And here's my secret"; the authenticator accepts: "BILL!"]
Attackers might guess the secret.

What Does This Mean?
• The secret must be unguessable
• Neither simple nor obvious
• Bad examples:
– Short passwords
– Something openly related to the subject's identity (like his name)

Potential Problem #2
[Figure: Bill authenticates as before ("I'm Bill!" / "Prove it!" / "OK, here's Bill's secret" / "BILL!"); an eavesdropper on the network records Bill's secret, later announces "I'm Bill!" and sends "And here's my secret", and is accepted: "BILL!"]
Eavesdroppers can overhear and replay the secret.

What Does This Mean?
• Either the attacker must be unable to eavesdrop
– Which may be true, but can be impossible to guarantee
• Or he must be unable to use what he hears
• How to achieve the latter?
– Proper crypto

What Do We Mean By "Proper Crypto"?
• Not just a strong cipher (e.g., AES)
• But also something that cannot be replayed
• If the attacker can copy and replay the encrypted secret, crypto didn't help

Improper Crypto
[Figure: Bill sends his secret encrypted; the eavesdropper records the encrypted authentication information and replays it; the stolen encrypted authentication information decrypts to the secret, so the authenticator accepts: "BILL!"]

How Do We Solve the Problem?
• Use a different crypto key each time
– Making sure only the real Bill could have it
• Or use the same key, but include a different nonce
• Either way, require "Bill" to encrypt his secret differently each time

The General Problem for Network Authentication
• If you authenticate by what you know
• You'd better make sure no one else knows it
• Which means asking for something different each time
– A different piece of knowledge
– A different encryption of the same piece

Authentication by What You Have
• Certificates
• Security tokens of various sorts
• The challenge is that you must prove possession across a network
– Unlike in person, when you can just show the item (e.g., a passport)

How It Works in a Network
[Figure: subject: "I'm Bill!"; authenticator: "Prove it!"; subject: "OK, here's proof that I have the special item"; if the proof is sufficiently convincing, authenticator: "BILL!"]
Note the similarity to the previous approach!
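The replay problem from "Potential Problem #2" and "Improper Crypto" above, and the nonce-based fix from "How Do We Solve the Problem?", worked through with both sides of the exchange. This is an added example, not code from the lecture: the shared secret, the 16-byte nonce and the HMAC-SHA-256 response format are constructed choices, and "Eve" is the eavesdropper.

```python
"""Replay of a static authenticator vs. a nonce-bound challenge/response.

Added example (not from the lecture). The shared secret, the nonce length and
the HMAC-SHA-256 response format are constructed choices for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed: the secret Bill and the authenticator pre-arranged out of band.
SHARED_SECRET = b"bills-pre-arranged-secret"


def static_proof(secret: bytes) -> bytes:
    """'Improper crypto': a fixed transform of the secret (here a bare hash).

    Bill sends the same bits every session, so the bits themselves become
    the secret, and anyone who records them can replay them.
    """
    return hashlib.sha256(secret).digest()


class StaticAuthenticator:
    """Accepts any proof equal to the one it expects; has no notion of session."""

    def __init__(self, secret: bytes) -> None:
        self.expected = static_proof(secret)

    def verify(self, proof: bytes) -> bool:
        return hmac.compare_digest(proof, self.expected)


class NonceAuthenticator:
    """Challenge/response: a fresh random nonce per attempt, single use.

    The response must be HMAC(secret, nonce), so a recorded response is bound
    to a nonce the authenticator will never issue again.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding: set = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:     # never issued, or already used
            return False
        self.outstanding.discard(nonce)       # burn it before checking: single use
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Bill's side: MAC the challenge with the shared secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_static() -> bool:
    """Eve records Bill's proof off the wire and sends it again later.

    Returns True if Eve is accepted as Bill.
    """
    auth = StaticAuthenticator(SHARED_SECRET)
    recorded = static_proof(SHARED_SECRET)   # captured during Bill's real login
    if not auth.verify(recorded):
        raise RuntimeError("Bill himself should have been accepted")
    return auth.verify(recorded)             # Eve's replay


def replay_against_nonce():
    """Bill logs in once; Eve replays the recorded exchange two ways.

    Returns (bill_accepted, eve_accepted).
    """
    auth = NonceAuthenticator(SHARED_SECRET)
    n1 = auth.challenge()
    r1 = respond(SHARED_SECRET, n1)
    bill_accepted = auth.verify(n1, r1)
    # Eve replays the exact (nonce, response) pair she recorded: nonce is spent.
    eve_same = auth.verify(n1, r1)
    # Eve asks for a new challenge and answers with the old response: wrong nonce.
    n2 = auth.challenge()
    eve_new = auth.verify(n2, r1)
    return bill_accepted, eve_same or eve_new
```

Two caveats a practitioner would add: the nonce must be unpredictable and single use (the `outstanding` set here grows without bound unless stale nonces are expired), and binding the response to a nonce defeats replay but not an attacker who relays a live challenge to the real Bill and forwards his answer; that needs the response bound to the channel as well.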
What's the Same? What's Different?
• What's the same?
– The authenticator gets a bunch of bits over the network
– If they're right, he authenticates
• What's different?
– How the bits get created
– That's where we can improve things

How Should This Work?
• The weakness of authentication by what you know was the secret
– If the secret got out, the authentication failed
• What if it's a different secret every time?
– No problem with eavesdropping
– No replay issues
• Authenticating by what you have helps if the item generates new bits every time

Generating New Bits
• Typically requires an active computing device
– Something with memory and processing capability
• On each request, it generates a fresh response
• The authenticator must be able to check the response for correctness

How To Generate the New Bits?
• Challenge/response
– The authenticator sends a random number
– The device encrypts it with its secret key
– The authenticator checks the encryption
• Hash chains
– The device precomputes a chain of repeated cryptographic hashes of a secret seed and releases the values in reverse order, so each new value hashes to the one released before it
– The authenticator hashes what it receives and checks that the result is the last value it accepted, i.e., that the bits are the next link in the chain

Some Difficulties
• The authenticator must share a secret with the device
– Unless you use public-key cryptography
• But it still requires pre-arrangement
• Problems if the hash chain gets out of sync with the authenticator
– Solvable using clocks instead of a sequence
• Requires rough clock synchronization

Weakness of the Approach
• Loss of the special device makes it impossible to authenticate
• Theft of the device may allow the thief to improperly authenticate
• Must pre-arrange to have the authentication device in users' hands

An "Engineering" Approach
• Use a smart phone instead of a security token
• Most people have smart phones
• They have compute, storage, and communications capabilities
• They also have a unique number (telephone number) that contacts them (maybe . . .)
• Authenticate by asking an app on the smart phone to handle the challenge/response
• Solves some problems, adds others

Authentication By What You Are
• Prove your identity with biometrics
– Fingerprints, face recognition, retinal scans, etc.
• Provide that information to the authenticator
• He checks it against a stored version

How It Works in a Network
[Figure: subject: "I'm Bill!"; authenticator: "Prove it!"; subject: "OK, here's my fingerprint information"; if it's a good match for Bill's known fingerprint information, authenticator: "BILL!"]
Note the similarity to the previous approaches!
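Before the biometric case is taken further, here is a worked version of the two "what you have" mechanisms from "How To Generate the New Bits?" and "Some Difficulties" above, in contrast with the fingerprint bits just shown, whose freshness the receiver cannot check. This is an added example, not code from the lecture: a Lamport-style hash chain whose verifier tolerates a few lost responses before the two sides fall out of sync, and the clock-based alternative with a one-step skew window and replay tracking. The seed, key, chain length, 30-second step, skip tolerance and skew window are constructed values.

```python
"""Two ways a possessed device can emit fresh bits: a Lamport-style hash chain
and a clock-based HMAC.

Added example (not from the lecture). Seed, key, chain length, 30-second time
step, skip tolerance and skew window are constructed choices for illustration.
"""
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class HashChainToken:
    """Device side: holds the seed, emits h^(n-1)(seed), h^(n-2)(seed), ...
    Each released value is the preimage of the previous one, so old values
    do not let an eavesdropper compute the next one."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.seed = seed
        self.remaining = n - 1        # exponent of the next value to emit

    def next_response(self) -> bytes:
        if self.remaining < 0:
            raise RuntimeError("chain exhausted; re-enrol a new seed")
        v = self.seed
        for _ in range(self.remaining):
            v = h(v)
        self.remaining -= 1
        return v


class HashChainVerifier:
    """Authenticator side: stores only the last accepted value (initially the
    anchor h^n(seed)); accepts r when some h^k(r), 1 <= k <= max_skip+1, equals
    it. k > 1 means responses were lost in transit; past max_skip the sides are
    out of sync and the chain must be re-anchored."""

    def __init__(self, anchor: bytes, max_skip: int = 3) -> None:
        self.last = anchor
        self.max_skip = max_skip

    def verify(self, r: bytes) -> bool:
        v = r
        for _ in range(self.max_skip + 1):
            v = h(v)
            if hmac.compare_digest(v, self.last):
                self.last = r          # r and everything above it are now spent
                return True
        return False


def make_chain(seed: bytes, n: int):
    """Enrolment: device keeps the seed, authenticator keeps only h^n(seed)."""
    anchor = seed
    for _ in range(n):
        anchor = h(anchor)
    return HashChainToken(seed, n), HashChainVerifier(anchor)


TIME_STEP = 30   # constructed: seconds per clock step


def clock_response(key: bytes, now: int) -> bytes:
    """Device side: MAC the current time step with the shared key."""
    step = now // TIME_STEP
    return hmac.new(key, step.to_bytes(8, "big"), hashlib.sha256).digest()


class ClockVerifier:
    """Authenticator side: accepts the current step or one adjacent step (rough
    clock synchronization) and remembers the highest step accepted so the same
    response cannot be replayed inside the window."""

    def __init__(self, key: bytes, skew_steps: int = 1) -> None:
        self.key = key
        self.skew = skew_steps
        self.last_accepted = -1

    def verify(self, response: bytes, now: int) -> bool:
        step = now // TIME_STEP
        for s in range(step - self.skew, step + self.skew + 1):
            expected = hmac.new(self.key, s.to_bytes(8, "big"), hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                if s <= self.last_accepted:   # this step already used: replay
                    return False
                self.last_accepted = s
                return True
        return False


def demo_hash_chain():
    """Returns (first_ok, replay_ok, resync_ok, too_far_ok)."""
    token, verifier = make_chain(b"constructed-seed", 10)
    r1 = token.next_response()
    first_ok = verifier.verify(r1)
    replay_ok = verifier.verify(r1)                 # same value again: rejected
    for _ in range(2):                              # two responses lost in transit
        token.next_response()
    resync_ok = verifier.verify(token.next_response())   # 2 skipped <= max_skip
    for _ in range(4):                              # four more lost: beyond max_skip
        token.next_response()
    too_far_ok = verifier.verify(token.next_response())
    return first_ok, replay_ok, resync_ok, too_far_ok


def demo_clock():
    """Returns (ok_with_skew, replay_ok, stale_ok)."""
    key = b"constructed-token-key"
    verifier = ClockVerifier(key)
    now = 1_700_000_000
    r = clock_response(key, now)
    ok_with_skew = verifier.verify(r, now + 20)   # verifier clock 20 s ahead
    replay_ok = verifier.verify(r, now + 20)      # same response, same window
    stale_ok = verifier.verify(r, now + 120)      # four steps later: expired
    return ok_with_skew, replay_ok, stale_ok
```

The hash chain needs no shared clock and no secret on the authenticator side (only the anchor), but once more than `max_skip` responses are lost the verifier is stuck until re-enrolment; that is the out-of-sync problem the slide mentions. The clock variant has no such state to lose, at the price of a shared key and clocks that agree to within the skew window, and it still needs the `last_accepted` check, since a response is otherwise valid for the whole window, not just once.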
Biometrics and Networks
• Not a particularly good match
• The biometric information is converted to bits and sent across the network
• The receiver has no idea how the bits were created
– A fresh biometric reading?
– A saved version of a previous reading?
– A stolen copy of a reading?

Biometrics and Non-Human Authentication
• Biometrics can't be used to authenticate computers or programs
– Only people (or perhaps animals)
• Maybe there are some characteristics of computers that are similar
• Maybe not
• A question for research

A Common Issue for Network Authentication
• Ultimately, you're getting a bundle of bits packaged in one or more packets
• It's hard to guarantee how the bits were created
• It's easy to copy bundles of bits
• Whatever authentication mechanism is used, it must handle that problem