cen448-Authentication

Authentication
Terminology
• Authentication (verification of identity)
• Access Control (authorization) (control of access)
• Note the difference between the two notions.
Authentication
• Something you know
– user name and password, PIN, secret code, …
• Something you have
– ID card, smart card, cell phone, ATM card, digital certificate …
• Something you are
– fingerprint, iris, DNA …
(or combinations of the above)
Authentication
• How to authenticate an entity?
– user name and password.
– the password must be sent over a secure connection!
– In case of an insecure connection: Challenge/Response protocol
1. The authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a one-way hash function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication succeeds; otherwise it fails.
4. (for additional security) At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1-3.
Other Types of Authentication
• Shared-secret based
– both parties share a secret key (or phrase)
• Mutual authentication
– both parties authenticate each other
Simple shared-secret based cryptographic authentication
Mutual authentication
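A worked version of the challenge/response steps 1-4 and of the shared-secret and mutual variants named on these slides, as an added Python example that is not part of the lecture material. It assumes HMAC-SHA256 as the "one-way hash function", a constructed demo secret, and the names Party, one_way_auth and mutual_auth, none of which come from the slides.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed demo secret (not from the slides); each authenticator/peer pair
# would hold its own.
SHARED_SECRET = b"demo-shared-secret-do-not-reuse"


def compute_response(secret: bytes, direction: bytes, challenge: bytes) -> bytes:
    """Step 2: the one-way function over the secret and the challenge.

    HMAC-SHA256 stands in for the slides' 'one-way hash function'. `direction`
    names who is answering whom, so a response computed in one direction of a
    mutual exchange is not a valid response in the other direction.
    """
    return hmac.new(secret, direction + b"|" + challenge, hashlib.sha256).digest()


class Party:
    """One side of the protocol. Keeps the shared secret and remembers the
    challenges it has issued so that each is accepted at most once."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        """Step 1: issue a fresh random nonce as the challenge."""
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def respond(self, challenger: str, challenge: bytes) -> bytes:
        """Step 2: answer a challenge received from `challenger`."""
        direction = f"{self.name}->{challenger}".encode()
        return compute_response(self._secret, direction, challenge)

    def verify(self, responder: str, challenge: bytes, response: bytes) -> bool:
        """Step 3: recompute the expected value and compare in constant time.

        A challenge this party never issued, or one already answered, is
        rejected: a captured (challenge, response) pair cannot be reused.
        """
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        direction = f"{responder}->{self.name}".encode()
        expected = compute_response(self._secret, direction, challenge)
        return hmac.compare_digest(expected, response)


def one_way_auth(authenticator: Party, peer: Party) -> bool:
    """Steps 1-3: the authenticator checks that the peer knows the secret.
    Step 4 (re-challenging at random intervals) is simply calling this again."""
    c = authenticator.challenge()
    r = peer.respond(authenticator.name, c)
    return authenticator.verify(peer.name, c, r)


def mutual_auth(server: Party, client: Party) -> tuple[bool, bool]:
    """Mutual authentication: the same exchange run in both directions."""
    return one_way_auth(server, client), one_way_auth(client, server)


def demo() -> dict:
    server = Party("server", SHARED_SECRET)
    genuine = Party("client", SHARED_SECRET)
    impostor = Party("client", b"wrong-secret")  # claims to be the client

    results = {
        "genuine": one_way_auth(server, genuine),    # True
        "impostor": one_way_auth(server, impostor),  # False
        "mutual": mutual_auth(server, genuine),      # (True, True)
    }

    # Freshness check: presenting a valid response a second time must fail.
    c = server.challenge()
    r = genuine.respond(server.name, c)
    results["replay"] = (server.verify(genuine.name, c, r),
                         server.verify(genuine.name, c, r))  # (True, False)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details matter in practice and are easy to miss in the slide's three steps: the challenge is a random, single-use nonce (so the same exchange cannot be played back later), and the MAC input includes which way the exchange is running, so that in the mutual case an answer the server gave as a responder cannot be passed off as a client's answer.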
Other methods of authentication
• Digital Certificates
– as we saw earlier in class
– similar to "challenge/response" protocol
[diagram: CA issues a Digital Certificate]
• Biometrics
– scan fingerprint (etc.), convert to template, compare templates.
– most biometric measures are not precise.
– (level of matching)
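The "convert to template, compare templates, level of matching" idea above, as an added Python example that is not from the slides. Templates are constructed as random bit vectors, a repeat scan is modelled as the stored template with some bits flipped, and the names enroll, rescan, hamming_distance, matches and evaluate are hypothetical. It goes a step beyond the slide by estimating the two error rates that the choice of matching threshold trades off.

```python
import random

TEMPLATE_BITS = 64  # constructed template size; real iris/finger codes are larger


def enroll(rng: random.Random, bits: int = TEMPLATE_BITS) -> list[int]:
    """Stand-in for 'scan, convert to template': a random bit vector."""
    return [rng.randrange(2) for _ in range(bits)]


def rescan(template: list[int], rng: random.Random, noise_rate: float) -> list[int]:
    """A later scan of the same person: the stored template with each bit
    flipped with probability `noise_rate`, modelling sensor imprecision."""
    return [b ^ (1 if rng.random() < noise_rate else 0) for b in template]


def hamming_distance(a: list[int], b: list[int]) -> float:
    """Fraction of differing bits: 0.0 identical, about 0.5 for unrelated templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(stored: list[int], probe: list[int], threshold: float) -> bool:
    """'Level of matching': accept when the distance is at or below the
    threshold, rather than demanding an exact match that noisy scans never give."""
    return hamming_distance(stored, probe) <= threshold


def evaluate(threshold: float, users: int = 50, genuine_trials: int = 20,
             noise_rate: float = 0.3, seed: int = 1) -> dict:
    """Estimate the two error rates a threshold trades off:
    FRR: genuine re-scans rejected; FAR: other users' scans accepted.
    The fixed seed makes every call use the same constructed scans."""
    rng = random.Random(seed)
    templates = [enroll(rng) for _ in range(users)]
    genuine = rejected = impostor = accepted = 0
    for i, stored in enumerate(templates):
        for _ in range(genuine_trials):
            genuine += 1
            if not matches(stored, rescan(stored, rng, noise_rate), threshold):
                rejected += 1
        for j, other in enumerate(templates):
            if j == i:
                continue
            impostor += 1
            if matches(stored, rescan(other, rng, noise_rate), threshold):
                accepted += 1
    return {"threshold": threshold, "FRR": rejected / genuine, "FAR": accepted / impostor}


if __name__ == "__main__":
    # A tighter threshold rejects more genuine users; a looser one lets more
    # impostors through. Picking the threshold is the "level of matching".
    for t in (0.25, 0.35, 0.45):
        print(evaluate(t))
```

Running the block prints one line per threshold; moving the threshold up lowers the false-reject rate and raises the false-accept rate, which is why a biometric system is tuned to an operating point rather than checked for equality like a password hash.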