
Authentication in Networks Advanced Network Security Peter Reiher August, 2014


Presentation Transcript


  1. Authentication in Networks
  Advanced Network Security
  Peter Reiher
  August, 2014

  2. Outline
  • The basic authentication problem
  • Authentication options for networks
  • Practical authentication in the Internet

  3. Authentication in a Network
  (Diagram: Subject says “I’m Bill!” across the network to the Authenticator)
  How can the authenticator be sure that the subject really is Bill?

  4. Issues to Consider
  • The parties can only use the network to communicate
  • Implying that authentication works using bit patterns
  • Bits are easy to copy
  • Networks can be eavesdropped upon
  • No inherent guarantee that the next packet is related to the last packet
  • Must we authenticate each packet?

  5. Authentication Options
  • Authentication is usually performed in one of three ways:
  • Authenticate by what you know
  • Authenticate by what you have
  • Authenticate by what you are
  • How well do these work in network settings?

  6. Authentication By What You Know
  • Passwords
  • Cryptographic keys
  • Security question responses
  • Usually, the authenticating entity asks for some knowledge
  • The subject must provide the right knowledge

  7. How It Works in a Network
  (Diagram: Subject: “I’m Bill!” → Authenticator: “Prove it!” → Subject: “OK, here’s Bill’s secret” → Authenticator: “BILL!”)
  If it’s the right secret . . .

  8. Potential Problem #1
  Attackers might guess the secret
  (Diagram: Attacker: “I’m Bill!” . . . “I wonder what Bill’s secret might be . . . Maybe it’s . . . And here’s my secret” → Authenticator: “BILL!”)

  9. What Does This Mean?
  • The secret must be unguessable
  • Neither simple nor obvious
  • Bad examples:
  • Short passwords
  • Something openly related to the subject’s identity (like his name)

  10. Potential Problem #2
  Eavesdroppers can overhear and replay the secret
  (Diagram: Subject: “I’m Bill!” → Authenticator: “Prove it!” → Subject: “OK, here’s Bill’s secret” → Authenticator: “BILL!”; the eavesdropper captures “Bill’s secret” from the network, then later: Attacker: “I’m Bill! And here’s my secret” → Authenticator: “BILL!”)

  11. What Does This Mean?
  • Either the attacker must be unable to eavesdrop
  • Which may be true, but can be impossible to guarantee
  • Or he must be unable to use what he hears
  • How to achieve the latter?
  • Proper crypto

  12. What Do We Mean By “Proper Crypto”?
  • Not just a strong cipher (e.g., AES)
  • But also something that cannot be replayed
  • If the attacker can copy and replay the encrypted secret, crypto didn’t help

  13. Improper Crypto
  (Diagram: the same exchange as slide 10, but Bill’s secret is sent encrypted; the eavesdropper captures the encrypted authentication information from the network and later replays it as “I’m Bill! And here’s my secret” → Authenticator: “BILL!”)
  The stolen encrypted authentication information decrypts to the secret!

  14. How Do We Solve the Problem?
  • Use a different crypto key each time
  • Making sure only the real Bill could have it
  • Or use the same key, but include a different nonce
  • Either way, require “Bill” to encrypt his secret differently each time

  15. The General Problem for Network Authentication
  • If you authenticate by what you know
  • You’d better make sure no one else knows it
  • Which means asking for something different each time
  • Different piece of knowledge
  • Different encryption of the same piece

  16. Authentication by What You Have
  • Certificates
  • Security tokens of various sorts
  • The challenge is that you must prove possession across a network
  • Unlike in person, when you can just show the item (e.g., a passport)

  17. How It Works in a Network
  (Diagram: Subject: “I’m Bill!” → Authenticator: “Prove it!” → Subject: “OK, here’s proof that I have the special item” → Authenticator: “BILL!”)
  If the proof is sufficiently convincing . . .
  Note the similarity to the previous approach!

  18. What’s The Same? What’s Different?
  • What’s the same?
  • The authenticator gets a bunch of bits over the network
  • If they’re right, he authenticates
  • What’s different?
  • How the bits get created
  • That’s where we can improve things

  19. How Should This Work?
  • The weakness of authentication by what you know was the secret
  • If the secret got out, the authentication failed
  • What if it’s a different secret every time?
  • No problem with eavesdropping
  • No replay issues
  • Authenticating by what you have helps if the item generates new bits every time

  20. Generating New Bits
  • Typically requires an active computing device
  • Something with memory and processing capability
  • On each request, it generates a fresh response
  • The authenticator must be able to check the response for correctness

  21. How To Generate the New Bits?
  • Challenge/response
  • The authenticator sends a random number
  • The device encrypts it with its secret key
  • The authenticator checks the encryption
  • Hash chains
  • The device generates new bits using a cryptographic hash of the last set of bits
  • The authenticator determines if the bits are the next in the chain
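Added example, not part of the slides: the two slide-21 mechanisms as a verifier would implement them, built so that the slide-14 rule holds (the same bits are never accepted twice). HMAC-SHA256 stands in for "encrypts it with its secret key", the one-shot nonce set and the Lamport-style preimage chain are my design choices, and the shared key and seed are constructed values.

```python
import hashlib
import hmac
import os

# Secret pre-arranged between Bill's device and the authenticator (slide 22).
# Constructed sample value for this example, not a real key.
SHARED_KEY = b"constructed-demo-key-for-bill"


class ChallengeResponseAuthenticator:
    """Slide 21, option 1: a fresh random challenge, answered with a keyed MAC."""
    def __init__(self, key):
        self.key = key
        self.outstanding = set()   # challenges issued and not yet consumed

    def challenge(self):
        nonce = os.urandom(16)     # different number every time (slide 14)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # A replayed (nonce, response) pair fails: the nonce was consumed before.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(key, nonce):
    """What Bill's token computes: HMAC-SHA256 of the challenge under the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def build_chain(seed, n):
    """Device side: [seed, H(seed), ..., H^n(seed)]; H^n(seed) is registered."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class HashChainAuthenticator:
    """Slide 21, option 2: each login reveals the preimage of the stored value."""
    def __init__(self, registered):
        self.current = registered  # H^n(seed); nothing secret is stored here

    def verify(self, candidate):
        if hashlib.sha256(candidate).digest() != self.current:
            return False           # not the next link, or a replayed old one
        self.current = candidate   # the next login must present its preimage
        return True
```

The hash-chain verifier needs no shared secret at all, only the registered chain head, which is why slide 22 lists the sync problem rather than key distribution as its drawback.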

  22. Some Difficulties
  • The authenticator must share a secret with the device
  • Unless you use PK (public-key cryptography)
  • But that still requires pre-arrangement
  • Problems if the hash chain gets out of sync with the authenticator
  • Solvable using clocks instead of a sequence
  • Requires rough clock synchronization

  23. Weakness of the Approach
  • Loss of the special device makes it impossible to authenticate
  • Theft of the device may allow the thief to improperly authenticate
  • Must pre-arrange to have the authentication device in users’ hands

  24. An “Engineering” Approach
  • Use a smart phone instead of a security token
  • Most people have smart phones
  • They have compute, storage, and communications capabilities
  • They also have a unique number (telephone number) that contacts them (maybe . . .)
  • Authenticate by asking an app on the smart phone to handle challenge/response
  • Solves some problems, adds others

  25. Authentication By What You Are
  • Prove your identity with biometrics
  • Fingerprints, face recognition, retinal scans, etc.
  • Provide that information to the authenticator
  • He checks it against a stored version

  26. How It Works in a Network
  (Diagram: Subject: “I’m Bill!” → Authenticator: “Prove it!” → Subject: “OK, here’s my fingerprint information” → Authenticator: “BILL!”)
  If it’s a good match for Bill’s known fingerprint information . . .
  Note the similarity to the previous approaches!

  27. Biometrics and Networks
  • Not a particularly good match
  • The biometric information is converted to bits and sent across the network
  • The receiver has no idea how the bits were created
  • Fresh biometric reading?
  • Saved version of a previous reading?
  • Stolen copy of a reading?

  28. Biometrics and Non-Human Authentication
  • Biometrics can’t be used to authenticate computers or programs
  • Only people (or perhaps animals)
  • Maybe there are some characteristics of computers that are similar
  • Maybe not
  • A question for research

  29. A Common Issue for Network Authentication
  • Ultimately, you’re getting a bundle of bits packaged in one or more packets
  • It’s hard to guarantee how the bits were created
  • It’s easy to copy bundles of bits
  • Whatever authentication mechanism is used, it must handle that problem
