
Weak Authentication: How to Authenticate Unknown Principals without Trusted Parties


Presentation Transcript


  1. Weak Authentication: How to Authenticate Unknown Principals without Trusted Parties
     Jari Arkko & Pekka Nikander
     Presented by Riku Honkanen

  2. Presentation Outline
     • "Cryptographically strong authentication between previously unknown parties without relying on trusted third parties"
     • Why weak authentication?
     • Weak authentication techniques
       • Classification
       • Concrete techniques
     • Technique analysis
     • Economic impacts & probabilities

  3. Why Weak Authentication?
     • If there are no real-world identities/effects
     • Imperfect security is sometimes enough
     • Higher cost of strong authentication
     • Current & potential applications:
       • Personal area networks
       • Secure Shell (SSH)
       • Session Initiation Protocol (SIP)
       • Multi-homing
       • Mobility

  4. Technique Categories (1/2)
     • Spatial Separation
       • Ensuring that the peer is on a certain path
     • Temporal Separation
       • Peers relate past & current communications
     • Asymmetric Costs
       • Cost of attack is higher than cost of defense
     • Application Semantics
       • Cryptographic properties of identifiers

  5. Technique Categories (2/2)
     • Combined and Transitive Techniques
       • The mentioned categories can be combined for improved security
     • Time and location as main dimensions
     [Diagram: axes "Time" and "Location"; labelled regions: "Same peer, different location", "Same peer", "One time use", "Over a specific path"]

  6. Concrete Techniques
     • Anonymous Encryption – temporal
       • e.g. unauthenticated Diffie-Hellman secures a single session
     • Challenge-Response – spatial
       • Freshness and peer on a certain path
     • Leap-of-Faith – temporal, spatial, asymmetric cost
       • Unauthenticated at start of first connection
       • Following connections authenticated
     • Cryptographically Generated Addresses – spatial & application
     • Opportunistic IPsec

  7. Technique Analysis
     • Anonymous Encryption
       • Vulnerable to a man-in-the-middle attack at the beginning of the session
       • Benefits the community more than a single user
     • Challenge-Response
       • Probability of a certain path having an attacker
     • Leap-of-Faith
       • Uncertainty gets smaller as the number of connections between specific peers increases
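The leap-of-faith technique of slides 6 and 7, as an added example that is not code from the presentation or the paper: the first contact with a peer is accepted unauthenticated and its key is pinned, every later contact is checked for continuity against the pin, and the count of matching connections tracks the shrinking uncertainty. Peer identifiers and raw public-key byte strings are constructed, hypothetical inputs.

```python
import hashlib
from dataclasses import dataclass, field

# Leap-of-faith (trust on first use): the attacker must already be on the
# path during the very first connection; afterwards a changed key is detected.


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a peer public key (hypothetical key encoding)."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class PinnedPeer:
    fingerprint: str
    verified_count: int = 0  # matching connections since the leap of faith


@dataclass
class LeapOfFaithStore:
    pins: dict = field(default_factory=dict)  # peer_id -> PinnedPeer

    def check_peer(self, peer_id: str, pubkey: bytes) -> str:
        """Return 'first-use', 'verified' or 'mismatch' for this connection."""
        fp = fingerprint(pubkey)
        pin = self.pins.get(peer_id)
        if pin is None:
            # Unauthenticated first contact: accept and pin (the "leap").
            self.pins[peer_id] = PinnedPeer(fp)
            return "first-use"
        if pin.fingerprint == fp:
            # Temporal continuity: same key as on earlier connections.
            pin.verified_count += 1
            return "verified"
        # Key changed: legitimate rekey or a man-in-the-middle. A defender
        # refuses the connection until the change is confirmed out of band.
        return "mismatch"


if __name__ == "__main__":
    store = LeapOfFaithStore()
    for key in (b"KEY-A", b"KEY-A", b"KEY-A", b"KEY-X"):  # constructed sample keys
        print(store.check_peer("host-a", key))
```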

  8. Economic Impacts & Probabilities
     • Cost of attack vs. cost of defense
       • Weak authentication may be enough to raise the cost of the attack to multiples of the cost of the defense
     • Probability of the attack
       • Weak authentication may lower the probability of an attacker being present significantly
     • Economics and probabilities should be understood before application protocol design

  9. Summary
     • Weak authentication is good enough for some applications
     • Basic WA techniques can provide a significant advantage at low cost
     • Importance of uncertainty, probability and economic impact analysis
       • The results may be surprising
