
Security Fundamentals: Entity Authentication Mechanisms (4/2011)



Presentation Transcript


  1. Security Fundamentals Entity Authentication Mechanisms 4/2011

  2. 4-1 Continued Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.

  3. 4-1 Continued There are two differences between message authentication (data-origin authentication) and entity authentication, discussed in this chapter. • Message authentication might not happen in real time; entity authentication does. • Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.

  4. 4-1 Continued. Something known; something possessed; something inherent.

  5. 4-2 PASSWORDS The simplest and oldest method of entity authentication is the password-based authentication, where the password is something that the claimant knows.

  6. 4-2 Continued. First approach: user ID and password file.

  7. 4-2 Continued. Second approach: hashing the password.

  8. 4-2 Continued. Third approach: salting the password.

  9. 4-2 Continued Fourth Approach In the fourth approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).
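The four password-storage slides above are easiest to compare side by side. The following is an added example, not code from the slides or the textbook: it implements the first three approaches (plain password file, hashed password, salted password) as small Python functions and checks what an attacker who copies the file would learn in each case. The user names, passwords, salt length and PBKDF2 iteration count are all constructed choices for the example.

```python
import hashlib
import hmac
import os


# First approach: the file stores the password itself. Anyone who reads the
# file has every password, and two users with the same password are obvious.
def store_plaintext(db, user, password):
    db[user] = password


def verify_plaintext(db, user, password):
    return user in db and hmac.compare_digest(db[user], password)


# Second approach: the file stores H(password). Reading the file no longer
# yields passwords directly, but equal passwords still give equal records,
# and a table of precomputed hashes of common passwords still matches.
def store_hashed(db, user, password):
    db[user] = hashlib.sha256(password.encode()).hexdigest()


def verify_hashed(db, user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return user in db and hmac.compare_digest(db[user], digest)


# Third approach: a random per-user salt is hashed together with the password.
# Equal passwords now give different records and precomputed tables fail; the
# slow, iterated hash (PBKDF2, our choice for the example) also raises the cost
# of guessing each password individually.
def store_salted(db, user, password, iterations=100_000):
    salt = os.urandom(16)                       # constructed per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    db[user] = (salt, iterations, dk)           # salt is stored, not secret


def verify_salted(db, user, password):
    if user not in db:
        return False
    salt, iterations, dk = db[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


def demonstrate():
    """Register two users with the same constructed password under each scheme
    and report what the stored file reveals."""
    plain, hashed, salted = {}, {}, {}
    for db, store in ((plain, store_plaintext), (hashed, store_hashed), (salted, store_salted)):
        store(db, "alice", "correct horse")
        store(db, "bob", "correct horse")       # same password as alice
    return {
        "plaintext_records_equal": plain["alice"] == plain["bob"],
        "hashed_records_equal": hashed["alice"] == hashed["bob"],
        "salted_records_equal": salted["alice"][2] == salted["bob"][2],
        "salted_login_ok": verify_salted(salted, "alice", "correct horse"),
        "salted_login_wrong": verify_salted(salted, "alice", "wrong password"),
        "hashed_login_ok": verify_hashed(hashed, "bob", "correct horse"),
        "plain_login_ok": verify_plaintext(plain, "bob", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The `hmac.compare_digest` calls are there so that verification time does not depend on how many leading bytes of a wrong guess happen to match; the slides do not mention this, but it is the usual way such comparisons are written.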

  10. 4-2 Continued. One-Time Password. First approach: in the first approach, the user and the system agree upon a list of passwords. Second approach: in the second approach, the user and the system agree to sequentially update the password. Third approach: in the third approach, the user and the system create a sequentially updated password using a hash function.

  11. 4-2 Continued. Lamport one-time password.
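The third one-time-password approach, the Lamport hash chain, is short enough to show in full. This is an added example written for this page, not code from the slides: the user picks a secret seed, computes the chain h(seed), h(h(seed)), ..., h^n(seed), and registers only the last value with the system. For login i the user sends h^(n-i)(seed); the system hashes it once, compares with its stored value, and on success stores the received value for the next login. The seed, chain length and hash function (SHA-256) are constructed choices.

```python
import hashlib


def h(data: bytes) -> bytes:
    """One application of the one-way function (SHA-256 here)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [seed, h(seed), h^2(seed), ..., h^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class LamportServer:
    """The system: stores only the chain anchor h^n(seed), never the seed."""

    def __init__(self, anchor: bytes, n: int):
        self.current = anchor
        self.remaining = n

    def login(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False                       # chain used up; user must re-register
        if h(otp) == self.current:             # h(h^(n-i)) must equal stored h^(n-i+1)
            self.current = otp                 # walk one step down the chain
            self.remaining -= 1
            return True
        return False


class LamportClient:
    """The user: walks the chain backwards, one password per login."""

    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.next_index = n - 1                # first login sends h^(n-1)(seed)

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-register with a new seed")
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def demo(n: int = 5) -> dict:
    seed = b"constructed-secret-seed"          # chosen by the user, never sent
    client = LamportClient(seed, n)
    server = LamportServer(client.chain[n], n) # registration: only h^n(seed) is stored
    first = client.next_password()
    results = {
        "first_login": server.login(first),
        # An eavesdropper who captured the first OTP cannot reuse it: the server
        # now expects the preimage of that value, which one-wayness hides.
        "replay_rejected": not server.login(first),
    }
    results["remaining_logins"] = all(server.login(client.next_password()) for _ in range(n - 1))
    results["exhausted"] = not server.login(server.current)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the system only ever stores a value whose preimage it has not yet seen, a copy of the server's database is of no use to an attacker for the next login, which is the property the slide's "sequentially updated password using a hash function" refers to.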

  12. 4-3 CHALLENGE-RESPONSE In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.

  13. 4-3 Continued In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier. The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.

  14. 4-3 Continued. First approach: nonce challenge.

  15. 4-3 Continued. Second approach: timestamp challenge.

  16. 4-3 Continued. Third approach: bidirectional authentication.

  17. 4-3 Continued Using Keyed-Hash Functions Instead of using encryption/decryption for entity authentication, we can also use a keyed-hash function (MAC). Keyed-hash function
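The nonce and timestamp challenges of slides 14 and 15, combined with the keyed-hash function of slide 17, can be run end to end in a few dozen lines. This is an added example, not code from the slides: the claimant and verifier share a key, the verifier's challenge is a random nonce that is accepted once only, and in the timestamp variant the verifier rejects values outside a freshness window or already seen. The shared key, identity strings, window size and HMAC-SHA-256 as the keyed hash are constructed choices for the example.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-shared-secret-key"   # provisioned out of band in practice


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash over length-prefixed parts, so (a, bc) and (ab, c) differ."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class Claimant:
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key

    def respond(self, nonce: bytes) -> bytes:
        # First approach: answer the verifier's nonce with MAC_K(name, nonce).
        # The secret key is never sent, only a function of it and the challenge.
        return mac(self.key, b"response", self.name, nonce)

    def timestamp_response(self, now: int):
        # Second approach: the claimant supplies its own time-varying value.
        ts = now.to_bytes(8, "big")
        return ts, mac(self.key, b"timestamp", self.name, ts)


class Verifier:
    def __init__(self, key: bytes, window: int = 30):
        self.key, self.window = key, window
        self.outstanding = {}     # claimant name -> nonce awaiting its response
        self.seen_ts = set()      # (name, timestamp) pairs already accepted

    def challenge(self, name: bytes) -> bytes:
        nonce = os.urandom(16)    # fresh, unpredictable challenge
        self.outstanding[name] = nonce
        return nonce

    def check(self, name: bytes, response: bytes) -> bool:
        nonce = self.outstanding.pop(name, None)   # each nonce is usable once
        if nonce is None:
            return False
        return hmac.compare_digest(response, mac(self.key, b"response", name, nonce))

    def check_timestamp(self, name: bytes, ts: bytes, tag: bytes, now: int) -> bool:
        t = int.from_bytes(ts, "big")
        if abs(now - t) > self.window:             # stale or from the future
            return False
        if (name, ts) in self.seen_ts:              # replay inside the window
            return False
        if not hmac.compare_digest(tag, mac(self.key, b"timestamp", name, ts)):
            return False
        self.seen_ts.add((name, ts))
        return True


def demo() -> dict:
    alice = Claimant(b"Alice", SHARED_KEY)
    bob = Verifier(SHARED_KEY)
    results = {}

    nonce = bob.challenge(b"Alice")
    response = alice.respond(nonce)
    results["nonce_fresh_ok"] = bob.check(b"Alice", response)
    results["nonce_replay_rejected"] = not bob.check(b"Alice", response)

    nonce2 = bob.challenge(b"Alice")
    forged = Claimant(b"Alice", b"constructed-wrong-key").respond(nonce2)
    results["wrong_key_rejected"] = not bob.check(b"Alice", forged)

    now = 1_700_000_000                                   # constructed clock value
    ts, tag = alice.timestamp_response(now)
    results["timestamp_ok"] = bob.check_timestamp(b"Alice", ts, tag, now + 5)
    results["timestamp_replay_rejected"] = not bob.check_timestamp(b"Alice", ts, tag, now + 6)
    results["timestamp_stale_rejected"] = not bob.check_timestamp(
        b"Alice", *alice.timestamp_response(now - 3600), now)
    return results


if __name__ == "__main__":
    print(demo())
```

The timestamp variant needs loosely synchronised clocks and a memory of recent timestamps; the nonce variant needs neither but costs an extra message, which is the trade-off between the two approaches on the slides.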

  18. 4-3 Continued. Using an Asymmetric-Key Cipher. First approach: unidirectional, asymmetric-key authentication.

  19. 4-3 Continued. Second approach: bidirectional, asymmetric-key authentication.

  20. 4-3 Continued. Using Digital Signature. First approach: digital signature, unidirectional authentication.

  21. 4-3 Continued. Second approach: digital signature, bidirectional authentication.

  22. 4-4 ZERO-KNOWLEDGE In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret. Fiat-Shamir protocol; Feige-Fiat-Shamir protocol; Guillou-Quisquater protocol.

  23. 4-4 Continued. Fiat-Shamir protocol.
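Slides 22 and 23 name the Fiat-Shamir protocol without showing its steps. The following added example (not code from the slides) runs it with toy numbers: the claimant holds a secret s with public v = s^2 mod n; each round she sends a commitment x = r^2 mod n, the verifier picks a challenge bit c, she replies y = r * s^c mod n, and the verifier checks y^2 = x * v^c mod n. A second, cheating prover who knows only v is included to show why several rounds are needed: by guessing c in advance it passes any single round with probability 1/2 but, having no s, cannot pass both challenges for the same commitment. The primes 11 and 13, the round count and the seeds are constructed for the example; a real deployment uses primes of hundreds of digits.

```python
import math
import random

P, Q = 11, 13            # constructed toy primes; the trusted party publishes n only
N = P * Q                # 143


def keygen(n: int, rng: random.Random):
    """Claimant's secret s coprime to n and public value v = s^2 mod n."""
    while True:
        s = rng.randrange(2, n)
        if math.gcd(s, n) == 1:
            return s, (s * s) % n


class HonestProver:
    def __init__(self, s: int, n: int):
        self.s, self.n = s, n

    def commit(self, rng: random.Random) -> int:
        self.r = rng.randrange(1, self.n)          # fresh random r every round
        return (self.r * self.r) % self.n          # x = r^2 mod n (the witness)

    def respond(self, c: int) -> int:
        return (self.r * pow(self.s, c, self.n)) % self.n   # y = r * s^c mod n


class CheatingProver:
    """Knows only the public v. Guesses the challenge bit before committing."""

    def __init__(self, v: int, n: int):
        self.v, self.n = v, n

    def commit(self, rng: random.Random) -> int:
        self.r = rng.randrange(1, self.n)
        self.guess = rng.randrange(2)
        x = (self.r * self.r) % self.n
        if self.guess == 1:
            # x = r^2 * v^-1, so that y = r satisfies y^2 = x * v when c == 1
            x = (x * pow(self.v, -1, self.n)) % self.n
        return x

    def respond(self, c: int) -> int:
        return self.r                              # correct only if c == self.guess


class Verifier:
    def __init__(self, v: int, n: int):
        self.v, self.n = v, n

    def challenge(self, rng: random.Random) -> int:
        return rng.randrange(2)                    # c in {0, 1}

    def check(self, x: int, c: int, y: int) -> bool:
        return (y * y) % self.n == (x * pow(self.v, c, self.n)) % self.n


def run_rounds(prover, verifier: Verifier, rounds: int, seed: int) -> int:
    """Return how many of the rounds the prover passed."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(rounds):
        x = prover.commit(rng)
        c = verifier.challenge(rng)
        y = prover.respond(c)
        passed += verifier.check(x, c, y)
    return passed


def demo(rounds: int = 200, seed: int = 7):
    s, v = keygen(N, random.Random(seed))
    honest = run_rounds(HonestProver(s, N), Verifier(v, N), rounds, seed)
    cheat = run_rounds(CheatingProver(v, N), Verifier(v, N), rounds, seed)
    return honest, cheat


if __name__ == "__main__":
    honest, cheat = demo()
    print(f"honest prover passed {honest}/200 rounds, cheater passed {cheat}/200")
```

The verifier accepts only if every round passes, so after t rounds a cheater succeeds with probability 2^-t. The transcript (x, c, y) is what makes the protocol zero-knowledge in the sense of slide 22: the values y = r or y = r*s are uniformly distributed for a random r, so the verifier learns nothing about s that it could not have simulated on its own.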

  24. 4-4 Continued Cave Example

  25. 4-4 Continued Feige-Fiat-Shamir protocol

  26. 4-4 Continued. Guillou-Quisquater protocol.

  27. 4-4 Continued. Guillou-Quisquater protocol (continued).

  28. 4-5 BIOMETRICS Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared. Topics: components; enrollment; authentication; techniques; accuracy; applications.

  29. 4-5 Continued. Components. Several components are needed for biometrics, including capturing devices, processors, and storage devices.

  30. 4-5 Continued Enrollment Before using any biometric techniques for authentication, the corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.

  31. 4-5 Continued. Authentication: verification; identification.

  32. 4-5 Continued Techniques

  33. 4-5 Continued. Physiological techniques: fingerprint, hands, iris, voice, retina, DNA, face.

  34. 4-5 Continued. Behavioral techniques: signature, keystroke.

  35. 4-5 Continued. Accuracy: False Rejection Rate (FRR); False Acceptance Rate (FAR).
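Slide 35 names the two accuracy measures without showing how they are obtained. The following added example (not from the slides) computes them from constructed matcher scores: FRR is the fraction of genuine attempts whose score falls below the acceptance threshold, FAR the fraction of impostor attempts whose score reaches it, and moving the threshold trades one against the other. The score lists and the threshold grid are made up for illustration.

```python
# Constructed similarity scores in [0, 1] from a hypothetical matcher:
# genuine attempts compare a person against her own enrolled template,
# impostor attempts compare her against someone else's template.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.60, 0.97, 0.79, 0.86, 0.90]
IMPOSTOR_SCORES = [0.20, 0.35, 0.55, 0.41, 0.62, 0.28, 0.15, 0.48, 0.33, 0.70]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when a score >= threshold is accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # wrongly rejected
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # wrongly accepted
    return frr, far


def sweep(thresholds=(0.5, 0.6, 0.7, 0.8, 0.9)):
    """FRR and FAR at each candidate threshold: raising it lowers FAR, raises FRR."""
    return {t: error_rates(t) for t in thresholds}


def equal_error_threshold(thresholds=(0.5, 0.6, 0.7, 0.8, 0.9)):
    """Threshold on the grid where FRR and FAR are closest (the usual single
    summary of a system's accuracy)."""
    return min(thresholds, key=lambda t: abs(error_rates(t)[0] - error_rates(t)[1]))


if __name__ == "__main__":
    for t, (frr, far) in sweep().items():
        print(f"threshold {t:.1f}: FRR {frr:.1f}  FAR {far:.1f}")
    print("equal-error threshold:", equal_error_threshold())
```

Which side of the trade-off a deployment prefers depends on the application in slide 36: a door to a sensitive facility tolerates some false rejections to keep FAR low, while employee timekeeping would rather not reject staff and can accept a higher FAR.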

  36. 4-5 Continued. Applications. Several applications of biometrics are already in use. In commercial environments, these include access to facilities, access to information systems, transactions at points of sale, and employee timekeeping. In the law enforcement system, they include investigations (using fingerprints or DNA) and forensic analysis. Border control and immigration control also use some biometric techniques.
