Authentication and Authorization
•Authentication is the process of verifying a
principal’s identity (but how to define
“identity”?)
–Who the person is
–Or, what the person is
•Authorization is the process of determining
whether a principal can perform certain actions
–What the person can do
–Typically based on authentication result
Authentication in Cyber Space
•Authentication based on what you know.
–If you know a secret, then you are linked to an
“identity”
–The secret needs to be associated with the
identity beforehand (authentication state)
•Authentication protocol is the process of
proving that one knows the secret, a.k.a.
“credential.”
Simple Password Authentication
[Figure: the user supplies a user name and password; the authentication state is kept in /etc/shadow]
Password Verification
[Figure: flowchart: the user-entered password goes through the hash function; the password hash is stored on file (e.g. /etc/shadow); compare H1 == H2?; Y gives OK, N gives FAIL]
Hash function and salt
•A “salt” is used to increase the input space of a
hash function
–Even though a cryptographic hash function H is hard to
invert, if the number of possible inputs to H is small, a
brute-force search can easily find the pre-image from
a given hash
–If we append a salt to the input string and apply H
on the whole string, then the number of possible
inputs to the hash function is increased S-fold, where
S is the number of all possible salts.
–For password hashes, the salt is used to mitigate
dictionary attacks
What is a dictionary attack?
•Pre-compute the hash of commonly used
passwords
•Looking up a password from the hash
takes only constant time if the password
falls into the dictionary
Password verification with salt
[Figure: flowchart: the password and salt S go through the hash function; the salt and hash (S, H1) are stored on file (e.g. /etc/shadow); compare H1 == H2?; Y gives OK, N gives FAIL]
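The salted verification flow and the dictionary lookup it is meant to blunt, as an added example that is not part of the original slides. SHA-256 as H, the 16-byte salt and the word list are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    """The hash function H from the slides. SHA-256 is an assumption;
    real password files use deliberately slow hashes."""
    return hashlib.sha256(data).digest()

def enroll(password: str, salt_len: int = 16):
    """Create the (S, H1) pair that would be stored on file."""
    salt = os.urandom(salt_len)
    return salt, H(password.encode() + salt)  # salt appended, then hashed

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    return hmac.compare_digest(H(password.encode() + salt), stored)

# Constructed word list standing in for "commonly used passwords".
COMMON = ["123456", "password", "letmein", "qwerty"]

def build_table(words, salt: bytes = b""):
    """Pre-compute hash -> password once; each later lookup is a dict access."""
    return {H(w.encode() + salt): w for w in words}

def demo():
    table = build_table(COMMON)           # pre-computed with no salt
    unsalted = H(b"letmein")              # what an unsalted file would hold
    salt, salted = enroll("letmein")      # what a salted file holds
    return (
        table.get(unsalted),              # found by a single lookup
        table.get(salted),                # not found: table does not cover this salt
        verify("letmein", salt, salted),  # correct password is accepted
        verify("qwerty", salt, salted),   # wrong password is rejected
        # The table has to be rebuilt for this one salt before it works again,
        # which is the S-fold increase in pre-computation the slide describes.
        build_table(COMMON, salt).get(salted),
    )

if __name__ == "__main__":
    print(demo())
```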
Challenge-Response Protocol
•Objective: Bob (prover) convinces Alice (verifier)
that he knows the secret, while not leaking the
secret to anyone (including Alice)
•Threat model: insecure communication channel
–Cryptographic primitives unbreakable
–Attacker can do anything else:
•Intercept messages
•Replace messages
•Inject messages
•Re-order messages
•Encrypt/decrypt a message if he knows the keys
Challenge-Response Protocol
•General process
–Verifier picks a challenge message and sends it to prover.
–Prover produces a response using the secret and sends
the response back to the verifier
–Verifier checks whether the response is valid
•Requirements
–Protect Verifier: if Bob does not know the secret, the
protocol shall fail
–Protect Prover: the secret shall not be revealed in the
process, not even to the verifier (computationally infeasible
to infer)
Using MAC in authentication
protocol
[Figure: Alice and Bob each hold secret K, with Mallory on the channel between them; messages shown: m and m, MAC(m,K)]
Authentication based on
symmetric encryption
[Figure: Alice and Bob each hold secret key K, with Mallory on the channel between them; messages shown: m and {m}_K]
Two-party authentication protocol
based on public-key crypto
[Figure: Alice, Bob and Mallory; labels: Bob’s private key SK, Bob’s public key PK; message contents shown only as “… …”]
SSH public key-based
authentication
[Figure: Client (Bob) holds the passphrase-protected private key K_priv in ~/.ssh/id_dsa; Server (Alice) holds the public key K_pub in ~/.ssh/authorized_keys; messages shown over the secure channel: {m}_Kpub and H(m)]
H is a cryptographic hash function
SSH Public Key-based
Authentication
•What is a secure channel?
–Messages sent are encrypted by a shared secret key
–Messages are authenticated using MAC
–The SSH public key-based authentication is used by the
server to authenticate the user at the other end of the
secure channel
–SSH also supports other kinds of authentication, such as
password authentication, which needs a secure channel.
•This challenge-response protocol is better than
asking the client to sign a challenge message
–Server gains zero knowledge
–The hash function is to protect the private key from a
chosen-ciphertext attack
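The {m}_Kpub / H(m) exchange described above, and what changes when the hash is left out, as an added example that is not part of the original slides and is not SSH's own code. The toy textbook-RSA key, SHA-256 as H and all function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA key (assumption for the demo): two known Mersenne primes,
# no padding, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # K_pub, as the server would hold it
D = pow(E, -1, (P - 1) * (Q - 1))        # K_priv, stays on the client

def digest(m: int) -> bytes:
    """H(m) over a fixed-width encoding of m."""
    return hashlib.sha256(m.to_bytes(32, "big")).digest()

def server_challenge():
    """Server picks a random m, keeps it, and sends {m}_Kpub."""
    m = secrets.randbelow(N - 2) + 2
    return m, pow(m, E, N)

def client_response(c: int) -> bytes:
    """Client decrypts with K_priv and returns only H(m)."""
    return digest(pow(c, D, N))

def client_response_unhashed(c: int) -> int:
    """Variant without H: the client hands back whatever it decrypted."""
    return pow(c, D, N)

def server_check(m: int, response: bytes) -> bool:
    return hmac.compare_digest(digest(m), response)

def login_ok() -> bool:
    m, c = server_challenge()
    return server_check(m, client_response(c))

def what_server_learns():
    """The server submits a ciphertext whose plaintext it does not know
    (constructed here so the result can be checked)."""
    secret = secrets.randbelow(N - 2) + 2
    c = pow(secret, E, N)
    plaintext_returned = client_response_unhashed(c) == secret
    hashed = client_response(c)          # a 32-byte digest, not the plaintext
    return plaintext_returned, hashed == digest(secret), len(hashed)

if __name__ == "__main__":
    print(login_ok(), what_server_learns())
```

Without H the client acts as a decryption service for any ciphertext it is handed; with H the reply only lets the server confirm a plaintext it already knows.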
SSH Agent
•The private key must be protected by a
passphrase.
–The passphrase is used to generate a key to
encrypt the private key stored in the file
system.
•An SSH agent can load the private key
into memory and perform the challenge-
response protocol on behalf of the user.
Using SSH Agent
[Figure: Client (Bob) runs an SSH client and an SSH agent with ~/.ssh/id_dsa; Server (Alice) runs an SSH server with ~/.ssh/authorized_keys; labels on the links: challenge c, response r]
•SSH agent stores private keys in memory and performs
crypto calculation
–User only needs to enter passphrase when the agent retrieves
the private key
•Communication between SSH client and agent mediated
through file-system protection
–An SSH client can only connect to an agent started by the same
user, except for user root, who can connect to any user’s agent
•Advantage: user does not need to type in passphrase to
decrypt the private key every time he wants to log in.
Agent Forwarding
[Figure: Client (Bob) runs an SSH client and an SSH agent with ~/.ssh/id_dsa; Server (Alice) runs an SSH server and an SSH client; labels on each link: challenge c, response r]
•Alice can contact the SSH agent on Bob through
the SSH channel if Bob allows his agent
connection to be forwarded to Alice
–SSH client on Alice becomes “man in the middle”
–Useful when the user on Bob wants to log in to other
machines from Alice
–root user can always connect to forwarded agents
–Bob’s private key never leaves his machine; when
Bob tears down the connection with Alice, root on
Alice will no longer be able to impersonate Bob
Exercise after class
•Set up public key-based authentication
using SSH agent for logging into
departmental Linux machines (e.g.,
grad.csee.usf.edu).
–Generate your public/private key pair
–Upload your public key to the server
–Figure out how to use SSH agent
–Find a clever way to start/connect to your
SSH agent